Published on: 2025-04-07

Intelligence Report: US CISA adds Ivanti Connect Secure Policy Secure and ZTA Gateways flaw to its Known Exploited Vulnerabilities catalog – Securityaffairs.com

1. BLUF (Bottom Line Up Front)

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting Ivanti Connect Secure Policy Secure and ZTA Gateways to its Known Exploited Vulnerabilities catalog. This vulnerability, tracked as CVE, allows for remote code execution and has been actively exploited by a China-linked threat actor. Immediate action is recommended for organizations using affected Ivanti products to apply security patches and monitor for signs of compromise.

2. Detailed Analysis

The following structured analytic techniques have been applied for this analysis:

General Analysis

The vulnerability in question involves a stack-based buffer overflow that can be exploited for remote code execution. Ivanti released a security update in February to address this issue, but exploitation attempts have been linked to a cyberespionage group identified as UNC. The flaw impacts older versions of Ivanti Connect Secure, which reached end-of-support in December. Despite the release of patches, a limited number of customers remain vulnerable due to delayed updates.

3. Implications and Strategic Risks

The exploitation of this vulnerability poses significant risks to national security, particularly due to its association with a state-linked actor. The potential for unauthorized access and data exfiltration could impact government agencies and private sector entities. Additionally, the deployment of malware families such as Trailblaze and Brushfire indicates a sophisticated threat landscape that could lead to further cyberespionage activities.

4. Recommendations and Outlook

Recommendations:

• Organizations using Ivanti products should immediately apply the latest security patches and monitor their systems for signs of compromise.
• Regularly update and review cybersecurity protocols to ensure they align with the latest threat intelligence.
• Federal agencies should enforce compliance with CISA directives to mitigate vulnerabilities effectively.

Outlook:

In the best-case scenario, swift patching and monitoring will prevent further exploitation. The worst-case scenario involves continued exploitation leading to significant data breaches and espionage activities. The most likely outcome is a mixed scenario where some organizations successfully mitigate the threat while others remain vulnerable due to delayed action.

5. Key Individuals and Entities

The report mentions significant individuals and organizations such as Ivanti, Mandiant, and Google Threat Intelligence Group. The cyberespionage group identified as UNC is also highlighted as a key actor in the exploitation of this vulnerability.