Ivanti has released a security update to address an authentication bypass vulnerability (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887) in all supported versions (9.x and 22.x) of Connect Secure and Policy Secure gateways. A cyber threat actor could exploit these vulnerabilities to take control of an affected system.
Ivanti reports active exploitation of both CVE-2023-46805 and CVE-2024-21887.
CISA urges users and administrators to immediately review Ivanti’s security update and apply the current workaround. CISA will update this alert as Ivanti releases patches.