A recently disclosed critical server-side request forgery (SSRF) vulnerability affecting Ivanti Connect Secure and Ivanti Policy Secure, designated as CVE-2024-21893, has become a target for mass exploitation by numerous attackers.
According to the threat monitoring service Shadowserver, the exploitation volume of CVE-2024-21893 far exceeds that of the other recently addressed Ivanti vulnerabilities. The organization said it has observed 170 distinct IP addresses attempting to exploit the flaw.
“We observed CVE-2024-21893 exploitation using '/dana-na/auth/saml-logout.cgi' on Feb 2nd hours before Rapid7 posting & unsurprisingly lots to '/dana-ws/saml20.ws' after publication. This includes reverse shell attempts & other checks. To date, over 170 attacking IPs involved,” Shadowserver wrote in a post on X (formerly Twitter). It also released a one-time special report containing information about Ivanti Connect Secure appliances known to be vulnerable to the exploit chain detailed by cybersecurity firm Rapid7.
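The two endpoints Shadowserver names are the most concrete detection lead in the report, so the following added example (not code from Shadowserver, Rapid7 or Ivanti) shows how a defender would triage an appliance's access log for requests to them and count the distinct source addresses, the same metric Shadowserver quotes. The log lines, IP addresses and timestamps are constructed for the example; the regex assumes a combined (Apache/Nginx-style) access-log format.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (hypothetical IPs and timestamps);
# they are not real traffic from the reported campaign.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Feb/2024:09:14:03 +0000] "POST /dana-na/auth/saml-logout.cgi HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [02/Feb/2024:09:15:11 +0000] "POST /dana-ws/saml20.ws HTTP/1.1" 200 1024 "-" "curl/8.4.0"
203.0.113.10 - - [02/Feb/2024:09:16:40 +0000] "POST /dana-ws/saml20.ws HTTP/1.1" 500 220 "-" "python-requests/2.31"
192.0.2.55 - - [02/Feb/2024:09:20:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
192.0.2.55 - - [02/Feb/2024:09:21:30 +0000] "GET /dana/home/index.cgi HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Endpoints Shadowserver reported seeing in CVE-2024-21893 exploitation attempts.
WATCHED_PATHS = ("/dana-na/auth/saml-logout.cgi", "/dana-ws/saml20.ws")

# Combined-log-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # compare the path without its query string
    return rec


def find_hits(log_text):
    """Return every parsed record whose path is one of the watched SAML endpoints."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] in WATCHED_PATHS:
            hits.append(rec)
    return hits


def summarize(hits):
    """Group hits by source IP so distinct attacking addresses can be counted."""
    paths_by_ip = defaultdict(list)
    for h in hits:
        paths_by_ip[h["ip"]].append(h["path"])
    return {
        "requests": len(hits),
        "distinct_ips": len(paths_by_ip),
        "paths_by_ip": dict(paths_by_ip),
    }


if __name__ == "__main__":
    report = summarize(find_hits(SAMPLE_LOG))
    print(f"{report['requests']} requests to watched endpoints from {report['distinct_ips']} IPs")
    for ip, paths in report["paths_by_ip"].items():
        print(f"  {ip}: {', '.join(paths)}")
```

Legitimate SAML sign-outs also reach `saml-logout.cgi`, so a hit is a triage signal rather than confirmation of compromise; treat the resulting IP list as input to correlation with the vendor's integrity checker and the CSIRT guidance referenced later in this article, not as a verdict on its own.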
According to Rapid7 researchers, CVE-2024-21893 can be used to bypass the original mitigation for the CVE-2023-46805 and CVE-2024-21887 exploit chain, which the China-linked threat actor tracked as UNC5221/UTA0178 leveraged to install web shells and backdoors on compromised devices. At its peak, this campaign had breached more than 1,700 devices.
In addition, Synacktiv researchers observed threat actors exploiting CVE-2023-46805 and CVE-2024-21887 to deliver a Rust-based malware loader called “KrustyLoader,” which in turn deploys Sliver, a Golang-based cross-platform post-exploitation framework that malicious actors use as an alternative to Cobalt Strike.
Following the recent developments, the European Commission, ENISA, the EU Agency for Cybersecurity, CERT-EU, Europol and the network of the EU national computer security incident response teams (CSIRTs network) released a joint statement urging organizations to regularly check the guidance provided by the CSIRTs Network members and CERT-EU for the latest assessment and advice, as well as the detailed vendor instructions.