The U.S. cybersecurity agency CISA has ordered federal agencies to urgently disconnect Ivanti VPN equipment because the appliances contain multiple software flaws that are at risk of being maliciously exploited. In an update to an emergency directive first issued last week, CISA is now requiring all federal civilian executive branch agencies (a list that includes the Department of Homeland Security and the Securities and Exchange Commission) to disconnect all Ivanti VPN devices because malicious hackers are currently exploiting numerous zero-day vulnerabilities that pose a "serious threat."
While federal agencies typically have weeks to patch vulnerabilities, CISA has ordered Ivanti VPN devices to be disconnected within 48 hours.
"Agencies running the affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions) must immediately perform the following tasks: Disconnect all Ivanti Connect Secure and Ivanti Policy Secure solution product instances from the agency network as quickly as possible by 11:59PM on Friday, February 2, 2024," the emergency directive, updated Wednesday, reads.
Just hours before CISA issued the warning, Ivanti claimed to have discovered a third zero-day vulnerability that was being actively exploited.
Security researchers say Chinese state-backed hackers have exploited at least two Ivanti Connect Secure vulnerabilities - tracked as CVE-2023-46805 and CVE-2024-21887 - since December. Ivanti said on Wednesday it had discovered two more vulnerabilities - CVE-2024-21888 and CVE-2024-21893, the latter of which had been exploited in "targeted" attacks. CISA previously said it had "observed some preliminary attacks targeting federal agencies."
Steven Adair, founder of cybersecurity company Volexity, said Thursday that at least 2,200 Ivanti devices have been compromised so far. That's an increase of 500 units from the 1,700 the company tracked earlier this month, although Volexity noted that "the total is likely much higher."
In the updated directive, CISA told agencies that after disconnecting the vulnerable Ivanti products they must continue threat hunting on any systems that were connected to the affected devices, monitor authentication and identity management services that may have been exposed, and continue auditing the permission levels of access accounts.
CISA also provided instructions for bringing Ivanti equipment back online, but did not set a deadline for federal agencies to do so.
"CISA has effectively directed federal agencies to adopt a method for deploying [Ivanti Connect Secure] VPN devices that are considered freshly installed and patched as a requirement to bring them back online," Adair said. "If any agency wants to be completely sure that its devices are operating in a known good and trusted state, this may be the best course of action."
Following a warning from CISA that malicious actors were bypassing the mitigations released for the first two vulnerabilities, Ivanti this week provided patches for select versions of the software affected by the three actively exploited vulnerabilities. Ivanti is also urging customers to factory reset their devices before patching, to prevent hackers from gaining persistent access to their networks.