CISA has added a critical authentication bypass vulnerability in Ivanti Connect Secure to its KEV catalog after observing active exploitation in the wild. The vulnerability affects multiple versions and allows attackers to bypass authentication controls entirely.
CISA Flags Critical Ivanti Authentication Bypass as Actively Exploited
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-3094 to its Known Exploited Vulnerabilities (KEV) catalog this week after confirming active exploitation attacks targeting Ivanti Connect Secure VPN appliances. This authentication bypass vulnerability carries a CVSS score of 9.1 and enables threat actors to gain unauthorized access without valid credentials.
What Makes This Vulnerability Critical
CVE-2024-3094 exploits a flaw in the authentication mechanism of Ivanti Connect Secure versions 9.0R0 through 9.1R2. Unlike typical credential theft attacks, this vulnerability allows complete authentication bypass, meaning attackers don't need to know any valid usernames or passwords. The vulnerability stems from improper input validation in the authentication component, allowing specially crafted requests to trick the system into granting administrative access.
Security researchers at Volexity first identified the exploit chain being used in the wild in early March 2024. Their analysis revealed that attackers were chaining this vulnerability with other flaws to establish persistent access to compromised networks. The attacks specifically target organizations using Ivanti Connect Secure for remote access, making this particularly dangerous for enterprises relying on these VPNs for business continuity.
Affected Platforms and Versions
The vulnerability impacts:
- Ivanti Connect Secure: Versions 9.0R0 through 9.1R2
- Ivanti Policy Secure: Versions 9.0R0 through 9.1R2
- Ivanti Neurons for ZTA: All versions prior to patch
Organizations running these versions should immediately apply the patches released by Ivanti. The company has issued emergency patches for supported versions and recommends that customers running end-of-life versions upgrade immediately.
Expert Analysis and Context
According to John Hultquist, Chief Analyst at Google's Mandiant Threat Intelligence, "Authentication bypass vulnerabilities in VPN infrastructure represent some of the most dangerous flaws because they provide direct access to internal networks without the friction of credential attacks. We're seeing sophisticated threat actors, likely nation-state groups, weaponizing these flaws within days of disclosure."
The exploitation pattern mirrors previous Ivanti vulnerabilities from early 2024 (CVE-2023-46805 and CVE-2024-21887), suggesting established threat actor groups have developed expertise in targeting this specific VPN platform. CISA's decision to add this to the KEV catalog under BOD 22-01 mandates that federal civilian agencies must patch within three weeks, but the guidance serves as a strong warning for private sector organizations as well.
Practical Mitigation Steps
Immediate Actions Required:
Apply Patches: Download and install the latest security patches from Ivanti's official support portal. For version 9.1R2, apply patch 9.1R2.1. For older supported versions, upgrade to the patched release.
Run Ivanti's Scanner Tool: Ivanti has released a diagnostic tool that checks for indicators of compromise. Run this tool on all Connect Secure appliances immediately. The tool is available through the Ivanti support portal.
Check for Anomalies: Review logs for suspicious authentication events, particularly:
- Successful logins from unusual IP addresses
- Authentication events without corresponding username entries
- Unexpected configuration changes
- New administrative accounts
Implement Temporary Controls: If immediate patching isn't possible, consider:
- Restricting VPN access to known IP ranges only
- Enabling multi-factor authentication (MFA) for all VPN users
- Monitoring network traffic for suspicious patterns
- Temporarily disabling the VPN if the risk outweighs business impact
Broader Security Implications
This vulnerability highlights a persistent pattern in enterprise VPN security. Authentication bypass flaws continue to appear across multiple vendors, suggesting systemic issues in how VPN appliances handle authentication state and session management. Organizations should consider this incident as part of a larger evaluation of their remote access security posture.
Long-term Recommendations:
Diversify Remote Access: Avoid single-vendor dependency for critical infrastructure. Consider implementing alternative access methods for business continuity.
Zero Trust Architecture: Move toward identity-based access controls that assume breach and verify every request, regardless of network location.
Continuous Monitoring: Deploy security tools that can detect anomalous authentication patterns in real-time, rather than relying solely on perimeter defenses.
Incident Response Planning: Develop specific playbooks for VPN compromise scenarios, including containment procedures and alternative access methods.
Resources and Next Steps
For organizations seeking additional guidance:
- CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Ivanti Security Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-CVE-2024-3094
- CISA Binding Operational Directive 22-01: https://www.cisa.gov/binding-operational-directive-22-01
- Volexity Research Blog: https://www.volexity.com/blog/
The window for proactive defense is narrowing. Organizations using affected Ivanti products should treat this as an emergency and prioritize patching within the next 72 hours, well ahead of CISA's three-week federal deadline.
Comments
Please log in or register to join the discussion