Ivanti VPN malware can survive a factory reset, warns CISA

The Chinese threat actor UNC5325 is reported by security vendor Mandiant to be actively exploiting the vulnerabilities.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that attackers exploiting vulnerabilities in Ivanti VPN appliances can maintain a presence on infected devices, even after a factory reset.

Attackers can also evade detection by Ivanti's Integrity Checker Tool.

The agency is urging users of Ivanti Connect Secure and Ivanti Policy Secure VPN appliances to take urgent measures to mitigate the threat, and to consider replacing them altogether.

The vulnerabilities (tracked as CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, CVE-2024-21893) allow authentication bypass, command injection, server-side request forgery and arbitrary command execution.

They have already been exploited on several occasions since being publicly disclosed in January 2024. Another vulnerability (CVE-2021-22893) was previously used in 2021 to breach dozens of organizations in the U.S. and Europe.

The Chinese threat actor UNC5325 is reported by security vendor Mandiant to be actively exploiting the vulnerabilities to deploy malware that can survive factory resets and patches. Another Chinese group, UNC3886, may also be exploiting the flaws.

CISA's research found that Ivanti's Integrity Checker Tool was not always effective in detecting compromise. Ivanti has since released an updated version of the scanning tool.

In an advisory, the agency said that organizations using the affected VPN appliances should immediately:

  1. Limit outbound internet connections from SSL VPN appliances to restrict access to required services.
  2. Keep all operating systems and firmware up to date.
  3. Limit SSL VPN connections to unprivileged accounts.
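One way to check that the first step is actually holding, as an added example that is not from CISA's advisory or the article: parse perimeter firewall logs and count outbound connections from the appliance that fall outside an egress allowlist. The appliance address, the allowlist entries, the log format and the log lines are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout (constructed): appliance at 203.0.113.10; it only needs the
# vendor update host, the internal DNS resolver and an internal NTP server.
APPLIANCE_IP = ipaddress.ip_address("203.0.113.10")
EGRESS_ALLOWLIST = {
    ("198.51.100.20", 443),  # placeholder for the vendor update/licensing host
    ("10.0.0.53", 53),       # internal DNS resolver
    ("10.0.0.123", 123),     # internal NTP server
}

# Constructed firewall log format: "<ts> <ACTION> src=<ip> dst=<ip> proto=<p> dport=<n>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) "
                    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$")

SAMPLE_LOGS = """\
2024-03-01T10:00:01Z ALLOW src=203.0.113.10 dst=10.0.0.53 proto=udp dport=53
2024-03-01T10:00:02Z ALLOW src=203.0.113.10 dst=198.51.100.20 proto=tcp dport=443
2024-03-01T10:00:03Z ALLOW src=203.0.113.10 dst=192.0.2.77 proto=tcp dport=443
2024-03-01T10:00:04Z ALLOW src=203.0.113.10 dst=192.0.2.77 proto=tcp dport=8443
2024-03-01T10:00:05Z ALLOW src=10.0.5.9 dst=192.0.2.77 proto=tcp dport=443
2024-03-01T10:00:06Z DENY src=203.0.113.10 dst=192.0.2.99 proto=tcp dport=80
2024-03-01T10:00:07Z ALLOW src=203.0.113.10 dst=10.0.0.123 proto=udp dport=123
"""

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def find_unexpected_egress(log_text):
    """Count (dst, dport) pairs the appliance reached that are not allowlisted.
    Only ALLOW records count: a DENY means the firewall already held the line."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        if ipaddress.ip_address(rec["src"]) != APPLIANCE_IP:
            continue
        key = (rec["dst"], rec["dport"])
        if key not in EGRESS_ALLOWLIST:
            hits[key] += 1
    return hits
```

Every hit is either a missing allowlist entry or a connection the appliance should not be making; on the constructed input the two connections to 192.0.2.77 are the ones to investigate, while the blocked attempt and the other host's traffic are ignored.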

Security teams should "assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time," the advisory, published February 29, said.

It added that organizations should "consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment."

We have contacted Ivanti for comment.

This article originally appeared on our sister site Computing.