Australian Cyber Security Centre issues alert about critical Ivanti vulnerabilities

The Australian Cyber Security Centre (ACSC) has issued an alert about critical vulnerabilities in the Ivanti Connect Secure (ICS) VPN and the Ivanti Policy Secure (IPS) network access control solution.

An authentication bypass vulnerability in the web component of both solutions allows a remote attacker to access restricted resources by bypassing control checks, the ACSC reports.

A command injection vulnerability in web components of ICS and IPS allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Ivanti is aware of active exploitation of these vulnerabilities.

The ACSC encouraged application of any available mitigations and patches as soon as possible.

Ivanti’s advisory stated that patches “will be released in a staggered schedule with the first version targeted to be available to customers the week of 22 January and the final version targeted to be available the week of 19 February.”

“We are providing mitigation now while the patch is in development to prioritise the best interest of our customers.”

Copyright © nextmedia Pty Ltd. All rights reserved.