Ivanti Zero-Days – What You Need to Know

Cyber news this week includes multiple headlines about zero-days in the Ivanti Connect Secure and Policy Secure gateway products.

Cyber news this week includes multiple headlines about zero-days in the Ivanti Connect Secure and Policy Secure gateway products.1 The company announced two zero-days (CVE 2024-21887 and 2023-46805) on January 10th and an additional two zero-days in this investigation (CVE 2024-21888 and CVE 2024-28193). On January 31st, CISA issued an advisory notice instructing federal agencies to disconnect these Ivanti products by February 3rd2 and provided mitigation suggestions to organizations.

Of the four zero-days, active exploitation has been observed for three of them. Ivanti has stated there is no evidence of exploitation for CVE 2024-21888. This is a common issue when companies announce new vulnerabilities as not all of them will be under exploitation, and some may not even be exploitable.

It is important to note that the exploitation has been attributed to a Chinese espionage group, tracked as UNC5221. This identifier is new and has been created as this campaign is investigated further. Espionage groups typically target government organizations or organizations that have intellectual property aligned to their goals. As such, the directive by CISA is justified, but the urgency may not be as relevant to smaller businesses without information of interest to nation-state threat actors. However, financially motivated threat actors may adapt their techniques in the coming weeks to take advantage of the new vulnerabilities.

While delayed, Ivanti issued patches for these vulnerabilities on January 31st. The CISA statement advises organizations to conduct threat hunting on their systems if they have been running these products in the last few weeks. Details of threat actor activity after exploitation and indicators of compromise (IOCs) can be found here.


    1. Organizations that are a target for nation-states should pay particular attention to this campaign and mitigation advice.
    2. Organizations that are not a target should patch their systems and conduct threat-hunting.
    3. Organizations should continue to prioritize vulnerabilities that are known to be exploited before prioritizing others.

Share the Article

Recent Articles

New SIM Swapping Attacks

According to new research, eSIM cards are being hijacked for cyber attacks. eSIM cards are remotely programmable chips that are stored within phones and other wearable devices.

Read More »
Scroll to Top

This website uses cookies to improve your browsing experience. By clicking accept, you consent to the use of cookies. To learn more about the cookies we use, visit our Privacy & Cookie Policy.

Report a New Incident

Your incident report has been submitted.