Ivanti warns customers another zero-day is under active attack

U.S. software giant Ivanti has scrambled to patch another zero-day vulnerability under active attack.

The vulnerability, tracked as CVE-2023-38035 with a vulnerability severity rating of 9.8 out of 10, affects the software company’s Sentry product. Ivanti Sentry (formerly MobileIron Sentry) is a mobile gateway designed to manage, encrypt and secure network traffic between employee devices and a company's back-end systems.

The new vulnerability — known as a zero-day because the company had no time to fix the bug before it was exploited — allows unauthenticated attackers to access sensitive APIs used to configure the Ivanti Sentry on the administrator portal, the company said. Successful exploitation of the zero-day could allow hackers to change configuration, run system commands or write files onto the system.

In its advisory, Ivanti states that while the issue has a high severity rating, “there is a low risk of exploitation for customers who do not expose port 8443 to the internet,” referring to the internet-facing port on which the software listens by default. However, the company says that attackers have already exploited the vulnerability to target a “limited” number of its customers.

Ivanti has not yet said how many customers were compromised and did not respond to TechCrunch's questions.

More Ivanti customers are likely at risk, as the vulnerability — discovered and reported by Norwegian cybersecurity company Mnemonic — affects all supported versions of the Sentry software, and Ivanti has warned that older, unsupported versions of the tool are also at risk. Ivanti urged customers to disconnect their Sentry servers from the internet and to restrict access to them to internal management networks.

This latest zero-day is the third Ivanti vulnerability that hackers have exploited in recent months.

It was confirmed earlier this month that state-backed attackers had compromised multiple Norwegian government agencies by exploiting a previously unknown flaw (CVE-2023-35078) in Ivanti Endpoint Manager Mobile (EPMM; formerly MobileIron Core). In a separate advisory, the U.S. government’s cybersecurity agency CISA warned that this flaw could be chained with a second vulnerability (CVE-2023-35081) to reduce the complexity of carrying out attacks.

It’s not yet known who is behind the attacks leveraging zero-days in Ivanti’s software. CISA has linked previous intrusions exploiting Ivanti's software to Chinese state-sponsored hackers.