How to find Ivanti gateways on your network

Latest Ivanti gateway vulnerabilities

On January 8th, 2025, Ivanti disclosed vulnerabilities in their Ivanti Connect Secure, Ivanti Policy Secure, and Neurons for ZTA products.

  • CVE-2025-0282 is rated critical with a CVSS score of 9.0. Successful exploitation of this vulnerability would allow a remote unauthenticated attacker to execute arbitrary code on the vulnerable system.
  • CVE-2025-0283 is rated high with a CVSS score of 7.0. Successful exploitation of this vulnerability would allow a local authenticated attacker to execute arbitrary code on the vulnerable system.

Note that the vendor has indicated that there is evidence that these vulnerabilities are being exploited in the wild.

 

What is the impact?

Successful exploitation of these vulnerabilities would allow an attacker to execute arbitrary code, potentially leading to complete system compromise.

 

Are updates or workarounds available?

Ivanti has released updates to address these vulnerabilities. Users are urged to update all systems as quickly as possible.

 

How to find potentially vulnerable systems with runZero

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

product:"Policy Secure" OR product:"Connect Secure"

 

December 2024 (Multiple CVEs)

On December 10th, 2024, Ivanti disclosed vulnerabilities in their Ivanti Connect Secure and Ivanti Policy Secure products.

  • CVE-2024-11633 and CVE-2024-11634 are rated critical with CVSS scores of 9.1. Successful exploitation of these vulnerabilities would allow an authenticated attacker to execute arbitrary code on the affected system.
  • CVE-2024-37401 and CVE-2024-37377 are rated high with a CVSS score of 7.5 and could allow a remote, unauthenticated attacker to create a denial-of-service condition on vulnerable systems.
  • CVE-2024-9844 is rated high with a CVSS score of 7.1 and could allow a remote, authenticated attacker to bypass application restrictions.

 

What is the impact?

Successful exploitation of these vulnerabilities would allow an attacker to execute arbitrary code, read potentially sensitive resources, or create a denial-of-service (DoS) condition on affected devices.

 

Are updates or workarounds available?

Ivanti has released patches to address these vulnerabilities, and all users are urged to update as quickly as possible.

 

How to find potentially vulnerable systems with runZero

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

product:"Policy Secure" OR product:"Connect Secure"

 

April 2024 (Multiple CVEs)

On April 2, 2024, Ivanti disclosed multiple vulnerabilities in their Ivanti Connect Secure and Ivanti Policy Secure products.

  • CVE-2024-21894 is rated high with a CVSS score of 8.2 and allows an unauthenticated attacker to potentially execute arbitrary code on the affected system.
  • CVE-2024-22052 is rated high with a CVSS score of 7.5 and allows an unauthenticated attacker to create a denial-of-service (DoS) condition on affected systems.
  • CVE-2024-22053 is rated high with a CVSS score of 8.2 and would allow an unauthenticated attacker to read potentially sensitive memory contents.
  • CVE-2024-22023 is rated medium with a CVSS score of 5.3 and would allow an unauthenticated attacker to create a denial-of-service (DoS) condition on affected systems.

 

What is the impact?

Successful exploitation of these vulnerabilities would allow an attacker to execute arbitrary code, read potentially sensitive memory, or create a denial-of-service (DoS) condition on affected devices.

 

Are updates or workarounds available?

Ivanti has released patches to address these vulnerabilities, and all users are urged to update as quickly as possible.

 

How to find potentially vulnerable systems with runZero

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

product:"Policy Secure" OR product:"Connect Secure"

Additional fingerprinting research is ongoing, and additional queries will be published as soon as possible.

 

February 2024 (CVE-2024-22024)

On February 8th, 2024, Ivanti disclosed a serious vulnerability, CVE-2024-22024, which allowed attackers to bypass authentication on the affected device to reach restricted resources. This vulnerability earned a CVSS score of 8.3 out of 10, indicating a high degree of severity.

The vendor reported that there were no indications that this vulnerability had been exploited in the wild.

 

What was the impact?

Upon successful exploitation of these vulnerabilities, attackers could access restricted resources on the vulnerable system without authentication. The vendor did not specify which resources were reachable without authentication, but did indicate that such resources were restricted.

Ivanti released an update to mitigate the issue (note that the provided link also discusses previous vulnerabilities in the same products). Users were urged to update as quickly as possible.

 

January 2024 vulnerabilities

On January 10th, 2024, Ivanti disclosed two serious vulnerabilities in the Ivanti Connect Secure and Ivanti Policy Secure products.

The first issue, CVE-2023-46805, allowed attackers to bypass authentication controls to access restricted resources without authentication. This vulnerability earned a CVSS score of 8.2 out of 10, indicating a high degree of impact.

The second issue, CVE-2024-21887, allowed attackers to inject arbitrary commands to be executed on the affected device. Attackers had to be authenticated to exploit this vulnerability, but attackers might have been able to use the authentication bypass vulnerability above to achieve this. This vulnerability had a CVSS score of 9.1 out of 10, indicating a critical vulnerability.

The vendor reported that there were indications that these vulnerabilities had been exploited in the wild.

 

What was the impact?

Upon successful exploitation of these vulnerabilities, attackers could execute arbitrary commands on the vulnerable system. This included the creation of new users, installation of additional modules or code, and, in general, system compromise.

Ivanti released an update to mitigate this issue. Users were urged to update as quickly as possible.

 

How to find potentially vulnerable products that expose a web interface 

From the Services Inventory, use the following query to locate assets running the vulnerable products in your network that expose a web interface and which may need remediation or mitigation:

_asset.protocol:http AND protocol:http AND http.body:"welcome.cgi?p=logo"

 

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

How to find BeyondTrust appliances on your network

Latest BeyondTrust vulnerability (CVE-2024-12356)

BeyondTrust disclosed a vulnerability that affects their Privileged Remote Access (PRA) and Remote Support (RS) appliances. This has also been added to the CISA KEV as it has been exploited in the wild.

  • CVE-2024-12356 is rated highly-critical with a CVSS score of 9.8. Successful exploitation of this vulnerability would allow an attacker to execute arbitrary commands on the appliance.

 

What is the impact?

The issue impacts PRA and RS versions 24.3.1 and earlier.

 

Are updates or workarounds available?

BeyondTrust has released a patch for all supported iterations of PRA and RS versions 22.1.x and higher and has applied the patch to cloud customers earlier this week.

 

How do I find potentially vulnerable systems with runZero?

From the Services Inventory, use the following query to locate systems running potentially vulnerable software: 

vendor:BeyondTrust or http.body:BeyondTrust

From the Assets Inventory, use the following query to locate systems running potentially vulnerable software:

os:BeyondTrust OR hw:BeyondTrust OR os:Bomgar OR hw:Bomgar

 

How to find Go SSH servers on your network

Go SSH potential authentication bypass (CVE-2024-45337)

On December 11th, 2024, the Go Security Team disclosed a potential vulnerability in the Go standard library’s implementation of SSH, discovered by the Platform.sh Engineering Team.

The issue, assigned CVE-2024-45337, could result in an authentication bypass or potentially incorrect permissions granted to a remote user when connecting to the SSH server. The issue stems from a common usage pattern of the library, which does not verify or report which of multiple SSH public keys were used for authentication to a server.

Note that this is a vulnerability in the Go standard library’s implementation, and thus any product using the standard library to construct an SSH server could be vulnerable. Approximately 19,000 publicly-accessible projects import the relevant package.

Are any updates or workarounds available?

The Go Project has released a new version of Go that partially addresses the issue by making the commonly-misused programming pattern less likely to be used, and offered guidance to programmers on how to more safely use the library.
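
The usage pattern described above, reduced to a model that runs without the SSH package (an added example, not code from the Go project or from runZero). The names `PublicKeyCallback` and `Permissions.Extensions` mirror `golang.org/x/crypto/ssh`; the `Authenticate` model, the key fingerprints and the account names are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Permissions plays the role of ssh.Permissions: data attached to one key.
type Permissions struct {
	Extensions map[string]string
}

// PublicKeyCallback has the shape of ServerConfig.PublicKeyCallback, with the
// key reduced to a fingerprint string for this model.
type PublicKeyCallback func(user, keyFP string) (*Permissions, error)

// Offer is one publickey request. Proven is false when the client only asks
// whether a key would be accepted, true when it also proves possession.
type Offer struct {
	KeyFP  string
	Proven bool
}

// Authenticate is a simplified model of server-side publickey auth (an
// assumption of this example): the callback runs once per distinct key, a
// query never authenticates, and the result carries the proven key's perms.
func Authenticate(user string, offers []Offer, cb PublicKeyCallback) (*Permissions, error) {
	type result struct {
		perms *Permissions
		err   error
	}
	cache := map[string]result{}
	for _, o := range offers {
		r, seen := cache[o.KeyFP]
		if !seen {
			p, err := cb(user, o.KeyFP)
			r = result{perms: p, err: err}
			cache[o.KeyFP] = r
		}
		if o.Proven && r.err == nil {
			return r.perms, nil
		}
	}
	return nil, errors.New("no offered key was both accepted and proven")
}

// Constructed data: key fingerprint -> account that key is authorized for.
var authorizedKeys = map[string]string{
	"SHA256:constructed-key-A": "deploy-readonly",
	"SHA256:constructed-key-B": "admin",
}

// FragileLogin records the key inside the callback and trusts whichever one
// was recorded last, although the callback also runs for queried keys.
func FragileLogin(user string, offers []Offer) (string, error) {
	var lastSeen string
	cb := func(_ string, fp string) (*Permissions, error) {
		if _, ok := authorizedKeys[fp]; !ok {
			return nil, errors.New("unknown key")
		}
		lastSeen = fp
		return nil, nil
	}
	if _, err := Authenticate(user, offers, cb); err != nil {
		return "", err
	}
	return authorizedKeys[lastSeen], nil
}

// BoundLogin puts the account into Permissions.Extensions and reads it from
// the permissions of the completed handshake, so it follows the proven key.
func BoundLogin(user string, offers []Offer) (string, error) {
	cb := func(_ string, fp string) (*Permissions, error) {
		account, ok := authorizedKeys[fp]
		if !ok {
			return nil, errors.New("unknown key")
		}
		return &Permissions{Extensions: map[string]string{"account": account}}, nil
	}
	perms, err := Authenticate(user, offers, cb)
	if err != nil {
		return "", err
	}
	return perms.Extensions["account"], nil
}

func main() {
	// Constructed session: two keys are queried, only key A is proven.
	offers := []Offer{
		{KeyFP: "SHA256:constructed-key-A"},
		{KeyFP: "SHA256:constructed-key-B"},
		{KeyFP: "SHA256:constructed-key-A", Proven: true},
	}
	fragile, _ := FragileLogin("git", offers)
	bound, _ := BoundLogin("git", offers)
	fmt.Println("fragile:", fragile, "bound:", bound)
}
```

When reviewing a Go SSH server, look for identity or permission state written from inside the public key callback and read elsewhere; anything derived from the key belongs in the returned permissions.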

How to find potentially vulnerable systems with runZero

Because the vulnerable SSH implementation is generally embedded inside other applications, it is not generally possible to determine by filesystem or software examination if the server is in use. However, runZero’s direct scanning of asset services provides a reliable and powerful mechanism to detect what SSH implementations are listening on your network.

From the Software Inventory you can use the following query to locate potentially vulnerable systems:

product:="Go SSH"

 

Taming the Typhoons: How runZero Keeps You Ahead of State-Sponsored Cyber Threats

China’s state-sponsored cyber operations—aptly nicknamed with “Typhoon” monikers—have been brewing trouble for over a decade. From Violet to Salt Typhoon, these advanced persistent threat (APT) groups have been wreaking havoc on government entities, critical infrastructure, and other high-value targets. Their evolution highlights one thing loud and clear: attackers are always one step ahead, looking for the weakest link.

But fear not—there’s a way to outpace these storms. Let’s break down what these Typhoons have been up to and how runZero brings calm to the chaos with unparalleled visibility and proactive defense.

 

The Typhoon Timeline: An Evolution of Threats

The Typhoon story began with Violet Typhoon, which stuck to the basics: phishing, exploiting known vulnerabilities, and going after traditional IT systems. They were your typical “steal the sensitive data and run” kind of crew.

Then came Volt Typhoon, which shifted focus to U.S. critical infrastructure. They embraced “living off the land” techniques, cleverly blending into hybrid IT and OT environments while avoiding detection. Think of them as the first innovators of the Typhoons.

Not to be outdone, Flax Typhoon targeted IoT devices like cameras and DVRs, transforming these “unimportant” devices into powerful botnets. It was a wake-up call for organizations ignoring their IoT inventory.

And now, Salt Typhoon has arrived, skillfully exploiting IT, OT, and IoT systems with alarming precision. Their primary focus? Telecommunications providers and ISPs, where they leverage trusted devices and connections to steal customer call records, compromise private communications—particularly those of individuals involved in government or political activities—and access sensitive information tied to U.S. law enforcement requests under court orders.

 

Why Visibility is the Game-Changer

The Typhoon saga reveals one critical truth: attackers will find the blind spots in your network. Whether it’s a forgotten IoT device, an outdated VPN concentrator, or a misconfigured firewall, these gaps become open doors for adversaries.

That’s why visibility—complete visibility—is key to staying ahead. Enter runZero.

 

How runZero Helps You Outmaneuver Salt Typhoon

Salt Typhoon thrives on exploiting edge devices and blending into your network. But runZero makes their job infinitely harder. Here’s how we give you the upper hand:

  • Proactive Edge Discovery: With real-time scanning and unmatched fingerprinting capabilities, runZero identifies every device—routers, firewalls, switches—before attackers can. Firmware versions? Check. Misconfigurations? Double-check.
  • Mapping Internal Pathways: Once inside, attackers aim to move laterally. runZero lights up internal pathways, exposing high-risk devices and connections that could serve as stepping stones for adversaries.
  • Correlating Internal and External Risks: Unlike siloed tools, runZero connects the dots between internal and external assets, revealing shared vulnerabilities and dependencies. That’s insight no other platform offers.
  • Risk-Based Prioritization: runZero doesn’t just throw vulnerabilities at you. It ranks them by exploitability, exposure pathways, and criticality, so you can tackle the most pressing issues first.
  • Continuous Monitoring: Networks change constantly, and so do risks. With runZero’s continuous discovery, you’ll always have an up-to-date picture of your attack surface.

 

Actionable Insights for Real-World Defense

Need proof of what runZero can do? Let’s take CISA’s latest guidance tailored to counter Salt Typhoon’s tactics and the queries you can use in the runZero platform to identify assets at risk.

Strengthening Visibility: Monitoring: Network Engineers

If feasible, limit exposure of management traffic to the Internet. Only allow management via a limited and enforced network path, ideally only directly from dedicated administrative workstations. Do not manage devices from the internet. Only allow device management from trusted devices on trusted networks.

# Service Query
(type:router OR type:switch OR type:firewall) AND (port:80 OR port:443) AND has_public:true

Monitor user and service account logins for anomalies that could indicate potential malicious activity. Validate all accounts and disable inactive accounts to reduce the attack surface. Monitor logins occurring internally and externally from the management environment.

# Users Query
alive:t AND (
  isDisabled:true
OR
  (source:googleworkspace suspended:t)
OR
  (source:googleworkspace isEnforcedIn2Sv:f)
OR
  (has:accountExpiresTS)
OR
  (isDisabled:true)
OR
  (passwordExpired:true OR msDS-UserPasswordExpiryTimeComputedTS:<now))

Ensure the inventory of devices and firmware in the environment are up to date to enable effective visibility and monitoring. runZero can track and incorporate end-of-life data from a variety of sources.

# Asset Query
os_eol_expired:t

Monitoring: Network Engineers

Closely monitor all devices that accept external connections from outside the corporate network.

# Asset Query
has_public:t

IPsec tunnel usage

# Service Query
protocol:ike

Hardening Systems & Devices: Protocols and Management Processes: Network Engineers

Additionally, as a general strategy, put devices with similar purposes in the same VLAN. For example, place all user workstations from a certain team in one VLAN, while putting another team with different functions in a separate VLAN. runZero’s innovative outlier score can help locate devices that don’t look like others in the same site.

# Asset Query
outlier:>=2

If using Simple Network Management Protocol (SNMP), ensure only SNMP v3 with encryption and authentication is used.

# Service Query
protocol:snmp1 or protocol:snmp2 or protocol:snmp2c

Disable all unnecessary discovery protocols, such as Cisco Discovery Protocol (CDP).

# Service Query
protocol:cdp

Ensure Transport Layer Security (TLS) v1.3 is used on any TLS-capable protocols to secure data in transit over a network.

# Service Query
tls.supportedVersionNames:"SSL" OR tls.supportedVersionNames:"TLSv1.0" OR tls.supportedVersionNames:"TLSv1.1" OR tls.supportedVersionNames:"TLSv1.2"

Disable Secure Shell (SSH) version 1.

# Service Query
banner:"SSH-1"

Hardening Systems & Devices: Protocols and Management Processes: Network Defenders

Disable any unnecessary, unused, exploitable, or plaintext services and protocols, such as Telnet, File Transfer Protocol (FTP), Trivial FTP (TFTP), SSH v1, Hypertext Transfer Protocol (HTTP) servers, and SNMP v1/v2c.

# Service Query
protocol:telnet OR protocol:ftp OR protocol:tftp OR banner:"SSH-1" OR (protocol:http AND NOT protocol:tls) OR protocol:snmp1 OR protocol:snmp2 OR protocol:snmp2c

Conduct port-scanning and scanning of known internet-facing infrastructure.

# Service Query
has_public:t
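
The protocol checks from the service queries above, applied offline to a service inventory export (an added example, not runZero code). The record fields, check names and sample inventory are assumptions constructed for illustration; the SSH check parses the identification string so that `SSH-1.x` and `SSH-1.99` banners, which both match `banner:"SSH-1"`, are reported separately.

```go
package main

import (
	"fmt"
	"strings"
)

// Service is one row of a service inventory export. The field names are
// assumptions made for this example, not a runZero schema.
type Service struct {
	Asset       string
	Protocols   []string // protocols detected on the port, e.g. "http", "tls"
	Banner      string   // first line the service sent, if any
	TLSVersions []string // TLS/SSL versions the service accepted
}

type Finding struct {
	Asset, Check, Detail string
}

// legacyProtocols maps a detected protocol to the check it fails.
var legacyProtocols = map[string]string{
	"snmp1": "snmp-legacy", "snmp2": "snmp-legacy", "snmp2c": "snmp-legacy",
	"cdp":    "discovery-protocol",
	"telnet": "plaintext-service", "ftp": "plaintext-service", "tftp": "plaintext-service",
}

// sshProtoVersion extracts protoversion from an SSH identification string of
// the form "SSH-protoversion-softwareversion comments" (RFC 4253).
func sshProtoVersion(banner string) (string, bool) {
	parts := strings.SplitN(strings.TrimSpace(banner), "-", 3)
	if len(parts) < 3 || parts[0] != "SSH" || parts[1] == "" {
		return "", false
	}
	return parts[1], true
}

// Audit applies the protocol-hardening checks to each service record and
// returns the findings in input order.
func Audit(services []Service) []Finding {
	var out []Finding
	for _, s := range services {
		add := func(check, detail string) {
			out = append(out, Finding{s.Asset, check, detail})
		}
		var http, tls bool
		for _, p := range s.Protocols {
			http = http || p == "http"
			tls = tls || p == "tls"
			if check, ok := legacyProtocols[p]; ok {
				add(check, p)
			}
		}
		if http && !tls {
			add("plaintext-service", "http without tls")
		}
		// "1.x" is an SSH-1 server; "1.99" is an SSH-2 server that still
		// accepts SSH-1 clients. Both contain the substring "SSH-1".
		if v, ok := sshProtoVersion(s.Banner); ok && strings.HasPrefix(v, "1.") {
			detail := "SSH-1 only"
			if v == "1.99" {
				detail = "SSH-2 with SSH-1 compatibility enabled"
			}
			add("ssh-v1", detail)
		}
		// Anything other than TLSv1.3 in the accepted list is reported.
		var old []string
		for _, v := range s.TLSVersions {
			if v != "TLSv1.3" {
				old = append(old, v)
			}
		}
		if len(old) > 0 {
			add("tls-below-1.3", strings.Join(old, ","))
		}
	}
	return out
}

// sampleInventory is constructed data, not output from any real scan.
func sampleInventory() []Service {
	return []Service{
		{Asset: "core-sw-01", Protocols: []string{"snmp2c"}},
		{Asset: "core-sw-01", Protocols: []string{"cdp"}},
		{Asset: "edge-fw-01", Protocols: []string{"ssh"}, Banner: "SSH-1.99-Cisco-1.25"},
		{Asset: "edge-fw-01", Protocols: []string{"http", "tls"}, TLSVersions: []string{"TLSv1.2", "TLSv1.3"}},
		{Asset: "lab-rtr-02", Protocols: []string{"ssh"}, Banner: "SSH-2.0-OpenSSH_9.6"},
		{Asset: "lab-rtr-02", Protocols: []string{"telnet"}},
	}
}

func main() {
	for _, f := range Audit(sampleInventory()) {
		fmt.Println(f.Asset, f.Check, f.Detail)
	}
}
```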

 

The Final Word

The Typhoon threat is real, but with runZero, you don’t have to weather the storm alone. Whether you’re facing state-sponsored attackers like Salt Typhoon or just trying to get a handle on your sprawling network, runZero does more than uncover what’s hiding in your network—we redefine what’s possible in exposure management. Our agentless, credential-free approach means you get instant insights without the hassle. And our advanced fingerprinting technology? It’s second to none, giving you detailed device profiles that competitors can only dream of.

But it’s not just about tech; it’s about speed and adaptability. As networks grow more complex and threats more advanced, runZero ensures you’re always one step ahead of these Typhoons no matter how their tactics evolve. From shadow IT to unmanaged IoT, we uncover everything—because the very things you didn’t know existed are exactly what these attackers are looking for.

Ensure compliance with DORA’s ICT risk framework using runZero

Uncover the unmanaged and unknown to meet hidden risk requirements

With the Digital Operational Resilience Act (DORA) set to take effect on January 17th, 2025, financial institutions across the European Union must prepare to meet stringent regulatory requirements. At its core, DORA mandates resilience in Information and Communication Technology (ICT) systems, covering five primary pillars:

  1. ICT risk management

  2. Incident reporting

  3. Resilience testing

  4. Third-party risk management

  5. Information sharing

While these pillars seem straightforward, the implementation has a hidden complexity in meeting standards: unmanaged and unknown assets. These devices—ranging from decentralized IT assets to unconventional (but highly interconnected) IoT and OT devices—are notoriously hard to identify and secure.

Why are these unmanaged and unknown devices such a critical focus of DORA? The answer lies in their profound impact on the regulatory pillars. These assets, often hidden in the shadows of your environment, don’t just represent gaps in visibility—they create vulnerabilities that ripple through every aspect of operational resilience.

Consider this: over 60% of connected devices are invisible to defenders, and unmanaged assets were linked to 7 out of 10 breaches last year. To truly grasp the gravity of this problem, let’s explore how these blind spots hinder compliance across DORA’s relevant pillars—and what it takes to close those gaps effectively.

DORA chapter requirements and the downstream effect of unmanaged and unknown assets

ICT risk management

DORA chapter requirement: Develop and implement comprehensive frameworks to identify, assess, and mitigate information and communication technology (ICT) risks, ensuring robust protection against potential threats.

Downstream effect of unmanaged and unknown assets: How can you protect something you don’t know exists? Unmanaged assets create gaps in your risk management framework, making it impossible to fully identify, assess, and mitigate vulnerabilities. Without a clear picture of your entire environment, staying compliant with DORA’s ICT risk management standards becomes a major challenge.

Incident reporting

DORA chapter requirement: Establish mechanisms for the timely detection and reporting of significant ICT-related incidents to regulatory authorities, facilitating prompt response and mitigation.

Downstream effect of unmanaged and unknown assets: Unmanaged assets are often where problems start—and if they’re exploited, you might not even know an incident happened. That means delays in detection, reporting, and response, putting you at risk of missing DORA’s strict incident reporting timelines.

Resilience testing

DORA chapter requirement: Conduct regular testing of ICT systems to evaluate and enhance their resilience against disruptions, ensuring continuous and secure operations.

Downstream effect of unmanaged and unknown assets: Resilience testing is about ensuring your ICT systems can handle disruptions. But if unknown assets aren’t included, you’re testing only part of your environment, leaving hidden risks unchecked. That’s a compliance issue waiting to happen.

Third-party risk management

DORA chapter requirement: Implement stringent oversight and management of third-party ICT service providers to ensure they adhere to security and resilience standards, thereby safeguarding the institution’s operations.

Downstream effect of unmanaged and unknown assets: Shadow IT and forgotten vendor integrations often bring unmanaged assets into the mix. If you don’t have visibility into these, there’s no way to verify that your third-party providers are meeting DORA’s security and resilience standards.

To truly meet DORA’s requirements, you need complete visibility into your environment. Unmanaged and unknown assets are like puzzle pieces left out of the box; they make it impossible to see the full picture. Discovery and management of all your assets are the true foundation of compliance and resilience. Relying solely on traditional discovery and vulnerability management tools often leaves critical gaps, potentially putting you at risk of non-compliance—or worse, exposing your organization to security threats.

That’s where runZero comes in. Unlike traditional tools, runZero uncovers the unmanaged, unknown, and shadow IT assets that others miss using novel discovery and scanning techniques. In fact, enterprises on average find 25% more assets with runZero than they were previously aware of. Our objective is to provide you with unparalleled visibility across IT, OT, IoT, including those assets that aren’t actively managed. By layering in-depth fingerprinting data and detailed insights into vulnerabilities and exposures, runZero helps you to close those gaps, meet DORA’s requirements with confidence, and build a stronger, more resilient ICT environment.

DORA chapters

runZero alignment

ICT risk management

With runZero, you gain the tools to create and maintain robust ICT risk management frameworks. Complete asset discovery, continuous monitoring of IT, OT, IoT, and unmanaged devices, and identification of vulnerabilities and protection gaps across your critical operational assets ensure you have a complete view of your environment. This eliminates blind spots, supports thorough risk assessments, and empowers you to proactively mitigate ICT risks before they become problems.

Incident reporting

runZero provides detailed data on all assets, asset ownership, and associated exposures, helping you accurately assess the potential impact of incidents. You can easily map affected areas of the network and use runZero’s insights to classify and prioritize incidents effectively. With this level of clarity, you can respond rapidly to incidents, minimizing disruption and staying aligned with DORA’s reporting requirements.

Resilience testing

When it’s time to test your ICT systems’ resilience, runZero ensures your assessments cover the entire environment, both internally and externally. By providing visibility into system configurations, vulnerabilities, and sensitive areas, as well as leveraging external scanning to validate exposures on the edge, runZero helps you prioritize critical assets for testing. It maps out network structures and highlights exposures, so your testing efforts are targeted, accurate, and effective, ultimately strengthening your operational readiness.

Third-party risk management

If third-party ICT service providers are connected to your environment, runZero helps you keep them in check. It provides visibility into third-party managed assets, their network interactions, and any configuration changes that might introduce risks. With runZero, you can map dependencies, uncover vulnerabilities, and assess the impact of third-party services, enabling you to mitigate risks proactively and maintain a secure and resilient ICT ecosystem.

The high-level overview of how runZero aligns with DORA’s pillars demonstrates its powerful capabilities. However, to truly appreciate its impact, let’s explore how runZero directly maps to specific DORA articles, such as Articles 6, 7, 8, and 9. These articles outline the actionable steps required for ICT risk management, resilience, and collaboration. The section below also illustrates how runZero goes beyond compliance to deliver operational excellence.


 

Article 6: ICT risk management framework

What DORA requires:

  • Develop a framework to identify, assess, and mitigate ICT risks.

  • Address risks tied to internal systems, third-party services, and external threats.

 

Key challenges:

  • ICT risk management frameworks often rely on incomplete inventories.

  • Without identification of all assets and understanding device interdependencies, assessing impact and mitigation strategies is guesswork.

 

How runZero helps:

runZero supports the creation and maintenance of ICT risk management frameworks by delivering advanced asset discovery, continuous monitoring of IT, OT, IoT, and unmanaged devices, and identifying vulnerabilities and security control gaps.

  1. Complete asset discovery:
    • Identifies all IT, OT, IoT, and unmanaged devices using active scanning, passive scanning, and integrations.

    • Incorporates external scanning to identify assets and monitor risks on the edge, ensuring comprehensive visibility across both internal and external attack surfaces.

    • Accurately and precisely fingerprints assets providing deeper insights for more accurate risk assessment and mitigations.

    • Detects shadow IT and rogue devices not visible to traditional tools.

  2. Risk interdependency mapping:
    • Maps relationships between assets, revealing critical dependencies.

    • Identifies single points of failure, such as connections between essential systems and vulnerable third-party services.

  3. Risk monitoring:
    • Identifies issues beyond CVEs, such as misconfigurations, segmentation weaknesses, insecure services, EoL, policy violations, etc.

    • Monitors for emerging risks and zero-day vulnerabilities through the Rapid Response Program, enabling swift identification of vulnerable assets without the need for rescanning.

    • Tracks changes in device configurations and interdependencies.

    • Uses safe scanning to identify fragile devices without the risk of disrupting operations.

    • Alerts on deviations, such as newly connected devices or unexpected configuration changes, that introduce new risks.

  4. Enriched risk context:
    • Integrates with a broad range of existing security solutions in your stack to provide enriched asset data, improving risk analysis and prioritization.

Outcome:
runZero ensures that your ICT risk management framework is underpinned by a complete and up-to-date view of all assets, enabling precise risk assessment, mitigation, and operational resilience.


 

Article 7: ICT systems, protocols, and tools

What DORA requires:

  • Implement secure ICT systems and tools designed to safeguard the organization’s digital infrastructure from unauthorized access and cyber threats.

  • Maintain a complete and continuously updated inventory of ICT assets.

  • Conduct regular resilience testing through vulnerability assessments and security audits.

 

Key challenges:

  • Legacy discovery tools fail to capture non-traditional protocols or devices outside standard IT ecosystems.

  • Inventory updates are often manual, leading to outdated or incomplete data.

  • Testing often overlooks unmanaged or obscure devices, leaving blind spots.

 

How runZero helps:

With runZero, you gain visibility into your IT, OT, and IoT assets, ensuring every device in your environment is tracked and accounted for. This gives you the deep insight needed to uncover vulnerabilities, misconfigurations, and insecure protocols while mapping interdependencies to reveal hidden security gaps. By spotlighting all assets and exposures, runZero helps you ensure nothing is overlooked, empowering you to make more accurate assessments and build stronger defenses.

  1. Complete, up-to-date inventory management:
    • Provides comprehensive visibility into both internal and external assets, including IT, OT, and IoT devices to ensure all systems are tracked.

    • Regularly updates asset data through continuous monitoring, maintaining up-to-date visibility into the network’s infrastructure.

    • Discovers unknown and unmanaged devices that may not have been previously tracked, ensuring that all assets are accounted for.

    • Updates inventories continuously through automated scanning, ensuring accuracy.

  2. Informs security of ICT systems, protocols, and tools:
    • Identifies CVEs and non-traditional vulnerabilities, such as insecure services and segmentation weaknesses, that compromise infrastructure.

    • Continuously monitors for new or unexpected devices, ensuring prompt response to unauthorized access attempts.

    • Detects outdated or misconfigured protocols like SMBv1, Telnet, or unencrypted HTTP.

    • Maps interdependencies between systems, helping organizations understand how internal and external assets interact, including gaps or deficiencies in security controls and segmentation weaknesses.

  3. Resilience testing optimization:
    • Ensures that all assets, including hidden and rogue devices, are included in vulnerability assessments and threat-based testing procedures.

    • Supports more accurate threat assessments by continuously updating data on internal and external attack surfaces, even as they change.

    • Provides detailed context for each device, such as OS versions, open ports, and known vulnerabilities (CVEs), to prioritize testing efforts.

  4. Third-party tool integration:
    • Integrates with vulnerability management and endpoint security tools to enhance testing scopes and ensure no assets are missed.

Outcome:
runZero delivers detailed asset visibility, empowering your teams to secure ICT systems and conduct comprehensive resilience testing with confidence.


 

Article 8: Identification of critical assets

What DORA requires:

  • Identify and prioritize critical ICT assets and services.

  • Map interdependencies between systems to understand potential cascading failures.

  • Continuously monitor critical assets for emerging risks.

 

Key challenges:

  • Identifying critical assets isn’t just about visibility; it requires understanding each device’s function, connectivity, and risk profile.

  • Interdependency mapping is complex, particularly when third-party services or legacy systems are involved.

  • Monitoring is often siloed, missing broader network impacts.

 

How runZero helps:

runZero gives you full visibility into your critical IT, OT, and IoT assets, maps out how they’re connected, and spots risks like vulnerabilities or misconfigurations. By continuously keeping an eye on everything, it helps you stay ahead of threats and keep your most important systems secure.

  1. Critical asset discovery:
    • Identifies critical devices and services through advanced fingerprinting techniques.

    • Highlights assets critical to business operations based on their roles and interdependencies.

  2. Comprehensive risk mapping:
    • Maps interdependencies across IT, OT, IoT, and third-party systems.

    • Visualizes network connections and highlights cascading risks from single points of failure.

    • Combines detailed internal fingerprinting with external data sources to uncover hidden risks such as shared cryptographic keys, cloned assets, and overlooked misconfigurations that EASM tools miss.

    • Highlights network segmentation issues.

  3. Risk prioritization:
    • Assesses vulnerabilities in critical systems, including software versions, configuration issues, and exposure levels.

    • Monitors for emerging risks and zero-day vulnerabilities through the Rapid Response Program, enabling swift identification of vulnerable assets and timely remediation.

    • Assesses and prioritizes externally facing assets as critical, highlighting high-risk targets with vulnerabilities or misconfigurations that could expose the organization to external threats.

    • Flags critical assets with high-risk vulnerabilities or misconfigurations.

  4. Continuous monitoring:
    • Tracks changes in critical systems, such as new software vulnerabilities or configuration deviations.

    • Monitors for emerging threats, such as exploits targeting specific device types.

Outcome:
runZero provides a detailed, dynamic understanding of critical assets, their risks, and their interdependencies, enabling your team to make more informed decisions and mitigate risk proactively.


 

Article 9: Protection & prevention

What DORA requires:

  • Regularly update software and apply security patches.

  • Address vulnerabilities promptly to minimize risks across systems.

 

Key challenges:

  • Legacy systems and IoT devices often have unique patching challenges, such as vendor-specific firmware updates.

  • Traditional vulnerability management tools struggle to identify end-of-life (EOL) systems or devices with no official CVEs.

 

How runZero helps:

With runZero, you get actionable insights to identify vulnerabilities, enforce security policies, monitor patch status, and stay ahead of emerging risks—ensuring your protection and prevention measures, from IT to IoT, are secure and compliant.

  1. Vulnerability identification:
    • Monitors for emerging risks and zero-day vulnerabilities through the Rapid Response Program, enabling swift identification of vulnerable assets without the need for rescanning.

    • Detects outdated software and unpatched systems across all device types, including OT and IoT.

    • Highlights vulnerabilities in non-traditional assets, such as smart cameras or building management systems.

  2. Policy enforcement:
    • Flags misconfigurations, insecure protocols, and policy violations on a continuous basis.

    • Identifies segmentation weaknesses that expose critical systems to lateral movement attacks.

  3. Patch monitoring:
    • Tracks patch status for all devices, ensuring critical systems are prioritized.

    • Identifies EOL systems, providing actionable recommendations for replacements or compensating controls.

  4. Time-sensitive risk updates:
    • Monitors the external attack surface for vulnerabilities in known or unknown assets exposed on the network edge, ensuring timely detection and mitigation of risks.

    • Continuously monitors for new vulnerabilities or exploits targeting devices in your environment.

    • Alerts on deviations from secure configurations, such as weakened encryption protocols.

Outcome:
runZero empowers your team to proactively manage patching and configuration efforts, ensuring no vulnerabilities are left unchecked—even in unconventional or legacy systems.


 

runZero: Your Partner in DORA Compliance

Compliance with DORA is a monumental challenge that requires comprehensive asset visibility and continuous exposure management. runZero’s capabilities go beyond traditional solutions, offering financial institutions a unified solution to:

  • Discover all assets, including IT, OT, IoT, and unmanaged devices.

  • Monitor continuously for new vulnerabilities, changes, and risks across your complete attack surface.

  • Provide detailed data to enrich security and compliance workflows.

With runZero, you can bridge the gaps that traditional tools leave behind, ensuring not just compliance, but true resilience against today’s evolving cyber threats.

 

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
