CISA Orders Immediate Disconnection of Vulnerable Ivanti VPNs

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical directive mandating U.S. federal agencies to take immediate action to secure their networks against actively exploited vulnerabilities in Ivanti Connect Secure and Policy Secure VPN appliances.

Key Developments

• CISA’s supplemental direction follows Emergency Directive 24-01, urging Federal Civilian Executive Branch agencies to secure Industrial Control Systems (ICS) and Intrusion Prevention Systems (IPS) against two zero-day flaws.
• Threat actors have been exploiting CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti appliances since December, with an additional zero-day (CVE-2024-21893) also actively targeted.
• Ivanti released patches for affected software versions and provided mitigation instructions, including a recommendation to factory reset vulnerable appliances before applying patches.
• As of January 31, over 22,000 Ivanti ICS VPNs are exposed online, with almost 390 compromised devices globally.

CISA’s Mandate: Disconnect and Secure

In response to the “substantial threat,” CISA has directed federal agencies to disconnect all instances of Ivanti Connect Secure and Policy Secure from their networks. The deadline for this action is 11:59 PM on Friday, February 2.

Post-Disconnection Protocols

1. Agencies must search for signs of compromise on systems linked to or recently connected to the disconnected Ivanti devices.
2. Continued monitoring of authentication services, isolation of enterprise systems, and auditing of privilege-level access accounts is mandatory.

Recovery Procedures

To bring Ivanti appliances back online, agencies must follow a structured recovery process:

1. Export appliance configurations.
2. Perform a factory reset.
3. Rebuild using patched software versions.
4. Reimport the backed-up configurations.
5. Revoke all connected or exposed certificates, keys, and passwords.

Account Compromise Mitigation

Federal agencies impacted by Ivanti products must assume account compromise and take additional measures:

1. Disable joined/registered devices (in cloud environments).
2. Conduct a double password reset for all accounts (in hybrid setups).
3. Revoke Kerberos tickets and cloud tokens.

Reporting and Compliance

Agencies must report their status on all required actions to CISA using the provided CyberScope template. Updates on progress are required upon CISA’s request or completion of all mandated actions.

This Supplemental Direction remains in effect until CISA determines full compliance or takes other appropriate action.