CVE-2024-21762 and Ivanti Flaws: Edge Gateway Scanning Escalates

Persistent Threats Against Edge Infrastructure

Defenders are observing a significant and sustained increase in scanning activity targeting perimeter security devices. According to the latest analysis from the SANS Internet Storm Center, automated probes are actively seeking out unpatched instances of Ivanti and Fortinet gateways. These devices, which are designed to provide secure access to internal networks, have become prime targets for both opportunistic attackers and sophisticated APT groups.

The targeting of edge infrastructure represents a shift in attacker TTP sets. By compromising a gateway, attackers can bypass the traditional network perimeter, often gaining a foothold that is invisible to internal EDR solutions. Once a breach occurs, the lack of visibility at the edge allows for unimpeded Lateral Movement throughout the corporate environment.

Deep Dive: Critical Vulnerabilities Under Fire

Ivanti Connect Secure and Policy Secure Risks

The most prevalent scanning activity revolves around a dangerous exploit chain involving CVE-2023-46805 and CVE-2024-21887. The first CVE is an authentication bypass vulnerability that allows an attacker to access restricted resources. When combined with the second, a command injection flaw, it leads to full RCE.

Implementing an effective Ivanti Connect Secure RCE mitigation strategy requires more than just a simple reboot. Defenders must ensure that the specific XML mitigation files provided by the vendor are applied correctly or, preferably, that the latest firmware updates are installed. Failure to do so leaves the device vulnerable to automated Phishing or direct exploitation attempts that can lead to a full-scale Ransomware deployment.

FortiOS SSL-VPN CVE-2024-21762 Patch Guidance

In addition to Ivanti, Fortinet devices are under heavy scrutiny. CVE-2024-21762 is a critical out-of-bounds write vulnerability in FortiOS that can be exploited via specially crafted HTTP requests. This vulnerability carries a CVSS score of 9.8, reflecting its high impact and ease of exploitation.

Organizations should follow official FortiOS SSL-VPN CVE-2024-21762 patch guidance by upgrading to the recommended versions (such as FortiOS 7.4.3 or higher). If patching is not immediately possible, disabling the SSL-VPN service is the only reliable way to prevent exploitation of this specific vector. Given that this flaw is often targeted by nation-state actors for Supply Chain Attack entry points, remediation should be treated as a top priority for the SOC.

Detection and Remediation Strategies

How to Detect CVE-2023-46805 Exploit Attempts

Proactive monitoring is essential for identifying active threats. To understand how to detect CVE-2023-46805 exploit activity, security teams should analyze web server logs for unusual requests to specific API endpoints, such as /api/v1/configuration/users/user-roles. Any IoC related to unauthorized access to these paths should trigger an immediate investigation.

Defenders should also consider the following actions:

• Log Ingestion: Ensure all gateway logs are being forwarded to a SIEM for correlation and long-term analysis.
• Integrity Checks: Use the vendor-provided External Integrity Checker (ICT) for Ivanti devices to detect any unauthorized modifications to the file system.
• Zero Trust Implementation: Shift toward a Zero Trust model where the gateway itself is not inherently trusted, and all internal traffic is strictly authenticated and inspected.

By focusing on these edge vulnerabilities and adhering to the MITRE ATT&CK framework for detection, organizations can better defend against the current wave of gateway-focused attacks.