Ivanti researchers this week flagged two zero-day vulnerabilities discovered in its products — CVE-2023-46805 and CVE-2024-21887— that are already being actively exploited by threat actors.

The vulnerabilities were found in Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways, and the vulnerabilities affect all supported versions (Version 9.x and 22.x). Volexity assisted in identifying and reporting the issues in Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways.

CVE-2023-46805 is an authentication bypass vulnerability that allows threat actors to access restricted materials remotely and has a CVSS rating of 8.2. CVE-2024-21887, with a CVSS rating of 9.1, is a command injection vulnerability that allows authenticated admins to send unique requests as well as execute arbitrary commands.