CISA Orders Ivanti VPN Appliances Disconnected: What to Do



The United States Cybersecurity and Infrastructure Security Agency (CISA) has given Federal Civilian Executive Branch agencies 48 hours to rip out all Ivanti appliances in use on federal networks, over concerns that multiple threat actors are actively exploiting multiple security flaws in these systems. The order is part of the supplemental direction accompanying last week’s emergency directive (ED 24-01).

Security researchers say Chinese state-backed cyberattackers known as UNC5221 have exploited at least two vulnerabilities in Ivanti Connect Secure, both as zero-days and since disclosure in early January — an authentication bypass (CVE-2023-46895) and a command injection flaw (CVE-2024-21887). In addition, Ivanti said this week that a server-side request forgery flaw (CVE-2024-21893) has already been used in “targeted” attacks as a zero-day, and it disclosed a privilege-escalation vulnerability in the Web component of Ivanti Connect Secure and Ivanti Policy Secure (CVE-2024-21888) that has not yet been observed in attacks in the wild.
