Ivanti patches two zero-days under attack, but finds another

Ivanti warned on Wednesday that hackers are exploiting another previously undisclosed zero-day vulnerability affecting its widely used corporate VPN appliance.

Since early December, Chinese state-backed hackers have been exploiting Ivanti Connect Secure’s flaws — tracked as CVE-2023-46805 and CVE-2024-21887 — to break into customer networks and steal information.

Ivanti is now warning that it has discovered two additional flaws — tracked as CVE-2024-21888 and CVE-2024-21893 — affecting its Connect Secure VPN product. The former is described as a privilege escalation vulnerability, while the latter — known as a zero-day because Ivanti had no time to fix the bug before hackers began exploiting it — is a server-side bug that allows an attacker access to certain restricted resources without authentication.

In its updated disclosure, Ivanti said it has observed “targeted” exploitation of the server-side bug. Germany’s Federal Office for Information Security, known as the BSI, said in a translated advisory on Wednesday that it has knowledge of “multiple compromised systems.”

The BSI added that the newly discovered vulnerabilities, particularly the server-side bug, “put all previously mitigated systems at risk again.” Ivanti confirmed it expects “a sharp increase in exploitation” once specifics of the vulnerability are made public.

Ivanti has not attributed these intrusions to a particular threat group. Cybersecurity companies Volexity and Mandiant previously attributed the exploitation of the initial round of Connect Secure bugs to a China government-backed hacking group motivated by espionage. Volexity also said it had observed additional hacking groups actively exploiting the bugs.

Ivanti updated its count of affected customers to “less than 20.” When reached by TechCrunch on Wednesday, Kareena Garg, an agency spokesperson representing Ivanti, would not say how many customers are affected by the new vulnerabilities.

However, Volexity said earlier this month that at least 1,700 Ivanti Connect Secure appliances worldwide had been exploited by the first round of flaws, affecting organizations in the aerospace, banking, defense, government and telecommunications industries, though the number was likely to be far higher.

This is particularly true in light of a CISA advisory released on Tuesday, which warned that attackers had bypassed the current mitigation workarounds and detection methods.

Ivanti’s disclosure of the new zero-day comes on the same day that the company released a patch to protect against the previously disclosed — and subsequently widely exploited — Connect Secure vulnerabilities, albeit a week later than the company had originally planned. Ivanti spokesperson Garg told TechCrunch that the patches also protect against the two new vulnerabilities disclosed on Wednesday.

It’s unclear whether the patch is available to all Ivanti Connect Secure users, as the company previously said that it planned to release the patch on a “staggered” basis starting January 22. Ivanti is now advising that customers “factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment.”
