Feb 2, 2024 - Technology

Feds order agencies to disconnect all Ivanti products amid security concerns

Sam Sabin

Illustration of top down view of opened laptops in a grid pattern. — Illustration: Rae Cook/Axios

Federal agencies have until midnight Friday, Feb. 2 to disconnect all Ivanti Connect Secure and Policy Secure devices under a new emergency directive.

Why it matters: Nation-state and cybercriminal hackers are actively exploiting security flaws in the two Ivanti VPN products — which could allow attackers to bypass authentication protocols and remotely navigate a victim's network.

The directive is a sharp escalation from government warnings last month urging agencies to only apply basic mitigations to keep hackers out of their systems.

Driving the news: This week, Ivanti issued a patch for some of the flaws — and shared details about two new critical vulnerabilities in Connect Secure.

Details: The U.S. Cybersecurity and Infrastructure Security Agency ordered agencies to unplug the VPN products in updated guidance Wednesday.

To bring the VPNs back online, agencies must complete a factory reset of the products, upgrade to the latest software versions, and force users to reset their passwords.

Threat level: CISA previously estimated that roughly 15 agencies were using vulnerable Ivanti products.

It remains unclear which agencies are using Ivanti, but several defense-related agencies are known to be customers.
Threat-monitoring platform Shadowserver estimates that hackers had gained access to nearly 390 Ivanti devices as of Wednesday.

Add Axios on Google

Feds order agencies to disconnect all Ivanti products amid security concerns

What to read next