Feb 2, 2024 - Technology

Feds order agencies to disconnect all Ivanti products amid security concerns


Federal agencies have until midnight Friday, Feb. 2 to disconnect all Ivanti Connect Secure and Policy Secure devices under a new emergency directive.

Why it matters: Nation-state and cybercriminal hackers are actively exploiting security flaws in the two Ivanti VPN products — which could allow attackers to bypass authentication protocols and remotely navigate a victim's network.

  • The directive is a sharp escalation from government warnings last month urging agencies to only apply basic mitigations to keep hackers out of their systems.

Driving the news: This week, Ivanti issued a patch for some of the flaws — and shared details about two new critical vulnerabilities in Connect Secure.

Details: The U.S. Cybersecurity and Infrastructure Security Agency ordered agencies to unplug the VPN products in updated guidance Wednesday.

  • To bring the VPNs back online, agencies must complete a factory reset of the products, upgrade to the latest software versions, and force users to reset their passwords.

Threat level: CISA previously estimated that roughly 15 agencies were using vulnerable Ivanti products.

  • It remains unclear which agencies are using Ivanti, but several defense-related agencies are known to be customers.
  • Threat-monitoring platform Shadowserver estimates that hackers had gained access to nearly 390 Ivanti devices as of Wednesday.