Current Activity

Note: CISA will update this Alert with more information as it becomes available.

Updated Jan. 31, 2024:

CISA urges organizations to follow the updated guidance—including software updates—that Ivanti has published to their KB article, which includes:

• Two additional vulnerabilities in all supported versions (9.x and 22.x) of Ivanti Connect Secure and Policy Secure Gateways:
  • A privilege escalation vulnerability (CVE-2024-21888)
  • A server-side request forgery vulnerability (CVE-2024-21893)
• A cyber threat actor could exploit CVE-2024-21888 and CVE-2024-21893 to take control of an affected system. Ivanti’s KB article includes software updates that cover these vulnerabilities in specific versions of the software as well as mitigations for affected software versions that do not yet have updates.
• Software updates are also available for the previously reported Ivanti Connect Secure and Policy Secure Gateways vulnerabilities in Ivanti devices (CVE-2023-46805 and CVE-2024-21887). Note: See the KB article for the specific versions that these updates apply to as well as specific guidance on implementing the updates. Ivanti will publish additional information and software updates to the KB article as these become available.

Additionally, CISA has issued a Supplemental Direction to its Emergency Directive on Ivanti Vulnerabilities. Although the Supplemental Direction and Emergency Directive are only for FCEB agencies, CISA strongly encourages all organizations to review the guidance and implement it as applicable.

End of Jan. 31 update

CISA is releasing this alert to provide cyber defenders with new mitigations to defend against threat actors exploiting Ivanti Connect Secure and Policy Secure Gateways vulnerabilities in Ivanti devices (CVE-2023-46805 and CVE-2024-21887).  

Threat actors are continuing to leverage vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways to capture credentials and/or drop webshells that enable further compromise of enterprise networks. Some threat actors have recently developed workarounds to current mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection. CISA is aware of instances in which sophisticated threat actors have subverted the external integrity checker tool (ICT), further minimizing traces of their intrusion.  

If an organization has been running Ivanti Connect Secure (9.x and 22.x) and Policy Secure gateways over the last several weeks and/or continues to run these products, CISA recommends continuous threat hunting on any systems connected to—or recently connected to—the Ivanti device. Additionally, organizations should monitor authentication, account usage, and identity management services that could be exposed and isolate the system(s) from any enterprise resources as much as possible.  

After applying patches, when these become available, CISA recommends that organizations continue to hunt their network in order to detect any compromise that may have occurred before patches were implemented.  

This guidance supplements CISA’s previous guidance for mitigation and detection, which remains applicable. For previous guidance, see CISA Issues Emergency Directive on Ivanti Vulnerabilities and Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways. 

CISA released eight Industrial Control Systems (ICS) advisories on January 30, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-030-01 Emerson Rosemount GC370XA, GC700XA, GC1500XA
• ICSA-24-030-02 Mitsubishi Electric FA Engineering Software Products
• ICSA-24-030-03 Mitsubishi Electric MELSEC WS Series Ethernet Interface Module
• ICSA-24-030-04 Hitron Systems Security Camera DVR
• ICSA-24-030-05 Rockwell Automation ControlLogix and GuardLogix 
• ICSA-24-030-06 Rockwell Automation FactoryTalk Service Platform
• ICSA-24-030-07 Rockwell Automation LP30/40/50 and BM40 Operator Interface
• ICSA-23-208-03 Mitsubishi Electric CNC Series (Update E)

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Juniper Networks released a security bulletin to address multiple vulnerabilities for J-Web in Junos OS SRX Series and EX Series. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Juniper Bulletin JSA76390 and apply the necessary updates.

Today, CISA published Guidance on Assembling a Group of Products created by the Software Bill of Materials (SBOM) Tooling & Implementation Working Group, one of the five SBOM community-driven workstreams facilitated by CISA. CISA’s community-driven working groups publish documents and reports to advance and refine SBOM and ultimately promote adoption. Specifically, software producers often need to assemble and test products together before releasing them to customers. These products may contain components that experience version changes over time, therefore creating a need to be tracked. This document serves as a guide for creating the build for SBOM assembled products.  

For more information on all things SBOM, please visit CISA’s Software Bill of Materials website. 

Cisco released a security advisory to address a vulnerability (CVE-2024-20253) affecting multiple Unified Communications Products. A cyber threat actor could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review the Cisco Unified Communications Products Remote Code Execution Vulnerability advisory and apply the necessary updates.

CISA released two Industrial Control Systems (ICS) advisories on January 25, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-025-01 MachineSense FeverWarn
• ICSA-24-025-02 SystemK NVR 504/508/516

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Mozilla has released security updates to address vulnerabilities in Thunderbird and Firefox. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following advisories and apply the necessary updates:

• Thunderbird 115.7
• Firefox ESR 115.7
• Firefox 122

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2023-22527 Atlassian Confluence Data Center and Server Template Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has collaborated with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) on Engaging with Artificial Intelligence—joint guidance, led by ACSC, on how to use AI systems securely. The following organizations also collaborated with ACSC on the guidance:

• Federal Bureau of Investigation (FBI)
• National Security Agency (NSA)
• United Kingdom (UK) National Cyber Security Centre (NCSC-UK)
• Canadian Centre for Cyber Security (CCCS)
• New Zealand National Cyber Security Centre (NCSC-NZ) and CERT NZ
• Germany Federal Office for Information Security (BSI)
• Israel National Cyber Directorate (INCD)
• Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and the Secretariat of Science, Technology and Innovation Policy, Cabinet Office
• Norway National Cyber Security Centre (NCSC-NO)
• Singapore Cyber Security Agency (CSA)
• Sweden National Cybersecurity Center

The guidance provides AI systems users with an overview of AI-related threats as well as steps that can help them manage AI-related risks while engaging with AI systems. The guidance covers the following AI-related threats:

1. Data poisoning
2. Input manipulation
3. Generative AI hallucinations
4. Privacy and intellectual property threats
5. Model stealing and training data exfiltration
6. Re-identification of anonymized data

Note: This guidance is primarily for users of AI systems. CISA encourages developers of AI systems to review the recently published Guidelines for Secure AI System Development.

To learn more about how CISA and our partners are addressing both the cybersecurity opportunities and risks associated with AI technologies, visit CISA.gov/AI.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-23222 Apple Multiple Products Type Confusion Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released six Industrial Control Systems (ICS) advisories on January 23, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-023-01 APsystems Energy Communication Unit (ECU-C) Power Control Software
• ICSA-24-023-02 Crestron AM-300
• ICSA-24-023-03 Voltronic Power ViewPower Pro
• ICSA-23-023-04 Westermo Lynx 206-F2G
• ICSA-24-023-05 Lantronix XPort
• ICSMA-24-023-01 Orthanc Osimis DICOM Web Viewer

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Apple has released security updates for iOS and iPadOS, macOS, Safari, watchOS, and tvOS. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Apple security release and apply the necessary updates:

• iOS 17.3 and iPadOS 17.3
• iOS 16.7.5 and iPadOS 16.7.5
• iOS 15.8.1 and iPadOS 15.8.1
• macOS Sonoma 14.3
• macOS Ventura 13.6.4
• macOS Monterey 12.7.3
• Safari 17.3
• watchOS 10.3
• tvOS 17.3

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2023-34048 VMware vCenter Server Out-of-Bounds Write Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has issued Emergency Directive (ED) 24-01 Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities in response to active vulnerabilities in the following Ivanti products: Ivanti Connect Secure and Ivanti Policy Secure.
ED 24-01 directs all Federal Civilian Executive Branch (FCEB) agencies running Ivanti Connect Secure and Ivanti Policy Secure to:

• Implement the mitigations as detailed in the ED.
• Report indications of compromise to CISA.
• Remove compromised products from agency networks and follow the ED’s comprehensive instructions for restoring and bringing the products back into service.
• Apply the updates to the products within 48 hours of Ivanti releasing the updates.
• Provide CISA with a report that includes:
  • A complete inventory of all instances of Ivanti Connect Secure and Ivanti Policy Secure products on agency networks.
  • Details on actions taken and results.

Although this directive is only for FCEB agencies, CISA strongly encourages all organizations to address the vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure. For additional details, see CISA’s Alert, Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways, which CISA will update with further mitigations and patches as these become available.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2023-35082 Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability 

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Atlassian released a security advisory to address a vulnerability (CVE-2023-22527) in out-of-date versions of Confluence Data Center and Server as well as its January 2024 security bulletin to address vulnerabilities in multiple products. A malicious cyber actor could exploit one of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Atlassian Confluence Vulnerability advisory and Atlassian’s January 2024 Security Bulletin and apply the necessary updates.

Oracle released its Critical Patch Update Advisory for January 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Oracle’s January 2024 Critical Patch Update Advisory and apply the necessary updates.

CISA released one Industrial Control Systems (ICS) advisory on January 18, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-018-01 AVEVA PI Server

CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations.

Citrix released security updates to address vulnerabilities (CVE-2023-6548 and CVE-2023-6549) in NetScaler ADC and NetScaler Gateway. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Citrix CTX584986 Security Bulletin and apply the necessary updates.

Today, CISA, the Federal Bureau of Investigation (FBI), and the Environmental Protection Agency released a joint Incident Response Guide for the Water and Wastewater Systems (WWS) Sector. The guide includes contributions from over 25 WWS Sector organizations spanning private industry, nonprofit, and government entities. This coordination enabled CISA, FBI, and EPA to develop a guide with meaningful value to WWS Sector organizations.

Specifically, the guide provides information about the federal support available at each stage of the cyber incident response (IR) lifecycle and aims to enhance WWS Sector cybersecurity by:

•     Establishing clear guidance for reporting cyber incidents;
•     Connecting utilities with available cybersecurity resources, services, and no-cost trainings;
•     Empowering utilities to build a strong cybersecurity baseline to improve cyber resilience and cyber hygiene; and
•     Encouraging utilities to integrate into their local cyber communities.

CISA, FBI, and EPA urge all WWS Sector and critical infrastructure organizations to review this guidance and incorporate it into their organizational cyber incident response planning. Organizations can visit CISA.gov/water for additional sector tools, information, and resources.