Agencies Receive New CISA Mandate to Patch Active Exploits in Ivanti Software

The Cybersecurity and Infrastructure Security Agency has ordered government agencies to immediately work to mitigate two actively exploited vulnerabilities in Ivanti’s Connect Secure and Policy Secure products.

Implementing Emergency Directive 24-01 is mandatory for federal civilian executive branch agencies and strongly recommended for other organizations using such products, CISA said Friday.

The agency said issuing an emergency directive was necessary given the vulnerabilities’ prevalence across federal systems and the potential impact of compromise.

Attackers could use the exploits to move laterally across a network, steal data and establish persistent access, CISA explained.

The agency added that it would assess and support agencies’ compliance with the emergency directive.

In 2023, CISA and the Norwegian National Cyber Security Centre issued a joint cybersecurity advisory on another actively exploited vulnerability in a different Ivanti product. The security flaw allowed attackers to compromise a Norwegian government agency network and steal information from several businesses.