Researchers from Juniper Threat Labs reported that threat actors are exploiting recently disclosed Ivanti Connect Secure (ICS) vulnerabilities CVE-2023-46805 and CVE-2024-21887 to drop the payload of the Mirai botnet.

In early January, the software firm reported that threat actors are exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.

“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.” reads the advisory published by Ivanti.

Below is the request employed in the attacks observed by the experts:

“Others have observed instances in the wild where attackers have exploited this vulnerability using both curl and Python-based reverse shells, enabling them to take control of vulnerable systems. More recently, we have encountered Mirai payloads delivered through shell scripts.” reads the analysis published by the experts.

Pierluigi Paganini

(SecurityAffairs – hacking, Mirai botnet)