CISA Issues Emergency Directive for Ivanti Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 26-02, requiring all federal agencies to mitigate critical Ivanti Connect Secure vulnerabilities within 48 hours following evidence of widespread exploitation.

Emergency Directive Overview

CISA's directive requires agencies to:

1. Immediately identify all Ivanti Connect Secure instances
2. Apply available mitigations or disconnect devices
3. Reset credentials for all affected users
4. Report compromise indicators within 24 hours

Vulnerabilities Under Exploitation

Two vulnerabilities are being actively chained:

CVE-2026-0178 (Critical - CVSS 10.0)

• Type: Authentication bypass
• Impact: Unauthenticated access to admin interface
• Exploited: Yes, in the wild

CVE-2026-0179 (High - CVSS 8.2)

• Type: Command injection
• Impact: Remote code execution
• Exploited: Yes, chained with CVE-2026-0178

Attack Campaign Details

Mandiant's threat intelligence indicates:

• Attribution: Multiple threat actors, including nation-states
• Targets: Government, defense, critical infrastructure
• Goal: Persistent access for espionage
• Scope: Thousands of devices compromised globally

Timeline

• Jan 8: Ivanti notified of vulnerabilities
• Jan 10: Patches released
• Jan 12: Active exploitation confirmed
• Jan 14: CISA emergency directive issued
• Jan 15: Exploitation reaches mass scale

Affected Products

Detecting Compromise

Integrity Checker Tool

Ivanti released an integrity checking tool:

# Run Ivanti's ICT tool
# Download from Ivanti security portal
./IntegrityCheckerTool.sh

Indicators of Compromise

Check for:

# Suspicious files
/data/runtime/tmp/*.py
/home/perl/*.pm
/data/runtime/cockpit/webserver/*
 
# Modified binaries
/home/bin/curl
/home/bin/compcheckresult.cgi
 
# Suspicious processes
perl -e '...'
python /tmp/*.py

Log Analysis

# Review for unusual patterns:
- Authentication from unexpected locations
- Admin access at unusual times
- Large data transfers
- New admin accounts created

Mitigation Steps

If Patches Available

1. Apply patches immediately
2. Reset all user passwords
3. Revoke and reissue certificates
4. Review access logs

If Patches Not Yet Applied

1. Implement mitigation XML (from Ivanti)
2. Disable external access if possible
3. Enable enhanced logging
4. Monitor for IoCs

If Compromise Suspected

1. Isolate the device immediately
2. Preserve forensic evidence
3. Assume all credentials compromised
4. Report to CISA (federal) or FBI IC3

Impact Assessment

Compromised VPN appliances provide attackers:

• Access to internal networks
• Visibility into VPN user credentials
• Platform for lateral movement
• Persistence mechanism
• Intelligence on network architecture

CISA Resources

CISA has published:

• Technical mitigation guidance
• Forensic analysis playbook
• Indicator of compromise list
• Recovery procedures

Recommendations for All Organizations

Even non-federal organizations should:

1. Inventory all Ivanti products
2. Patch or mitigate immediately
3. Hunt for signs of compromise
4. Prepare for credential reset
5. Monitor for unusual activity

Expert Analysis

"This is one of the most significant VPN vulnerabilities we've seen since the SolarWinds campaign," stated a Mandiant researcher. "Organizations need to assume they may be compromised and act accordingly."

Sources: CISA, Mandiant, Ivanti Security Advisory