
Attackers are actively exploiting a maximum-severity vulnerability in Ivanti Sentry, the company's secure mobile gateway product, according to a report by BleepingComputer. The flaw carries a CVSS score of 9.8 and, at the time of the report, had not yet been assigned a CVE identifier. It allows an unauthenticated attacker to execute arbitrary code with root privileges on Internet-facing Sentry instances. No attribution to a specific threat actor or group has been made at this time.

Ivanti disclosed the vulnerability and released a patch prior to the exploitation reports, but the confirmation that threat actors are now leveraging the flaw in real-world attacks significantly elevates the risk for any organisation that has not yet applied the fix. The company has urged customers to patch immediately, stressing that the combination of root-level code execution and Internet exposure creates an exceptionally dangerous attack surface.

A Familiar Pattern for Ivanti Products

The incident fits a troubling pattern in Ivanti's edge products over the past two years. Products sitting at the network perimeter, including the Connect Secure and Policy Secure VPN appliances previously targeted through CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection), have repeatedly drawn the attention of both state-sponsored groups and financially motivated attackers. In early 2024 the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 24-01 and then supplemental direction ordering federal agencies to disconnect affected Ivanti VPN products after mass exploitation campaigns.

Sentry, which functions as a gateway for managing and securing mobile enterprise traffic, is another perimeter-facing component, and its compromise grants attackers deep access to the networks it protects. Security researchers have consistently warned that edge infrastructure appliances are attractive targets because they often run with elevated privileges, face the public Internet directly, and may not receive the same patching cadence as servers or endpoints within an organisation's internal environment.

What Is Ivanti Sentry?

Ivanti Sentry, formerly MobileIron Sentry before Ivanti acquired MobileIron in 2020 and rebranded its product line, serves as a gateway that enforces security policies on mobile devices connecting to enterprise resources. It sits between mobile clients and back-end infrastructure, handling authentication, compliance checks, and traffic routing. A root-level compromise of this component could allow an attacker to intercept traffic, manipulate policy enforcement, or pivot deeper into corporate networks.

Remediation Steps

Organisations running Ivanti Sentry should take the following steps immediately:

  • Apply the latest patch from Ivanti's advisories page. The company has released a fix and published detailed guidance.
  • Audit logs for indicators of compromise, looking for unusual process execution, unexpected network connections, or unauthorised configuration changes on Sentry appliances.
  • Restrict Internet exposure where possible. If a Sentry instance does not need to be directly reachable from the public Internet, placing it behind additional network controls can reduce attack surface.
  • Cross-reference with vulnerability scanners. Check Ivanti's official security advisories for the flaw's identifier and verify that your vulnerability management tools have detection signatures in place. Until a CVE is formally assigned, use the advisory reference to query your scanners and threat intelligence platforms directly.
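The log-audit step above is the one teams most often do by eye. The following script, an added example rather than anything from the article or from Ivanti, shows how to turn the three indicator classes it names (unusual process execution, unexpected network connections, unauthorised configuration changes) into repeatable checks over an appliance event export. The JSON-lines format, the field names, the expected networks, the approved-admin set and the change window are all assumptions for the example; the sample events are constructed, not real Sentry output.

```python
"""Triage appliance event logs for the indicator classes in the remediation
list: shells spawned by the gateway service as root, outbound connections to
hosts outside the expected networks, and configuration changes outside the
approved change window or by an unapproved user.  Added example; the JSON-lines
format, field names, networks and window are assumptions, not Ivanti Sentry's
real log schema."""
import json
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample events (not real appliance output).
SAMPLE_EVENTS = """\
{"ts":"2024-03-04T09:12:01Z","type":"process","user":"root","parent":"java","image":"/bin/sh","cmd":"sh -c id"}
{"ts":"2024-03-04T09:12:02Z","type":"netconn","user":"root","image":"curl","dst":"203.0.113.9","dport":443}
{"ts":"2024-03-04T09:15:00Z","type":"config","user":"admin","field":"admin.accounts","action":"add"}
{"ts":"2024-03-04T02:10:00Z","type":"config","user":"admin","field":"tls.certificate","action":"update"}
{"ts":"2024-03-04T10:00:00Z","type":"process","user":"root","parent":"systemd","image":"/usr/sbin/logrotate","cmd":"logrotate /etc/logrotate.conf"}
{"ts":"2024-03-04T10:01:00Z","type":"netconn","user":"sentry","image":"java","dst":"10.20.0.5","dport":443}
"""

# Assumed environment facts, supplied by the operator for their own deployment.
SERVICE_PARENTS = {"java", "httpd", "nginx"}          # processes that front the gateway
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/python3"}
EXPECTED_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("192.0.2.0/24")]
APPROVED_ADMINS = {"admin"}
CHANGE_WINDOW = (time(1, 0), time(5, 0))              # 01:00-05:00 UTC maintenance window


def parse_events(text):
    """Parse JSON-lines into dicts, converting ts to datetime; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def check_process(ev):
    """Flag a root shell or interpreter whose parent is the gateway service."""
    if (ev["user"] == "root" and ev["parent"] in SERVICE_PARENTS
            and ev["image"] in SHELLS):
        return f"root shell {ev['image']} spawned by {ev['parent']}: {ev['cmd']}"
    return None


def check_netconn(ev):
    """Flag an outbound connection to an address outside the expected networks."""
    dst = ip_address(ev["dst"])
    if not any(dst in net for net in EXPECTED_NETWORKS):
        return f"{ev['image']} ({ev['user']}) connected to {dst}:{ev['dport']}"
    return None


def check_config(ev):
    """Flag a config change by an unapproved user or outside the change window."""
    t = ev["ts"].time()
    in_window = CHANGE_WINDOW[0] <= t <= CHANGE_WINDOW[1]
    if ev["user"] not in APPROVED_ADMINS or not in_window:
        return f"{ev['user']} {ev['action']} {ev['field']} at {ev['ts']:%H:%M} UTC"
    return None


CHECKS = {"process": check_process, "netconn": check_netconn, "config": check_config}


def triage(text):
    """Run the matching check over each event; return (rule, timestamp, detail) findings."""
    findings = []
    for ev in parse_events(text):
        check = CHECKS.get(ev["type"])
        if check is None:
            continue
        detail = check(ev)
        if detail:
            findings.append((ev["type"], ev["ts"].isoformat(), detail))
    return findings


if __name__ == "__main__":
    for rule, ts, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {ts} {detail}")
```

On the constructed sample this reports three findings: a root shell under the gateway's service process, the outbound connection from that shell to an address outside the expected networks, and an admin-account change outside the maintenance window. The certificate update at 02:10 by an approved admin and the logrotate run under systemd are not flagged. The value of the rules is in the operator-supplied baselines (service parents, expected networks, approved admins, change window); tune those to the deployment before trusting the output, and treat any root-shell hit on an Internet-facing instance as a reason to start incident response rather than just patching.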

Why This Matters

The confirmation of active exploitation transforms this vulnerability from a patch-management priority into an incident-response concern. Organisations that treat the fix as routine maintenance risk falling behind adversaries who are already scanning for and compromising unpatched instances.

For IT and security teams, this incident underscores a broader lesson: perimeter-facing security appliances demand the same — or even greater — urgency in patching as the assets they are designed to protect. A gateway that is itself compromised undermines every device and user that trusts it.

