With news continuing to break regarding a string of critical vulnerabilities in Ivanti VPN products, including a third this week, the speed at which vulnerabilities can move from disclosure to "broad exploitation activity" was once again on full and unsettling display. The urgency was driven home further when CISA directed all Federal agencies to, "as soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks."
The scenario, while headline grabbing, is all too common. Thus begins another race for organizations to determine usage and exposure and take corrective action. A horde of threat actors is sure to respond immediately, casting a wide net to secure as many footholds on corporate networks as possible for sale to criminal or state-sanctioned groups. Others may use the chaos as cover, exploiting other weaknesses while security teams are distracted.
While many will focus on the actors most likely to exploit these flaws or on the race to patch, we decided to ask our Director of Capability Development, Caleb Gross, to draw on his expertise in the dynamics of exploit creation and execution, and on what organizations can do not only to mitigate risk from this event but also to stay focused on minimizing exposure across the business.