An emergency vulnerability has emerged in Ivanti products and appliances, and it has sent many service providers, especially those in the federal space, in a rush to close their gaps and respond as best they can.
This article covers the incident, the government’s response, and what it means for service providers.
The latest findings of the last two weeks highlight some vulnerabilities associated with Ivanti products that capture most of the attention of cybersecurity entities such as the Cybersecurity and Infrastructure Security Agency (CISA).
An XML external entity injection (XXE) vulnerability (CVE-2024-22024) has been found, affecting supported versions of Ivanti Connect Secure, ZTA, and Policy Secure products. Ivanti issued software updates on February 8, 2024, mitigating this and many other reported vulnerabilities:
In addition, the company reports active exploitation of Ivanti Connect Secure and Ivanti Policy Secure appliances, broad usage, and against the international environment for businesses of small to large size, including Fortune 500 companies. The vulnerabilities have compromised about 1,700 devices, while about 7,000 are still vulnerable. In mitigation, Ivanti has provided workarounds and advised the user to monitor network traffic for malicious activity while waiting for patching.
Given these critical vulnerabilities and their widespread exploitation, CISA has issued Emergency Directive 24-01, requiring all federal civilian agencies to implement specific actions immediately and vendor-provided mitigation guidance to address the vulnerabilities in these Ivanti appliances. This directive further points out the high risks these vulnerabilities pose to federal government systems and, by extension, those systems of all entities that use the mentioned products. This directive from CISA underscores the urgency for adopting mitigation measures to protect against potential compromise.
According to Ivanti, individuals and organizations using its products should comply with the recommendations put forward by Ivanti and CISA, apply the relevant patches and updates, and watch out for compromise.
What Is CISA Emergency Directive 24-01?
Emergency Directive 24-01 addresses the urgent need to mitigate vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure appliances due to widespread and active exploitation by malicious cyber threat actors. This directive is primarily aimed at Federal Civilian Executive Branch (FCEB) agencies, but CISA strongly encourages all organizations using these Ivanti products to implement the recommended mitigations.
The directive was issued in response to two specific vulnerabilities, CVE-2023-46805 and CVE-2024-21887, which allow attackers to move laterally across networks, perform data exfiltration, and establish persistent system access–essentially, to behave as Advanced Persistent Threats (APTs). Given the significant risks posed by these vulnerabilities to the security of federal systems and the broader community, the directive mandates immediate, specific actions and the implementation of vendor-provided mitigation guidance for these Ivanti appliances.
As part of the directive, federal agencies must disconnect affected Ivanti products from their networks and follow a series of steps to bring them back into service securely. These steps include:
- Exporting configuration settings
- Performing a factory reset
- Rebuilding the device
- Upgrading to a supported software version, and
- Reimporting their configuration.
Additionally, agencies must revoke and reissue any connected or exposed certificates, keys, and passwords.
CISA’s actions in response to the directive include providing templates for reporting agency actions, continuing efforts to identify instances and potential compromises, offering technical assistance to agencies, and providing a comprehensive report on the cross-agency status of the directive’s implementation.
CISA also updated its guidance to include new vulnerabilities and software updates provided by Ivanti, highlighting the need for continuous vigilance and implementing software updates and mitigations as they become available. This provides guidance for dealing with a newly disclosed XXE vulnerability (CVE-2024-22024).
How Does This Impact Cloud Providers Under FedRAMP?
Cloud Service Providers must review and implement actions described in Emergency Directive 24-01 if they maintain federal information, ensuring compliance with FedRAMP requirements. Actions include uploading responses to a FedRAMP reporting template in the incident response folder of their FedRAMP secure repository by specified deadlines. Upon action completion, CSPs must notify agency customer Authorizing Officials and the FedRAMP PMO. This ensures CSPs align with FedRAMP and CISA directives to mitigate vulnerabilities effectively.
What Are XML External Entity Attacks?
XML External Entity (XXE) injection is a type of attack against applications that parse XML input. This attack occurs when an XML parser processes input containing a reference to an external entity (a document outside the current page’s scope). If an application is vulnerable to XXE attacks, attackers can exploit this by including malicious content in the XML data, attempting to trick the parser into executing unintended operations. These operations can involve accessing local or remote content, interacting with other systems in a way that can compromise security, or even execute arbitrary code depending on the application’s configuration and the environment.
The core of an XXE attack is the XML feature that allows an XML document to define entities, which are shortcuts to larger content blocks. These entities can be defined within the document or as references to external sources. In a typical XXE attack, an attacker would define or manipulate these entities in a way that causes the XML parser to access unauthorized resources.
XXE vulnerabilities can lead to various impacts, such as:
- Disclosure of confidential data by including file references in the entity the XML parser will access and include in the processed output.
- Denial of Service (DoS), by referencing entities that consume system resources excessively.
- Server-side request forgery (SSRF) makes the XML parser send requests to unintended locations.
- Port scanning and other internal network reconnaissance from the perspective of the application’s server.
Mitigating XXE attacks typically involve:
- Disabling external entities in the XML parser configuration.
- Using less complex data formats such as JSON, which do not support document type definitions and are not vulnerable to XXE attacks.
- Keeping software and libraries up to date to ensure any security patches for known XXE vulnerabilities are applied.
- Validating and sanitizing all input data ensures it does not contain malicious XML entities.
Developers and security teams should be aware of XXE vulnerabilities, especially when working with applications that accept XML input, to protect against potential data breaches and system compromises.
Respond Quickly to the Latest Vulnerabilities with Lazarus Alliance
If you are a CSP or other provider handling the fallout of the Ivanti security vulnerability, particularly in the federal space, then Lazarus Alliance can help with extensive services including:
- FedRAMP
- StateRAMP
- NIST 800-53
- FARS NIST 800-171
- CMMC
- SOC 1 & SOC 2
- HIPAA, HITECH, & Meaningful Use
- PCI DSS RoC & SAQ
- IRS 1075 & 4812
- ISO 27001, ISO 27002, ISO 27005, ISO 27017, ISO 27018, ISO 27701, ISO 22301, ISO 17020, ISO 17021, ISO 17025, ISO 17065, ISO 9001, & ISO 90003
- NIAP Common Criteria – Lazarus Alliance Laboratories
- And dozens more!
What Is Autonomous Malware?
We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI. With that in mind, a new generation of threats, broadly known as...Continue reading→
What CISA’s Emergency Directive 26-01 Means for Everyone
In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→
Cybersecurity and Vetting AI-Powered Tools
A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→
Shutdown Security And Cyber Vulnerability
When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%. Cybersecurity failures during government disruptions rarely start with...Continue reading→
Identity and the Shift from Malware
The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing. We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→
Maintaining Compliance Against Prompt Injection Attacks
The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→
Are We Already Talking About CMMC 3.0?
The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→
Centralizing Identity-Based Risk
As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector. It has become imperative for providers to centralize identity management...Continue reading→
Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide
FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility. This is where deviation requests and significant change requests come into play. These two...Continue reading→
The Costs of Compliance and Data Breaches
Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks. Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→
