CVE-2024-40766: The Patch Fixed the Bug. Nobody Fixed the Configuration., (Tue, Jun 23rd)
Summary
CVE-2024-40766, a vulnerability identified in Ivanti Connect Secure and Ivanti Policy Secure gateways, has been patched by the vendor. However, the article highlights that simply applying the patch is insufficient if the underlying configuration issues that enabled the exploit remain unaddressed.
IFF Assessment
This article discusses a patched vulnerability that could still be exploited due to misconfiguration, posing an ongoing risk to defenders.
Severity
The CVSS score is estimated based on the description of a critical vulnerability in network access control devices that, if unpatched or misconfigured, could lead to significant impact. Without precise metrics from the article, a high score is assigned to reflect potential remote code execution and system compromise.
CISA KEV: Listed as actively exploited. Federal patch due: September 30, 2024. Known ransomware use: Known.
Defender Context
Defenders need to be aware that patching vulnerabilities is only one part of the security lifecycle. Configuration management and regular security audits are crucial to ensure that fixes are effective and that systems are not susceptible to exploitation through other means. This case emphasizes the importance of understanding the full attack surface, not just the known vulnerabilities.