Ivanti plans to revamp core engineering and security operations to arm against frequent and evolved adversary activities.

A day after patching a batch of high-severity vulnerabilities impacting its critical services, Ivanti has made public its plans to revamp security and vulnerability management controls.

In an open letter addressed to its customers and partners, Ivanti CEO Jeff Abbott said the decision to revamp was made in response to the frequent exploits and security incidents concerning a few of its products.

“Events in recent months have been humbling, and I want you to hear directly from me about the actions we are taking to ensure we emerge stronger, and our customers are more secure,” Abbott said in the letter. “We have challenged ourselves to look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers.”

On Wednesday, the IT security software vendor patched four critical vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure Gateways, the company’s flagship VPN solutions, capable of allowing remote code execution (RCE) and denial of service (DoS) attacks on the affected systems.

Ivanti to undergo a security overhaul

According to the open letter, published along with a YouTube video by Abbott, Ivanti is planning a transformation of its security operating model, which will include revamping core engineering, security, and vulnerability practices, ensuring “secure by design” methodologies for all products, partnering with cyberdefence agencies, and ensuring transparent communication with customers and stakeholders.

“We are now executing a plan that accelerates security initiatives already underway and implements improved practices to anticipate, prevent, and protect against future threats,” Abbott added.
“We have engaged the industry’s most recognized security and product development experts to support the Ivanti team’s review and to provide best-in-class execution guidance, ensuring we meet our commitment to you, so that your organization can work easily, securely, and with confidence.”

In addition, the letter points out that Ivanti plans to optimize its products for security, which includes accelerating the stack modernization of its Network Security products (Ivanti Connect Secure, Policy Secure, and ZTA) with a “variety of isolation and anti-exploit technologies” to reduce the potential impact of future software defects.

Frequently flawed Ivanti products

The latest vulnerabilities include heap overflow (CVE-2024-21894 and CVE-2024-22053), null pointer dereference (CVE-2024-22052), and XML entity expansion or XXE (CVE-2024-22023) flaws capable of allowing interaction-less RCE and DoS attacks. The criticality for these flaws ranges from 5.3 to 8.2 CVSS on a scale of 1 to 10.

These are only a few of the many flaws hitting Ivanti solutions this year, the most notorious being a couple of zero days discovered in January (CVE-2023-46805 and CVE-2024-21887) that saw numerous in-the-wild exploitations, nation-state as well as financially motivated. Subsequently, US government agencies were ordered to take Ivanti VPN products offline as per the US Cybersecurity and Infrastructure Security Agency (CISA) directive.

It isn’t a surprise that Ivanti should take such measures now to ensure the security of its products in the future.

“The challenges we face are not unique in the software industry and we are committed to taking the necessary steps to lead the way for others,” Abbott added.
“Threat actors are constantly evolving — know that we will be too.”