An official website of the United States government
Here’s how you know
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Search
This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities. 
Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2). Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3). Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v). These directives do not apply to statutorily defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B). 
CISA has observed widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions, hereafter referred to as “affected products.” Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems.  
CISA has determined these conditions pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action. This determination is based on widespread exploitation of vulnerabilities by multiple threat actors, the prevalence of the affected products in the federal enterprise, the high potential for a compromise of agency information systems, the impact of a successful compromise, and the complexity of the proposed mitigations.
On January 10, 2024, Ivanti released the following information on the vulnerabilities in the affected products:
When exploited in tandem, these vulnerabilities allow a malicious threat actor to execute arbitrary commands on a vulnerable product. Ivanti has released a temporary mitigation through an XML file that can be imported into affected products to make necessary configuration changes until the permanent update is available.
This Directive requires agencies to implement Ivanti’s published mitigation immediately to the affected products in order to prevent future exploitation. As this initial action does not remedy an active or past compromise, agencies are also required to run Ivanti’s External Integrity Checker Tool and take additional steps if indications of compromise are detected.
The required actions in this Emergency Directive align with requirements in CISA’s Binding Operational Directive 22-01 and do not conflict with any previous requirements.
Agencies running affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions) are required to perform the following tasks:
To fully restore a compromised product and bring it back into service, agencies are also required to follow Ivanti’s instructions and perform the following additional actions on all compromised products:
These required actions apply to agency assets in any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.
For federal information systems hosted in third-party environments, each agency is responsible for maintaining an inventory of its information systems hosted in those environments (FedRAMP Authorized or otherwise) and obtaining status updates pertaining to, and to ensure compliance with, this Directive. Agencies should work through the FedRAMP program office to obtain these updates for FedRAMP Authorized cloud service providers and work directly with service providers that are not FedRAMP Authorized.
All other provisions specified in this Directive remain applicable.
This Emergency Directive remains in effect until CISA determines that all agencies operating affected software have performed all required actions from this Directive or the Directive is terminated through other appropriate action.
Visit https://www.cisa.gov/news-events/directives or contact the following for:

source