Chemical facilities alerted over potential data breach by CISA
The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed a data breach on its Chemical Security Assessment Tool (CSAT) that occurred between January 23 and 26, 2025. The breach exposed critical and sensitive information related to private sector chemical security plans, potentially affecting the security and safety of numerous chemical facilities and their infrastructure interdependencies.
Exploitation of Ivanti VPN Vulnerabilities
The attackers gained access to the CSAT system by exploiting zero-day vulnerabilities in Ivanti's remote access VPN products, specifically Ivanti Connect Secure and Policy Secure Gateway. These vulnerabilities, identified as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, allowed attackers to bypass authentication controls and execute commands remotely on the appliance.
Potentially Compromised Data
The data potentially compromised during the breach includes top-screen surveys, security vulnerability assessments, site security plans, personnel surety program submissions, CSAT user accounts, and other sensitive information. Although the agency has not disclosed specific actions taken by the attackers, the potential compromise of such data underscores the severity of the breach.
Layers of Defense and Notifications
CISA maintained several layers of defense and separation between the exploited Ivanti device and potentially sensitive data. However, the agency cannot rule out that unauthorized access was achieved. As a result, notifications were sent to all potentially impacted organizations due to the breach meeting the threshold of a major incident involving unauthorized access to personally identifiable information of at least 100,000 people under the Federal Information Security Management Act of 2002.
Implications and Future Steps
This incident serves as a reminder of the risks associated with unpatched vulnerabilities in widely used VPN technology that provides remote access to critical infrastructure tools. It underscores the importance of timely patching and robust access controls. CISA, which is no longer using the affected Ivanti products, has declined to comment on the specific actions taken by the attackers when they accessed the webshell. The CSAT system remains offline until the Chemical Facility Anti-Terrorism Standards program is reauthorized.
- The attackers gained access to CISA's Chemical Security Assessment Tool (CSAT) by exploiting zero-day vulnerabilities in Ivanti's remote access VPN products, specifically Ivanti Connect Secure and Policy Secure Gateway; the vulnerabilities allowed authentication bypass and remote code execution.
- The data potentially compromised during the breach includes top-screen surveys, security vulnerability assessments, site security plans, personnel surety program submissions, CSAT user accounts, and other sensitive information. The exposure underscores the severity of the breach and the risks of unpatched vulnerabilities in widely used VPN technology that provides remote access to critical infrastructure tools.