"by modifying a JavaScript file used by the Web SSL VPN component of ICS"
Guess what? JavaScript yet again. When will this lethal zero-security language be abandoned?
Security experts believe Chinese nation-state attackers are actively exploiting two zero-day vulnerabilities in security products made by Ivanti. If you're an admin or a user of the two products affected, VPN service Ivanti Connect Secure (ICS) and network access control toolkit Policy Secure, you should immediately apply the …
There's nothing wrong with the language; the problem lies with the cretins who decide to use it for purposes it wasn't intended for.
A plastic latch is fine for preventing your toddler from opening kitchen cabinets, but a sane person wouldn't use it as the lock to the front door of their house.
You would expect an ostensibly high-profile (certainly high-price) security product provider to have a little more sense, but evidently not.
This is being handled very poorly by Ivanti. No sign of any patched OS versions, despite a number being meant to have been released this week. They are advising people to upgrade from older point versions to the latest release train, but aren't planning on releasing the patched version of the latest release train until the second wave of patches is released. Arse meet elbow.