The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed a breach suffered by its Chemical Security Assessment Tool due to an attack exploiting Ivanti zero-day vulnerabilities.

“CISA’s Chemical Security Assessment Tool (CSAT) was the target of a cybersecurity intrusion by a malicious actor from January 23-26, 2024. While CISA’s investigation found no evidence of exfiltration of data, this intrusion may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts,” CISA said in an advisory.

The security agency is encouraging individuals with CSAT accounts to reset passwords for any account, business or personal, which used the same password. 

Moreover, CISA also pointed out that it did neither collect nor was authorized to collect the addresses or contact details of individuals vetted under the CFATS Personnel Surety Program. 

Consequently, CISA lacks direct means to contact those individuals whose information was submitted by chemical facilities for terrorist vetting purposes.