CVE-2024-21887

Published: 12/01/2024 Updated: 22/01/2024
CVSS v3 Base Score: 9.1 | Impact Score: 6 | Exploitability Score: 2.3
VMScore: 0

Vulnerability Summary

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Vulnerable Product

ivanti connect secure 22.1

ivanti connect secure 22.2

ivanti connect secure 9.1

ivanti policy secure 22.2

ivanti policy secure 22.1

ivanti policy secure 9.1

ivanti connect secure 22.5

ivanti connect secure 22.4

ivanti connect secure 22.3

ivanti connect secure 22.6

ivanti policy secure 22.3

ivanti policy secure 22.6

ivanti policy secure 22.5

ivanti policy secure 22.4

ivanti connect secure 9.0

ivanti policy secure 9.0

Vendor Advisories

Check Point Reference: CPAI-2024-0016 Date Published: 18 Jan 2024 Severity: Critical ...
Check Point Reference: CPAI-2024-0013 Date Published: 11 Jan 2024 Severity: High ...
Properties Threat Severity High ...
Properties Threat Severity High ...

Exploits

This Metasploit module chains an authentication bypass vulnerability and a command injection vulnerability to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x prior to the vendor mitigation are vulnerable. It is unkno ...
This Metasploit module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x are vulnerab ...
This module chains an authentication bypass vulnerability (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x prior ...
This module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and ...

Metasploit Modules

Ivanti Connect Secure Unauthenticated Remote Code Execution

This module chains an authentication bypass vulnerability (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are also vulnerable.

msf > use exploit/linux/http/ivanti_connect_secure_rce_cve_2023_46805
msf exploit(ivanti_connect_secure_rce_cve_2023_46805) > show targets
    ...targets...
msf exploit(ivanti_connect_secure_rce_cve_2023_46805) > set TARGET < target-id >
msf exploit(ivanti_connect_secure_rce_cve_2023_46805) > show options
    ...show and set options...
msf exploit(ivanti_connect_secure_rce_cve_2023_46805) > exploit

Ivanti Connect Secure Unauthenticated Remote Code Execution

This module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x are vulnerable, prior to the vendor patch released on Feb 1, 2024. It is unknown if unsupported versions 8.x and below are also vulnerable.

msf > use exploit/linux/http/ivanti_connect_secure_rce_cve_2024_21893
msf exploit(ivanti_connect_secure_rce_cve_2024_21893) > show targets
    ...targets...
msf exploit(ivanti_connect_secure_rce_cve_2024_21893) > set TARGET < target-id >
msf exploit(ivanti_connect_secure_rce_cve_2024_21893) > show options
    ...show and set options...
msf exploit(ivanti_connect_secure_rce_cve_2024_21893) > exploit

GitHub Repositories

POC Checker for ivanti CVE-2024-21887 Command injection

ivanti-CVE-2024-21887 POC Checker for ivanti CVE-2024-21887 Command injection

Here is a script to check vulns CVE-2023-46805 and CVE-2024-21887

Here is a script to check vulns of CVE-2023-46805 and CVE-2024-21887

CVE-2023-46805_CVE-2024-21887_scan_grouped Multiple path scanner for the two ivanti CVE grouping all the public poc paths

Ivanti Connect Secure & Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. (RCE Exploits)

CVE-2024-21887 Ivanti Connect Secure & Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance (RCE Exploits)

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

🚨 CVE-2024-21887 Exploit Tool 🛠️ A robust tool for detecting and exploiting the CVE-2024-21887 vulnerability in Ivanti Connect and Policy Secure systems. Description: CVE-2024-21887 is a critical command injection vulnerability, allowing authenticated admins to execute arbitrary commands. This tool aids in identifying and interacting with affected systems. 🚀 Feat

Mitigation validation utility for the Ivanti Connect Around attack chain. Runs multiple checks. CVE-2023-46805, CVE-2024-21887.

Ivanti Connect Around Vulnerability Checker Ivanti Connect Around Vulnerability Checker Overview Features Types of Checks WEB ACCESS SYSTEM INFO BYPASS DETECTED Status Types Explanation Getting Started Requirements Usage Arguments Target Specification Custom Variables Output Stylization To Do Contribution Guidelines Reporting Issues Submitting Pull Requests Int

Practical steps to help mitigate the risk of Zero-Day vulnerabilities

0 Day Mitigations Practical steps to help mitigate the risk of Zero-Day vulnerabilities A presentation delivered to the College IT Conference 2024 As a presentation on YouTube: Coming soon! By James Preston of ANSecurity Personal blog at myworldofitnet Introduction By the end of this presentation you will Understand the common elements in some recent Zero-Day vulnerabili

Rust Library for AttackerKB API

Rust Library for Rapid7 AttackerKB API. For more details on the API refer to api.attackerkb.com/api-docs/docs Usage Cargo.toml: #attackerkb-api-rs = { git = "github.com/emo-crab/attackerkb-api-rs" } attackerkb-api-rs = { version = "010", features = ["nvd-cves"] } example code use attacke

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

CVE-2023-46805 An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. usage: ./CVE-2023-46805.sh http(s)://fqdn:port ./CVE-2023-46805.sh myvpnip:443 notes: chmod +x CVE-2023-46805.sh require app curl + json_pp result if vulnerabl

The script in this repository only checks whether the vulnerabilities specified in the Ivanti Connect Secure product exist.

CVE-2023-46805_CVE-2024-21887 The script in this repository only checks whether the CVE-2023-46805 (Auth Bypass) and CVE-2024-21887 (Remote Code Execution) vulnerabilities specified in the Ivanti Connect Secure product exist. You can check vulnerability details at this link (labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/) USAGE: Ba

Scanner for CVE-2023-46805 - Ivanti Connect Secure

CVE-2023-46805 Scanner CVE-2023-46805 Scanner for possible vulnerable Ivanti Connect Secure appliances by country using Shodan Script version: 13 Updated with the recent blog post made by Assetnote ⚠️ This script is for defensive purposes and should be used by cybersecurity professionals to identify possible vulnerable ICS appliances and make contact as soon as possible w

CVE-2024-21893 to CVE-2024-21887 Exploit Toolkit

Introduction 🌐 This repository contains a Python script designed to exploit the SSRF vulnerability (CVE-2024-21893) and command injection vulnerability (CVE-2024-21887) in Ivanti Connect Secure appliances. On January 31, 2024, these vulnerabilities were disclosed by Ivanti, and have been actively exploited by chaining them together to achieve unauthenticated remote code exec

exploit for ivanti

🚨 CVE-2024-21887 Exploit Tool 🛠️ A robust tool for detecting and exploiting the CVE-2024-21887 vulnerability in Ivanti Connect and Policy Secure systems. Description: CVE-2024-21887 is a critical command injection vulnerability, allowing authenticated admins to execute arbitrary commands. This tool aids in identifying and interacting with affected systems. 🚀 Feat

Recent Articles

MITRE says state hackers breached its network via Ivanti zero-days
BleepingComputer • Sergiu Gatlan • 19 Apr 2024

The MITRE Corporation says that a state-backed hacking group breached its systems in January 2024 by chaining two Ivanti VPN zero-days. The incident was discovered after suspicious activity was detected on MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research and development. MITRE has since notified a...

New Ivanti RCE flaw may impact 16,000 exposed VPN gateways
BleepingComputer • Bill Toulas • 05 Apr 2024

Approximately 16,500 Ivanti Connect Secure and Policy Secure gateways exposed on the internet are likely vulnerable to a remote code execution (RCE) flaw the vendor addressed earlier this week. The flaw is tracked as CVE-2024-21894 and is a high-severity heap overflow in the IPSec component of Ivanti Connect Secure 9.x and 22.x, potentially allowing unauthenticated users to cause denial of ...

Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks
BleepingComputer • Sergiu Gatlan • 03 Apr 2024

IT security software company Ivanti has released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways. Unauthenticated attackers can exploit one of them, a high-severity flaw tracked as CVE-2024-21894, to gain remote code execution and trigger denial of service states on unpatched appliances in low-complexity attacks that don't require use...

Ivanti fixes critical Standalone Sentry bug reported by NATO
BleepingComputer • Sergiu Gatlan • 20 Mar 2024

Ivanti warned customers to immediately patch a critical severity Standalone Sentry vulnerability reported by NATO Cyber Security Centre researchers. Standalone Sentry is deployed as an organization's Kerberos Key Distribution Center Proxy (KKDCP) server or as a gatekeeper for ActiveSync-enabled Exchange and Sharepoint servers. Tracked as CVE-2023-41724, the security flaw impacts all supported ...

Magnet Goblin hackers use 1-day flaws to drop custom Linux malware
BleepingComputer • Bill Toulas • 09 Mar 2024

A financially motivated hacking group named Magnet Goblin uses various 1-day vulnerabilities to breach public-facing servers and deploy custom malware on Windows and Linux systems. 1-day flaws refer to publicly disclosed vulnerabilities for which a patch has been released. Threat actors looking to exploit these flaws must do so quickly before a target can apply security up...

CISA warns against using hacked Ivanti devices even after factory resets
BleepingComputer • Sergiu Gatlan • 29 Feb 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who breached Ivanti appliances using one of multiple actively exploited vulnerabilities can maintain root persistence even after performing factory resets. Furthermore, they can also evade detection by Ivanti's internal and external Integrity Checker Tool (ICT) on Ivanti Connect Secure...

CISA cautions against using hacked Ivanti VPN gateways even after factory resets
BleepingComputer • Sergiu Gatlan • 29 Feb 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets. Furthermore, they can also evade detection by Ivanti's internal and external Integrity Checker Tool (ICT) on Iv...

Number of orgs compromised via Ivanti VPN zero-days grows as Mandiant weighs in
The Register

Snoops had no fewer than five custom bits of malware to hand to backdoor networks

Two zero-day bugs in Ivanti products were likely under attack by cyberspies as early as December, according to Mandiant's threat intel team. The software biz disclosed the vulnerabilities in Ivanti Connect Secure (ICS) – the VPN server appliance previously known as Pulse Connect Secure – and its Policy Secure gateways on Wednesday. At the time the biz said someone or some group had already found and exploited the holes. A spokesperson for Ivanti told The Register the victim count was "less t...

Ivanti devices hit by wave of exploits for latest security hole
The Register

At this point you might be better off just shutting the stuff down

Various miscreants are attempting to exploit the latest Ivanti flaw, a server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893 that can be used to hijack equipment. That's according to threat hunters tracking the string of CVE-listed security holes plaguing the VPN gateways in recent weeks. Ivanti on January 31 disclosed and began patching CVE-2024-21893, which is present in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) ap...

Ivanti and Juniper Networks accused of bending the rules with CVE assignments
The Register

Critics claim now-fixed vulnerabilities weren't disclosed, flag up grouping of multiple flaws under one CVE

Critics are accusing major tech companies of not sticking to the rules when it comes to registering vulnerabilities with the appropriate authorities. Both Juniper Networks and Ivanti have attracted criticism from members of the infosec industry for the way they've handled the disclosure of vulnerabilities over the past week.  The networking giant was accused of patching security flaws without disclosing them as standalone vulnerabilities, while Ivanti was called out for seemingly bundling m...

Ivanti commits to secure-by-design overhaul after vulnerability nightmare
The Register

CEO addresses whirlwind start to 2024 and how it plans to prevent a repeat

Ivanti has committed to adopting a secure-by-design approach to security as it gears up for an organizational overhaul in response to the multiple vulnerabilities in Connect Secure exploited earlier this year. CEO Jeff Abbott penned an open letter to Ivanti's customers and partners this week, saying "events in recent months have been humbling," before detailing the various changes Ivanti plans to make. "We will use this opportunity to begin a new era at Ivanti," Abbott's letter reads. "We have c...