CVE-2021-44529
published 2021-12-08
Priority P1 · 99 · critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2024-04-15
Exploited in the wild
EPSS: 99.11% (99.9th percentile)
A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | endpoint_manager_cloud_services_appliance | <= 4.5 (end-of-life, no patch) | — |
| ivanti | endpoint_manager_cloud_services_appliance | 4.6 before 4.6.0-512 | 4.6.0-512 |
Detection & IOCs
- Detect exploitation attempts by monitoring HTTP GET requests to /client/index.php whose Cookie header carries base64-encoded PHP in a cookie value (the public PoCs use cookies named 'c', 'exec' and 'pwn'). The PoC sends c=cGhwaW5mbygpOw==, which decodes to phpinfo();. The cookie is only visible where TLS is terminated or decrypted, which is why the Emerging Threats rules for this CVE are tagged tls_state TLSDecrypt.
- Alert on HTTP responses to /client/index.php that contain both 'phpinfo()' and 'Cloud Services Appliance' in the body; that combination indicates successful code injection.
- Monitor for the cookie names 'exec' and 'pwn' alongside 'LDCSASESSID' in requests to /client/index.php; this combination is specific to the public exploit tool.
- Use Shodan/FOFA queries to identify exposed Ivanti CSA instances as attack surface: title:'LANDesk(R) Cloud Services Appliance'.
- Successful exploitation results in command execution as the 'nobody' user; monitor for unexpected process spawning under the 'nobody' account on Linux-based CSA appliances.
- The vulnerability affects Ivanti EPM CSA versions before 4.6.0-512 only; version 4.6.0-512 and later are not affected.
- Exploitation requires no authentication and no user interaction, so any unauthenticated attacker with network access to the appliance can exploit it remotely.
- CSA 4.5 and 4.6 are both listed as vulnerable in the public exploit header (which notes "EOF Aug 2021"); CSA 4.5 is end-of-life and will not receive patches.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-wg22-f643-fv8w: A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited
ghsa_unreviewed·2021-12-09
CVE-2021-44529 [CRITICAL] CWE-94 GHSA-wg22-f643-fv8w: A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited
A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).
VulnCheck
Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-44529 [CRITICAL] CWE-94 Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) contains a code injection vulnerability that allows an unauthenticated user to execute malicious code with limited permissions (nobody).
Affected: Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA)
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/
- https://www.crowdstrike.com/en-us/blog/anatomy-of-alpha-spider-ransomware/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://veriti.ai/blog/vuln
CISA
Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
cisa·2024-03-25·CVSS 9.8
CVE-2021-44529 [CRITICAL] CWE-94 Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
Vulnerability: Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
Affected: Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA)
Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) contains a code injection vulnerability that allows an unauthenticated user to execute malicious code with limited permissions (nobody).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US; https://nvd.nist.gov/vuln/detail/CVE-2021-44529
Remediation Due Date: 2024-04-15
Ivanti
Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
vendor_ivanti·2024-03-25·CVSS 9.8
CVE-2021-44529 [CRITICAL] Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) contains a code injection vulnerability that allows an unauthenticated user to execute malicious code with limited permissions (nobody).
CVE IDs: CVE-2021-44529
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Remediation Due Date: 2024-04-15
Known to be used in ransomware campaigns.
Suricata
ET WEB_SPECIFIC_APPS Ivanti EPM Cloud Services Appliance Backdoor Response (CVE-2021-44529)
suricata·2025-02-05·CVSS 9.8
CVE-2021-44529 [CRITICAL] ET WEB_SPECIFIC_APPS Ivanti EPM Cloud Services Appliance Backdoor Response (CVE-2021-44529)
Rule: alert http $HOME_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Ivanti EPM Cloud Services Appliance Backdoor Response (CVE-2021-44529)"; flow:established,to_client; flowbits:isset,ET.CVE-2021-44529.Request; http.stat_code; content:"200"; http.response_body; content:"|3c|c123|3e|"; startswith; fast_pattern; content:"|3c 2f|c123|3e|"; distance:0; reference:url,attackerkb.com/topics/XTKrwlZd7p/cve-2021-44529; reference:cve,2021-44529; classtype:attempted-admin; sid:2059892; rev:1; metadata:affected_product Ivanti, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_02_05, cve CVE_2021_44529, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact
Suricata
ET WEB_SPECIFIC_APPS Ivanti EPM Cloud Services Appliance Backdoor Access Attempt (CVE-2021-44529)
suricata·2025-02-05·CVSS 9.8
CVE-2021-44529 [CRITICAL] ET WEB_SPECIFIC_APPS Ivanti EPM Cloud Services Appliance Backdoor Access Attempt (CVE-2021-44529)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti EPM Cloud Services Appliance Backdoor Access Attempt (CVE-2021-44529)"; flow:established,to_server; flowbits:set,ET.CVE-2021-44529.Request; http.method; content:"GET"; http.uri; content:"/client/index.php"; http.cookie; content:"|3d|ab|3b 20|"; fast_pattern; pcre:"/^.+(?:c3lzdGVt|N5c3Rlb|zeXN0ZW|PD9waH|w\x2fcGhw|8P3Boc|cGhwaW5mb|BocGluZm|waHBpbmZv)/R"; reference:url,attackerkb.com/topics/XTKrwlZd7p/cve-2021-44529; reference:cve,2021-44529; classtype:attempted-admin; sid:2059891; rev:2; metadata:affected_product Ivanti, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_02_05, cve CVE_2021_44529,
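As an added example (not code from this page, Ivanti, Emerging Threats or the PoC authors), the Python below does on the log side what the Detection & IOCs list and the two ET rules above do on the wire. It derives the three base64 alignments of each keyword, which is why the request rule carries c3lzdGVt|N5c3Rlb|zeXN0ZW for `system` rather than one string; it decodes cookie values on GET /client/index.php and flags PHP in them, the `=ab` PoC marker and the PoC cookie names; and it reproduces the response rule's `<c123>…</c123>` check. The requests, the host name and the session value are constructed, and like the ET rules it only works on decrypted HTTP.

```python
"""Log-side checks for CVE-2021-44529 exploitation attempts (added example;
requests, host name and session value below are constructed samples)."""
import base64
import binascii
import re
from urllib.parse import unquote

# Plaintext the ET request rule hunts for inside base64-encoded cookie values.
PHP_MARKERS = ("system", "<?php", "phpinfo")
# Cookie names used by the public PoCs (LDCSASESSID is the appliance's own cookie).
POC_COOKIE_NAMES = {"c", "exec", "pwn"}
PHP_CODE_RE = re.compile(r"system\s*\(|<\?php|phpinfo\s*\(", re.IGNORECASE)


def base64_alignments(word: str) -> list[str]:
    """Base64 substrings fully determined by `word` when it starts at plaintext
    byte offset 0, 1 or 2. A base64 char covers 6 bits and a byte 8, so only the
    chars whose 6 bits lie entirely inside the word are kept; this is why the ET
    rule carries three alternatives per keyword."""
    variants = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + word.encode()).decode()
        first = (8 * offset + 5) // 6             # ceil(8*offset/6)
        last = (8 * (offset + len(word))) // 6    # floor(8*(offset+len)/6)
        variants.append(enc[first:last])
    return variants


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(header: str) -> dict:
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def decode_b64(value: str):
    """Decode a cookie value that looks like base64, tolerating URL-encoding and
    missing '=' padding; returns None for anything that is not base64."""
    raw = unquote(value).strip()
    if not raw or not re.fullmatch(r"[A-Za-z0-9+/]+=*", raw):
        return None
    try:
        return base64.b64decode(raw + "=" * (-len(raw) % 4)).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def inspect_request(raw: str) -> list[str]:
    """Reasons a request looks like a CVE-2021-44529 attempt (empty list = clean)."""
    method, path, headers = parse_request(raw)
    reasons = []
    if method != "GET" or path.split("?", 1)[0] != "/client/index.php":
        return reasons
    cookies = parse_cookies(headers.get("cookie", ""))
    for name, value in cookies.items():
        if value == "ab":  # the "=ab; " anchor the ET request rule keys on
            reasons.append(f"cookie {name}=ab (PoC marker)")
        decoded = decode_b64(value)
        if decoded and PHP_CODE_RE.search(decoded):
            reasons.append(f"cookie {name} decodes to PHP: {decoded!r}")
    hits = POC_COOKIE_NAMES & cookies.keys()
    if hits:
        reasons.append("PoC cookie name(s): " + ",".join(sorted(hits)))
    return reasons


def is_backdoor_response(status: int, body: str) -> bool:
    """Mirror of the ET response rule: a 200 whose body starts with <c123> and
    later contains </c123>, the markers the public tooling wraps its output in."""
    return status == 200 and body.startswith("<c123>") and "</c123>" in body[6:]


# Constructed samples, not captured traffic.
EXPLOIT_REQ = (
    "GET /client/index.php HTTP/1.1\r\nHost: csa.example.internal\r\n"
    "Cookie: e=ab; exec=" + base64.b64encode(b'system("id");').decode() + "\r\n\r\n"
)
POC_REQ = (
    "GET /client/index.php HTTP/1.1\r\nHost: csa.example.internal\r\n"
    "Cookie: LDCSASESSID=s3ss10n; c=cGhwaW5mbygpOw==\r\n\r\n"
)
BENIGN_REQ = (
    "GET /client/index.php HTTP/1.1\r\nHost: csa.example.internal\r\n"
    "Cookie: LDCSASESSID=s3ss10n\r\n\r\n"
)

if __name__ == "__main__":
    for word in PHP_MARKERS:
        print(word, "->", "|".join(base64_alignments(word)))
    for req in (EXPLOIT_REQ, POC_REQ, BENIGN_REQ):
        print(inspect_request(req) or "clean")
    print(is_backdoor_response(200, "<c123>uid=99(nobody)</c123>"))
```

Run it against decrypted access logs or a proxy capture; on TLS-only taps nothing here fires, exactly as with the ET rules. A cookie named 'c' on its own is a weak signal, so weight the decoded-PHP and `=ab` reasons higher than the cookie-name one when triaging.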
Exploit-DB
Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)
exploitdb·2022-03-22·CVSS 9.8
CVE-2021-44529 [CRITICAL] Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)
---
# Exploit Title: Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)
# Date: 20/03/2022
# Exploit Author: d7x
# Vendor Homepage: https://www.ivanti.com/
# Software Link: https://forums.ivanti.com/s/article/Customer-Update-Cloud-Service-Appliance-4-6
# Version: CSA 4.6 4.5 - EOF Aug 2021
# Tested on: Linux x86_64
# CVE : CVE-2021-44529
###
This is the RCE exploit for the following advisory (officially discovered by Jakub Kramarz):
https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US
Shoutouts to phyr3wall for providing a hint to where the obfuscated code relies
@d7x_real
https://d7x.promiselabs.net
https://www.promiselabs.net
###
# cat /etc/passwd
curl -i -s -k -X $'GET' -b $'e=ab; exec=c3lzdGVtKCJjYXQgL2V
Metasploit
Ivanti Cloud Services Appliance (CSA) Command Injection
metasploit
This module exploits a command injection vulnerability in the Ivanti Cloud Services Appliance (CSA) for Ivanti Endpoint Manager. A cookie based code injection vulnerability in the Cloud Services Appliance before `4.6.0-512` allows an unauthenticated user to execute arbitrary code with limited permissions. Successful exploitation results in command execution as the `nobody` user.
Nuclei
Ivanti EPM Cloud Services Appliance Code Injection
nuclei·CVSS 9.8
CVE-2021-44529 [CRITICAL] Ivanti EPM Cloud Services Appliance Code Injection
Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512 is susceptible to a code injection vulnerability because it allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).
Template:
id: CVE-2021-44529
info:
  name: Ivanti EPM Cloud Services Appliance Code Injection
  author: duty_1g,phyr3wall,Tirtha
  severity: critical
  description: Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512 is susceptible to a code injection vulnerability because it allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).
  impact: |
    Successful exploitation of this vulnerability could lead to remote code execution and compromise of the affected system.
  remediation: |
    Appl
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
Crowdstrike
The Anatomy of an ALPHA SPIDER Ransomware Attack
blogs_crowdstrike
Greynoiseio
NoiseLetter February 2024
blogs_greynoiseio
Greynoiseio
Storm Watch
blogs_greynoiseio
Greynoiseio
Practical Vulnerability Archaeology Starring Ivanti's CVE-2021-44529
blogs_greynoiseio·CVSS 9.8
[CRITICAL] Practical Vulnerability Archaeology Starring Ivanti's CVE-2021-44529
HackerOne
[███████] Remote Code Execution at ██████ [CVE-2021-44529] [HtUS]
hackerone·2023-01-06·CVSS 9.8
CVE-2021-44529 [CRITICAL] [███████] Remote Code Execution at ██████ [CVE-2021-44529] [HtUS]
**IP Address used to find vulnerability:**
`██████`
**Vulnerable Website URL or Application:**
`https://████`
`pomcldsvr2.████`
**Proof of ownership:**
███
**Summary:**
The server at `https://███` is running a vulnerable version of CSA.
A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).
**Steps to Reproduce:**
Use Burp Repeater to send the following GET requests:
*Please note that for the system commands to run, they need to be Base64 encoded. For example, for phpinfo, pass cGhwaW5mbygpOw==*
- For phpinfo()
````
GET /client/index.php HTTP/1.1
Host: ███████
User-Agent: Mozilla/5.0 (Windows
````
References
- http://packetstormsecurity.com/files/166383/Ivanti-Endpoint-Manager-CSA-4.5-4.6-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/170590/Ivanti-Cloud-Services-Appliance-CSA-Command-Injection.html
- https://forums.ivanti.com/s/article/SA-2021-12-02
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44529
Timeline
- 2021-12-08: Published
- 2024-03-25: Added to CISA KEV
- Exploited in the wild