cbcvebase.
CVE-2021-44529
published 2021-12-08


Priority: P1 · 99 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2024-04-15
Exploited in the wild
EPSS: 99.11% (99.9th percentile)
A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).

Affected (2 ranges)

Vendor | Product                                   | Version range | Fixed in
ivanti | endpoint_manager_cloud_services_appliance | <= 4.5        | -
ivanti | endpoint_manager_cloud_services_appliance | -             | -

Detection & IOCs (extracted from sources)

path: /client/index.php
cookie: ab=ab; c=cGhwaW5mbygpOw==; d=; e=;
cookie: e=ab; exec=c3lzdGVtKCJjYXQgL2V0Yy9wYXNzd2QiKTs=; pwn=; LDCSASESSID=
cookie: e=ab; exec=c2xlZXAoMTApOw==; pwn=; LDCSASESSID=
version: Ivanti CSA before 4.6.0-512
  • Detect exploitation attempts by monitoring HTTP GET requests to /client/index.php containing base64-encoded PHP payloads in cookie fields (e.g., cookies named 'c', 'exec') — the PoC uses cookie 'c=cGhwaW5mbygpOw==' which decodes to 'phpinfo();'
  • Alert on HTTP responses to /client/index.php that contain both 'phpinfo()' and 'Cloud Services Appliance' in the body, indicating successful code injection
  • Monitor for the presence of cookie parameter names 'exec' and 'pwn' alongside 'LDCSASESSID' in requests to /client/index.php, which are specific to the public exploit tool
  • Use Shodan/FOFA queries to identify exposed Ivanti CSA instances as attack surface: title:'LANDesk(R) Cloud Services Appliance'
  • Successful exploitation results in command execution as the 'nobody' user; monitor for unexpected process spawning under the 'nobody' account on Linux-based CSA appliances
  • The vulnerability affects Ivanti EPM CSA versions before 4.6.0-512 only; version 4.6.0-512 and later are not affected
  • Exploitation requires no authentication and no user interaction, making this remotely exploitable by any unauthenticated attacker with network access to the appliance
  • CSA 4.5 and 4.6 (EOL August 2021) are both listed as vulnerable in the public exploit; CSA 4.5 is end-of-life and will not receive patches
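The first and third detection bullets above can be turned into a small log check. The following Python script is an added example written for this record; it is not part of the record's sources or of any Ivanti or CISA tooling. It takes request records (method, path, Cookie header) as a proxy or web-server log would record them, keeps only requests to /client/index.php, base64-decodes every cookie value, flags any that decode to PHP constructs, and separately flags the 'exec' + 'pwn' + 'LDCSASESSID' cookie combination. The sample requests are constructed from the cookie IoCs listed on this page; the session-ID values, the benign control records and the function names are assumptions.

```python
import base64
import binascii
import re

# Constructed sample requests. The first three Cookie headers are the IoCs
# listed on this record; "PLACEHOLDER" stands in for a real session id.
# Records 4 and 5 are constructed negatives: a normal session cookie on the
# vulnerable path, and encoded PHP sent to an unrelated path.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/client/index.php",
     "cookie": "ab=ab; c=cGhwaW5mbygpOw==; d=; e=;"},
    {"method": "GET", "path": "/client/index.php",
     "cookie": "e=ab; exec=c3lzdGVtKCJjYXQgL2V0Yy9wYXNzd2QiKTs=; pwn=; LDCSASESSID=PLACEHOLDER"},
    {"method": "GET", "path": "/client/index.php",
     "cookie": "e=ab; exec=c2xlZXAoMTApOw==; pwn=; LDCSASESSID=PLACEHOLDER"},
    {"method": "GET", "path": "/client/index.php",
     "cookie": "LDCSASESSID=PLACEHOLDER"},
    {"method": "GET", "path": "/static/logo.png",
     "cookie": "c=cGhwaW5mbygpOw=="},
]

TARGET_PATH = "/client/index.php"

# PHP constructs that have no legitimate reason to appear inside a cookie value.
PHP_TOKEN_RE = re.compile(
    r"(phpinfo\s*\(|\b(system|exec|shell_exec|passthru|eval|sleep)\s*\(|<\?php)",
    re.IGNORECASE,
)

# Cookie names the page attributes to the public exploit tool.
TOOL_COOKIES = {"exec", "pwn", "LDCSASESSID"}


def parse_cookies(header):
    """Split a Cookie header into a {name: value} dict (empty values kept)."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def decode_b64(value):
    """Return the decoded UTF-8 text of a strict base64 value, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def analyze_request(req):
    """Return a list of (rule, cookie_names, decoded_text) findings for one request."""
    findings = []
    if req["path"].split("?", 1)[0] != TARGET_PATH:
        return findings
    cookies = parse_cookies(req.get("cookie", ""))
    for name, value in cookies.items():
        if not value:
            continue
        decoded = decode_b64(value)
        if decoded is not None and PHP_TOKEN_RE.search(decoded):
            findings.append(("encoded_php_in_cookie", name, decoded))
    if TOOL_COOKIES <= set(cookies):
        findings.append(("exploit_tool_cookie_set", ",".join(sorted(TOOL_COOKIES)), ""))
    return findings


def scan(requests):
    """Run analyze_request over a sequence of records; yields (index, finding)."""
    return [(i, f) for i, req in enumerate(requests) for f in analyze_request(req)]


if __name__ == "__main__":
    for index, (rule, names, decoded) in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {rule} cookie={names} decoded={decoded!r}")
```

The path filter keeps the check cheap enough to run over a full day of logs, and decoding with `validate=True` avoids false positives from ordinary session tokens that happen to be base64-like. Responses can be checked the same way for the 'phpinfo()' plus 'Cloud Services Appliance' pairing from the second bullet when the logging tier records bodies.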

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | -       | 9.8   | CRITICAL | -
cisa      | -       | 9.8   | CRITICAL | -