CVE-2023-46805
published 2024-01-12


Priority: P1 · 97 · high
CVSS 3.1: 8.2 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:L / A:N)
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2024-01-22
Exploited in the wild
EPSS: 99.99% (100.0th percentile)
An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Affected (21 ranges)

Vendor   Product                           Version range                      Fixed in
ivanti   connect_secure                    (8 entries; version range not given)
ivanti   connect_secure_and_policy_secure  (1 entry; version range not given)
ivanti   ics                               22.6R2 – 22.6R2
ivanti   ics                               9.1R18 – 9.1R18
ivanti   ips                               22.6R1 – 22.6R1
ivanti   ips                               9.1R18 – 9.1R18
ivanti   policy_secure                     (8 entries; version range not given)

No "Fixed in" version is recorded for any of the ranges.

Detection & IOCs (extracted from sources)

Indicators:
  • path: libsecure.so
  • ZIPLINE backdoor hijacks the accept() exported function from libsecure.so to intercept incoming network traffic; hunt for unexpected modifications to this shared library on Ivanti Connect Secure appliances.
  • Thinspool dropper writes the Lightwire web shell onto Ivanti CS for persistence; look for the presence of sessionserver.pl and unexpected Perl web shells embedded in legitimate files.
  • Wirefire is a Python-based web shell supporting unauthenticated arbitrary command execution; detect unexpected Python processes or web shell files on Ivanti appliances.
  • Warpwire is a JavaScript-based credential harvester that sends stolen credentials to a C2 server at login; monitor for unexpected JavaScript injected into login pages on Ivanti appliances.
  • Attackers used compromised end-of-life Cyberoam VPN appliances as C2 servers in the same geographic region as targets; correlate outbound connections from Ivanti appliances to Cyberoam device IPs.
  • Attackers covered tracks by overwriting files, time-stomping files, and re-mounting the runtime partition; look for evidence of filesystem remounting as read/write and timestamp anomalies on Ivanti appliances.
  • UNC5221/UTA0178 deployed a GIFTEDVISITOR webshell variant on over 2,100 Ivanti appliances; hunt for GIFTEDVISITOR webshell artifacts on Ivanti Connect Secure systems.
  • CVE-2023-46805 chained with CVE-2024-21887 allows unauthenticated RCE; detect exploitation attempts by monitoring for authentication bypass patterns followed by command injection in web component requests.
  • XMRig cryptocurrency miners and Rust-based malware payloads have been deployed on compromised Ivanti appliances; hunt for XMRig process execution or unexpected Rust binaries on Ivanti systems.
  • Ivanti's internal and previous external Integrity Checker Tool (ICT) failed to detect compromise in multiple incident response engagements; do not rely solely on ICT scans to confirm a clean state, and use the updated external ICT released by Ivanti.
  • Threat actors may maintain root-level persistence on Ivanti appliances even after factory resets; a factory reset alone is insufficient for remediation of compromised devices.
  • Web shells found on compromised systems showed no file mismatches per Ivanti's ICT, meaning ICT-based file integrity checks cannot be trusted as a sole detection mechanism.
  • Exploitation of CVE-2023-46805 began as early as December 3, 2023, well before public disclosure in January 2024; assume any Ivanti Connect Secure appliance exposed since that date may have been compromised.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     8.2    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
nvd        v3.0     8.2    HIGH      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
vulncheck  –        8.3    HIGH      –
cisa       –        8.2    HIGH      –