cbcvebase.
CVE-2024-21887
published 2024-01-12

Priority: P1 · 96 · critical
CVSS 3.1: 9.1 (AV:N / AC:L / PR:H / UI:N / S:C / C:H / I:H / A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2024-01-22
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Affected

21 ranges

Vendor   Product                           Version range      Fixed in
ivanti   connect_secure
ivanti   connect_secure
ivanti   connect_secure
ivanti   connect_secure
ivanti   connect_secure
ivanti   connect_secure
ivanti   connect_secure
ivanti   connect_secure
ivanti   connect_secure_and_policy_secure
ivanti   ics                               22.6R2 – 22.6R2
ivanti   ics                               9.1R18 – 9.1R18
ivanti   ips                               22.6R1 – 22.6R1
ivanti   ips                               9.1R18 – 9.1R18
ivanti   policy_secure
ivanti   policy_secure
ivanti   policy_secure
ivanti   policy_secure
ivanti   policy_secure
ivanti   policy_secure
ivanti   policy_secure
ivanti   policy_secure

Detection & IOCs (extracted from sources)

path: libsecure.so
  • ZIPLINE passive backdoor hijacks the accept() exported function from libsecure.so to intercept incoming network traffic; look for unexpected modifications to this shared library on Ivanti Connect Secure appliances.
  • Thinspool dropper writes the Lightwire web shell onto Ivanti CS for persistence; hunt for unexpected Perl web shells embedded in legitimate files on the appliance.
  • Wirefire is a Python-based web shell supporting unauthenticated arbitrary command execution; detect unexpected Python CGI/web processes spawned from the Ivanti web server.
  • Warpwire is a JavaScript credential harvester that sends stolen credentials to a C2 server at login; monitor outbound HTTP/S traffic from the Ivanti login page for anomalous POST requests to external hosts.
  • Attackers used compromised end-of-life Cyberoam VPN appliances as C2 servers in the same geographic region as targets to evade detection; flag outbound connections from Ivanti appliances to Cyberoam VPN IP ranges.
  • CVE-2024-21887 is chained with CVE-2023-46805 (auth bypass) to achieve unauthenticated RCE; detect exploitation attempts targeting the authentication bypass endpoint followed by command injection in web component requests.
  • UNC5221 deployed a GIFTEDVISITOR webshell variant on over 2,100 Ivanti appliances; scan web-accessible directories on Ivanti Connect Secure for the GIFTEDVISITOR webshell.
  • Attackers deployed XMRig cryptocurrency miners and Rust-based malware payloads on compromised Ivanti appliances; monitor for XMRig process execution or outbound mining pool connections from Ivanti devices.
  • Ivanti's internal and previous external Integrity Checker Tool (ICT) failed to detect compromise in multiple incident response engagements; do not rely solely on ICT scans to confirm a clean state.
  • Web shells found on compromised systems showed no file mismatches according to Ivanti's ICT, meaning ICT results cannot be trusted as a definitive indicator of a clean appliance.
  • Threat actors may gain root-level persistence between factory resets; factory reset alone is not sufficient to guarantee removal of compromise on Ivanti Connect Secure and Policy Secure appliances.
  • Exploitation of CVE-2024-21887 has been observed since early December 2023, well before public disclosure in January 2024; assume any Ivanti Connect Secure or Policy Secure appliance exposed to the internet during this window may be compromised.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
nvd         v3.0      9.1     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
osv                   5.5     MEDIUM
vulncheck             8.3     HIGH
cisa                  8.2     HIGH