⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Due date: 2024-01-22.
CVE-2024-21887 — Ivanti Connect Secure: Command Injection in Ivanti Connect Secure
Severity
9.1 CRITICAL (NVD)
VulnCheck: 8.2 | CISA: 8.2
EPSS
94.4%
top 0.02%
CISA KEV
KEV | Ransomware
Added 2024-01-10
Due 2024-01-22
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
KEV added: Jan 10
Published: Jan 12
KEV due: Jan 22
Latest update: Aug 28
Description
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.3 | Impact: 6.0
Affected Packages: 4 packages
Vulnerability Details: 4
Exploits & PoCs: 3
Detection Rules: 5
Suricata: ET EXPLOIT Ivanti Connect Secure (9.x,22.x) / Ivanti Policy Secure (9.x,22.x) / Ivanti Neurons for ZTA Command Injection via SSRF (CVE-2024-21887) (2024-02-02)
Suricata: ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt M2 (CVE-2023-46805, CVE-2024-21887) (2024-01-22)
Suricata: ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) M1 (2024-01-17)
Suricata: ET WEB_SPECIFIC_APPS Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) M1 (2024-01-16)
Suricata: ET WEB_SPECIFIC_APPS Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) M2 (2024-01-16)