CVE-2024-21888
Published 2024-01-31
CVE-2024-21888: A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate…
Priority P187 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 86.81% (99.7th percentile)
A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | ics | 22.6R2 – 22.6R2 | — |
| ivanti | ics | 9.1R18 – 9.1R18 | — |
| ivanti | ips | 22.6R1 – 22.6R1 | — |
| ivanti | ips | 9.1R18 – 9.1R18 | — |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | — | — |
Detection & IOCs (extracted from sources)
- CVE-2024-21888 is a privilege escalation vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure (versions 9.x and 22.x) allowing a user to gain administrator-level privileges; no evidence of in-the-wild exploitation confirmed at time of disclosure
- CVE-2024-21888 is frequently chained with CVE-2024-21893 (SSRF in SAML component); monitor for privilege escalation activity alongside SSRF attempts on Ivanti Connect Secure and Policy Secure gateways
- Threat actor group UNC5221/UTA0178 (suspected China-nexus espionage) has been observed exploiting related Ivanti CVEs; hunt for webshells, backdoors, and custom malware strains on Ivanti Connect Secure appliances
- Mandiant identified five custom malware strains deployed in attacks on Ivanti gateways; also look for XMRig cryptocurrency miners and Rust-based malware payloads on compromised systems
- Scan for Ivanti Connect Secure or Policy Secure software inventory using the CSAM QQL query to identify exposed assets
- Check Point Harmony IPS signature available for the related SSRF vulnerability CVE-2024-21893 on Ivanti; use as a detection layer for exploitation attempts against Ivanti gateways
- CVE-2024-21888 affects all supported versions of Ivanti Connect Secure and Ivanti Policy Secure (versions 9.x and 22.x); patches were released January 31 / February 1, 2024 for versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1
- As of February 15, 2024, over 13,636 Ivanti servers remained unpatched for CVE-2024-21888 and related CVEs out of 24,239 total internet-exposed Ivanti servers, meaning more than half were still vulnerable
CVSS provenance
- nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- nvd · v3.0 · 8.8 HIGH · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- vulncheck · 8.8 HIGH
GHSA
GHSA-24gf-6m5f-h6pg: A privilege escalation vulnerability in web component of Ivanti Connect Secure (9
ghsa_unreviewed·2024-01-31
CVE-2024-21888 [HIGH] CWE-269 GHSA-24gf-6m5f-h6pg: A privilege escalation vulnerability in web component of Ivanti Connect Secure (9
A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.
VulnCheck
Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
vulncheck·2024·CVSS 8.2
CVE-2024-21887 [HIGH] CWE-77 Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authentication bypass issue.
Affected: Ivanti Connect Secure and Policy Secure
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://ww
VulnCheck
Ivanti Connect Secure Privilege Escalation
vulncheck·2024·CVSS 8.8
CVE-2024-21888 [HIGH] Ivanti Connect Secure Privilege Escalation
Ivanti Connect Secure Privilege Escalation
A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.
Affected: Ivanti Connect Secure and Policy Secure
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b; https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/; https://eclypsium.com/blog/salt-typhoon/; https://insights.nccgroup.com/l/898251/2025-01-24/31knsst/898251/1737713506BZGVGklo/TI_Annual_Report_24_d
VulnCheck
Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability
vulncheck·2024·CVSS 8.2
CVE-2024-21893 [HIGH] CWE-918 Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability
Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication.
Affected: Ivanti Connect Secure, Policy Secure, and Neurons
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/; https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-C
VulnCheck
Ivanti Connect Secure and Policy Secure Improper Restriction of XML External Entity Reference
vulncheck·2024·CVSS 8.3
CVE-2024-22024 [HIGH] Ivanti Connect Secure and Policy Secure Improper Restriction of XML External Entity Reference
Ivanti Connect Secure and Policy Secure Improper Restriction of XML External Entity Reference
An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.
Affected: Ivanti Connect Secure and Policy Secure
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wiz.io/blog/ivanti-vulnerabilities-cve-2023-46805-cve-2024-21887-cve-2024-21888-and-cve-2024-21893; https://attackerkb.com/assessments/e3572615-0a93-4e5b-a181-432316d5c6d3; https://twitter.com/collysucker/status/17559
VulnCheck
Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
vulncheck·2023·CVSS 8.2
CVE-2023-46805 [HIGH] CWE-287 Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability.
Affected: Ivanti Connect Secure and Policy Secure
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.volexity.com/blog/2024/0
Ivanti
Ivanti Connect Secure Privilege Escalation
vendor_ivanti·CVSS 8.8
CVE-2024-21888 [HIGH] Ivanti Connect Secure Privilege Escalation
Ivanti Connect Secure Privilege Escalation
CVE IDs: CVE-2024-21888
Affected products: Connect Secure, Policy Secure
No detection rules found.
No public exploits indexed.
Tenable
Chinese State-Sponsored Actors Compromising Global Networks
blogs_tenable·2025-08-29
Tenable
Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends
blogs_tenable·2025-04-23
Tenable
Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor
blogs_tenable·2025-01-23
Tenable
CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
blogs_tenable·2025-01-08·CVSS 9.0
[CRITICAL] CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
Tenable
AA24-241A : Joint Cybersecurity Advisory on Iran-based Cyber Actors Targeting US Organizations
blogs_tenable·2024-08-28
Zscaler
Another CVE (PAN-OS Zero Day) | Zscaler
blogs_zscaler·2024-04-12·CVSS 10.0
[CRITICAL] Another CVE (PAN-OS Zero Day) | Zscaler
Bleepingcomputer
Magnet Goblin hackers use 1-day flaws to drop custom Linux malware
blogs_bleepingcomputer·2024-03-09·CVSS 9.8
[CRITICAL] Magnet Goblin hackers use 1-day flaws to drop custom Linux malware
## Magnet Goblin hackers use 1-day flaws to drop custom Linux malware
## Bill Toulas
A financially motivated hacking group named Magnet Goblin uses various 1-day vulnerabilities to breach public-facing servers and deploy custom malware on Windows and Linux systems.
1-day flaws refer to publicly disclosed vulnerabilities for which a patch has been released. Threat actors looking to exploit these flaws must do so quickly before a target can apply security updates.
Though exploits are usually not made available immediately upon a flaw's disclosure, some vulnerabilities are trivial to figure out how to leverage. Additionally, reverse-engineering the patch may reveal the underlying problem and how to exploit it.
Check Point analysts who identified Magnet Goblin report that these threat act
Checkpoint
Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
blogs_checkpoint·2024-03-08·CVSS 4.9
CVE-2024-21887 [MEDIUM] Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
## Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
## Key Points
Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vuln
Bleepingcomputer
Over 13,000 Ivanti gateways vulnerable to actively exploited bugs
blogs_bleepingcomputer·2024-02-15·CVSS 8.2
CVE-2024-22024 [HIGH] Over 13,000 Ivanti gateways vulnerable to actively exploited bugs
## Over 13,000 Ivanti gateways vulnerable to actively exploited bugs
## Bill Toulas
Thousands of Ivanti Connect Secure and Policy Secure endpoints remain vulnerable to multiple security issues first disclosed more than a month ago and which the vendor gradually patched.
The flaws are CVE-2024-22024, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888. Their severity ranges from high to critical and they concern authentication bypass, server-side-request forgery, arbitrary command execution, and command injection problems.
Some of these vulnerabilities have been reported as exploited by nation-state actors before being leveraged at a larger scale by a broad range of threat actors.
Starting with CVE-2024-22024, the issue is an XXE vulnerability in the SAML compo
Wiz
Critical Vulnerabilities in Ivanti Exploited In-The-Wild | Wiz Blog
blogs_wiz·2024-02-06·CVSS 8.2
CVE-2023-46805 [HIGH] Critical Vulnerabilities in Ivanti Exploited In-The-Wild | Wiz Blog
February 9, 2024 update
On February 8, 2024, Ivanti released an advisory for a new high-severity authentication bypass vulnerability, CVE-2024-22024, impacting Ivanti Connect Secure (`9.x, 22.x`), Ivanti Policy Secure (`9.x, 22.x`) and ZTA gateways. The flaw in the SAML component of the mentioned products allows an attacker to access certain restricted resources without authentication. On February 9, 2024, the vulnerability was reported to be exploited in the wild.
Customers are advised to patch urgently to the fixed versions: Connect Secure versions `9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, 22.6R2.2`, Ivanti Policy Secure versions `9.1R17.3, 9.1R18.4, 22.5R1.2` and ZTA gateways versions `22.5R1.6, 22.6R1.5, 22.6R1.7`.
Wiz customers can use the pre-built query and
Wiz
Critical Vulnerabilities in Ivanti Exploited In-The-Wild | Wiz Blog
blogs_wiz·2024-02-06·CVSS 8.2
CVE-2023-46805 [HIGH] Critical Vulnerabilities in Ivanti Exploited In-The-Wild | Wiz Blog
On January 10, 2024, Ivanti released an advisory along with mitigation strategies (but no patches) for two vulnerabilities affecting Connect Secure VPN devices: CVE-2023-46805 and CVE-2024-21887. When exploited in tandem, they enable unauthenticated remote code execution, and Ivanti urged immediate customer response. A few days later, researchers announced that they had identified active exploitation of these vulnerabilities as 0-days, dating back to December 2023, and provided details of the related threat activity.
A few weeks later, on January 31, 2024, Ivanti disclosed two more high-severity vulnerabilities: CVE-2024-21888, a pr
Checkpoint
5th February – Threat Intelligence Report
blogs_checkpoint·2024-02-05
CVE-2024-21893 5th February – Threat Intelligence Report
## 5th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 5th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
AnyDesk Software GmbH, the company behind the popular remote desktop application, has confirmed a cybersecurity incident in which the attackers gained access to the company’s production systems. Reportedly, source code and private code signing keys were stolen during the attack. As part of the response, AnyDesk have revoked
Tenable
Cybersecurity Snapshot: Attackers Hack Routers To Hit Critical Infrastructure, as CISA Calls for More Secure Router Design
blogs_tenable·2024-02-02
Zscaler
Ivanti VPN Vulnerability | ThreatLabz
blogs_zscaler·2024-02-02·CVSS 8.2
[HIGH] Ivanti VPN Vulnerability | ThreatLabz
Tenable
CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
blogs_tenable·2024-01-31·CVSS 8.2
[HIGH] CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
Bleepingcomputer
Ivanti warns of new Connect Secure zero-day exploited in attacks
blogs_bleepingcomputer·2024-01-31·CVSS 8.2
CVE-2024-21893 [HIGH] Ivanti warns of new Connect Secure zero-day exploited in attacks
## Ivanti warns of new Connect Secure zero-day exploited in attacks
## Sergiu Gatlan
Today, Ivanti warned of two more vulnerabilities impacting Connect Secure, Policy Secure, and ZTA gateways, one of them a zero-day bug already under active exploitation.
The zero-day flaw (CVE-2024-21893) is a server-side request forgery vulnerability in the gateways' SAML component that enables attackers to bypass authentication and access restricted resources on vulnerable devices.
A second flaw (CVE-2024-21888) in the gateways' web component allows threat actors to escalate privileges to those of an administrator.
"As part of our ongoing investigation into the vulnerabilities reported on 10 January in Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways, we have discovered new vulnerabiliti
Unit42
Threat Brief: Multiple Ivanti Vulnerabilities (Updated Feb. 29)
blogs_unit42·2024-01-16·CVSS 8.2
CVE-2023-46805 [HIGH] Threat Brief: Multiple Ivanti Vulnerabilities (Updated Feb. 29)
## Threat Brief: Multiple Ivanti Vulnerabilities (Updated Feb. 29)
Unit 42
Published: January 16, 2024
CVE-2023-46805
CVE-2024-21887
CVE-2024-21888
CVE-2024-21893
CVE-2024-22024
Ivanti
VPNs
Unit 42 stopped monitoring this threat and updating the brief on Feb. 29, 2024. Please refer to Ivanti's website for the latest information.
## Update Feb. 29
The U.S. government, in collaboration with international government allies, has published a Joint Cybersecurity Advisory (CSA) which includes recent findings about exploitation of the Ivanti vulnerabilities. In this report the authoring organizations state that threat actors are able to deceive Ivanti’s internal and external Integr
Unit42
Threat Brief: Multiple Ivanti Vulnerabilities (Updated Feb. 29)
blogs_unit42·2024-01-16·CVSS 8.3
CVE-2023-46805 [HIGH] Threat Brief: Multiple Ivanti Vulnerabilities (Updated Feb. 29)
Unit 42 stopped monitoring this threat and updating the brief on Feb. 29, 2024. Please refer to Ivanti's website for the latest information.
## Update Feb. 29
The U.S. government, in collaboration with international government allies, has published a Joint Cybersecurity Advisory (CSA) which includes recent findings about exploitation of the Ivanti vulnerabilities. In this report the authoring organizations state that threat actors are able to deceive Ivanti’s internal and external Integrity Checker Tools (ICT) which results in a failure to detect a compromise. They also state that cyber threat actors may be able to maintain root-level persistence despite issuing factory resets.
This CSA also includes guidance on incident response steps. They recommend defenders reset all credentials tha
Qualys
Dual Zero-Day Threats in Ivanti Connect Secure and Policy Secure Gateways – CVE-2023-46805 and CVE-2024-21887
blogs_qualys·2024-01-11·CVSS 8.2
[HIGH] Dual Zero-Day Threats in Ivanti Connect Secure and Policy Secure Gateways – CVE-2023-46805 and CVE-2024-21887
In recent and alarming cybersecurity developments, Volexity researchers have discovered that attackers are exploiting two distinct zero-day vulnerabilities in a coordinated manner to enable unauthenticated remote code execution (RCE). These vulnerabilities are identified as CVE-2023-46805 and CVE-2024-21887, posing a significant threat when combined. Moreover, their severity has been recognized by the Cybersecurity and Infrastructure Security Agency (CISA), leading to their inclusion in the agency’s Known Exploited Vulnerabilities (KEV) catalog. This
Tenable
CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways
blogs_tenable·2024-01-10·CVSS 8.2
[HIGH] CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways
Zscaler
CISO Monthly Roundup, January 2024: Zero day VPN vulnerabilities, DreamBus, ZLoader, Qakbot, and recent security advisories | CXO Revolutionaries
blogs_zscaler·CVSS 4.9
[MEDIUM] CISO Monthly Roundup, January 2024: Zero day VPN vulnerabilities, DreamBus, ZLoader, Qakbot, and recent security advisories | CXO Revolutionaries
## CISO Monthly Roundup, January 2024: Zero day VPN vulnerabilities, DreamBus, ZLoader, Qakbot, and recent security advisories
Deepen Desai
Contributor
Zscaler
## Feb 13, 2024
In the latest edition of the CISO Monthly Roundup we examine recent zero day VPN vulnerabilities and offer threat analysis on DreamBus, ZLoader, and Qakbot. We also take a look at recent security advisories and offer our insights.
The CISO Monthly Roundup provides the latest threat research from the ThreatLabz team, along with CISO insights on other cyber-related subjects. Over the past month ThreatLabz has examined Ivanti VPN vulnerabilities, performed a deep dive on Qakbot, analyzed new DreamBus modules, discovered new Zloader capabilities and addressed relevant security advisories.
## Critica
Zscaler
CISO Monthly Roundup, February 2024: Ivanti VPN exploits, WINELOADER attacks on European diplomats, Pikabot analysis, and Midnight Blizzard campaign | CXO Revolutionaries
blogs_zscaler·CVSS 4.9
[MEDIUM] CISO Monthly Roundup, February 2024: Ivanti VPN exploits, WINELOADER attacks on European diplomats, Pikabot analysis, and Midnight Blizzard campaign | CXO Revolutionaries
## CISO Monthly Roundup, February 2024: Ivanti VPN exploits, WINELOADER attacks on European diplomats, Pikabot analysis, and Midnight Blizzard campaign
Deepen Desai
Contributor
Zscaler
## Mar 11, 2024
The CISO Monthly Roundup provides the latest threat research from the ThreatLabz team, along with CISO insights on cyber-related subjects. Over the past month we helped global organizations respond to the fallout from Ivanti VPN Zero Day exploits, investigated SPIKEDWINE campaign targeting European diplomats, delved into the details of Pikabot, and examined the Midnight Blizzard campaign.
## ThreatLabz Coverage Advisory: Ivanti’s VPN Vulne
2024-01-31
Published
Exploited in the wild