cbcvebase.
CVE-2024-21888
published 2024-01-31


Priority: P1 87 · Severity: high · CVSS 3.1: 8.8
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 86.81% (99.7th percentile)
A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.

Affected (22 ranges)

Vendor   Product          Version range                          Fixed in
ivanti   connect_secure   (10 ranges; versions not listed)
ivanti   ics              22.6R2 – 22.6R2
ivanti   ics              9.1R18 – 9.1R18
ivanti   ips              22.6R1 – 22.6R1
ivanti   ips              9.1R18 – 9.1R18
ivanti   policy_secure    (8 ranges; versions not listed)

Detection & IOCs (extracted from sources)

  • CVE-2024-21888 is a privilege escalation vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure (versions 9.x and 22.x) allowing a user to gain administrator-level privileges; no evidence of in-the-wild exploitation confirmed at time of disclosure
  • CVE-2024-21888 is frequently chained with CVE-2024-21893 (SSRF in SAML component); monitor for privilege escalation activity alongside SSRF attempts on Ivanti Connect Secure and Policy Secure gateways
  • Threat actor group UNC5221/UTA0178 (suspected China-nexus espionage) has been observed exploiting related Ivanti CVEs; hunt for webshells, backdoors, and custom malware strains on Ivanti Connect Secure appliances
  • Mandiant identified five custom malware strains deployed in attacks on Ivanti gateways; also look for XMRig cryptocurrency miners and Rust-based malware payloads on compromised systems
  • Scan for Ivanti Connect Secure or Policy Secure software inventory using the CSAM QQL query to identify exposed assets
  • Check Point Harmony IPS signature available for the related SSRF vulnerability CVE-2024-21893 on Ivanti; use as a detection layer for exploitation attempts against Ivanti gateways
  • CVE-2024-21888 affects all supported versions of Ivanti Connect Secure and Ivanti Policy Secure — versions 9.x and 22.x; patches were released January 31 / February 1, 2024 for versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1
  • As of February 15, 2024, over 13,636 Ivanti servers remained unpatched for CVE-2024-21888 and related CVEs out of 24,239 total internet-exposed Ivanti servers, meaning more than half were still vulnerable

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v3.0      8.8     HIGH       CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck   –         8.8     HIGH       –