cbcvebase.
CVE-2024-21893
published 2024-01-31

CVE-2024-21893: A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons…

Priority: P1 97 high
CVSS 3.1: 8.2 (high), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2024-02-02
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

Affected

29 ranges · showing 25

Vendor   Product                          Version range                      Fixed in
ivanti   connect_secure                   (10 ranges, versions not shown)
ivanti   ics                              22.6R2 – 22.6R2
ivanti   ics                              9.1R18 – 9.1R18
ivanti   ips                              22.6R1 – 22.6R1
ivanti   ips                              9.1R18 – 9.1R18
ivanti   neurons                          (version not shown)
ivanti   neurons_for_zero-trust_access    (5 ranges, versions not shown)
ivanti   policy_secure                    (5 ranges, versions not shown)

Detection & IOCs (extracted from sources)

Source: https://www.rapid7.com/blog/post/2024/02/02/cve-2024-21893-ivanti-connect-secure-ssrf/
  • Monitor for mass exploitation attempts against Ivanti Connect Secure SAML component endpoints; Shadowserver observed 170 distinct IP addresses attempting to exploit CVE-2024-21893 in a short window, indicating broad scanning activity.
  • Exploitation of CVE-2024-21893 targets the SAML component of Ivanti Connect Secure/Policy Secure; monitor HTTP request logs for malformed or unexpected SAML-related requests that bypass authentication and access restricted resources.
  • Attackers were exploiting CVE-2024-21893 before the Rapid7 PoC was published; do not rely solely on PoC publication dates as a trigger for detection — treat any anomalous SAML authentication traffic as potentially malicious.
  • CVE-2024-21893 is chained with CVE-2023-46805 (auth bypass) and CVE-2024-21887 (command injection) by threat actors including UTA0178/UNC5221 to install webshells and backdoors; hunt for webshell artifacts on compromised Ivanti appliances.
  • Use Qualys QID 731126 to scan for CVE-2024-21893 and CVE-2024-21888 on Ivanti Connect Secure and Policy Secure appliances; also query CSAM software inventory for 'PULSE SECURE' to identify exposed assets.
  • Monitor authentication logs and HTTP request logs for malformed tokens or unusual authentication attempts as indicators of CVE-2024-21893 exploitation attempts.
  • CVE-2024-21893 affects Ivanti Connect Secure versions 9.x and 22.x, and Ivanti Policy Secure 9.x and 22.x, as well as Ivanti Neurons for ZTA; detection and patching scope must cover all three product lines.
  • Root-level persistence may survive factory resets on compromised Ivanti appliances; CISA confirmed in a lab environment that factory reset alone is insufficient to remediate compromise from CVE-2024-21893 and related CVEs.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     8.2    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
nvd        v3.0     8.2    HIGH      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
vulncheck           8.3    HIGH
cisa                8.2    HIGH