CVE-2024-21893
Published 2024-01-31
Priority: P1 · 97 · high · 8.2 CVSS 3.1
Vector: AV:N AC:L PR:N UI:N S:U C:H I:L A:N
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability · due 2024-02-02
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
Affected
29 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | connect_secure | — | — |
| ivanti | ics | 22.6R2 – 22.6R2 | — |
| ivanti | ics | 9.1R18 – 9.1R18 | — |
| ivanti | ips | 22.6R1 – 22.6R1 | — |
| ivanti | ips | 9.1R18 – 9.1R18 | — |
| ivanti | neurons | — | — |
| ivanti | neurons_for_zero-trust_access | — | — |
| ivanti | policy_secure | — | — |
Detection & IOCs (extracted from sources)
- Monitor for mass exploitation attempts against Ivanti Connect Secure SAML component endpoints; Shadowserver observed 170 distinct IP addresses attempting to exploit CVE-2024-21893 in a short window, indicating broad scanning activity.
- Exploitation of CVE-2024-21893 targets the SAML component of Ivanti Connect Secure/Policy Secure; monitor HTTP request logs for malformed or unexpected SAML-related requests that bypass authentication and access restricted resources.
- Attackers were exploiting CVE-2024-21893 before the Rapid7 PoC was published; do not rely solely on PoC publication dates as a trigger for detection — treat any anomalous SAML authentication traffic as potentially malicious.
- CVE-2024-21893 is chained with CVE-2023-46805 (auth bypass) and CVE-2024-21887 (command injection) by threat actors including UTA0178/UNC5221 to install webshells and backdoors; hunt for webshell artifacts on compromised Ivanti appliances.
- Use Qualys QID 731126 to scan for CVE-2024-21893 and CVE-2024-21888 on Ivanti Connect Secure and Policy Secure appliances; also query CSAM software inventory for 'PULSE SECURE' to identify exposed assets.
- Monitor authentication logs and HTTP request logs for malformed tokens or unusual authentication attempts as indicators of CVE-2024-21893 exploitation attempts.
- CVE-2024-21893 affects Ivanti Connect Secure versions 9.x and 22.x, and Ivanti Policy Secure 9.x and 22.x, as well as Ivanti Neurons for ZTA; detection and patching scope must cover all three product lines.
- Root-level persistence may survive factory resets on compromised Ivanti appliances; CISA confirmed in a lab environment that factory reset alone is insufficient to remediate compromise from CVE-2024-21893 and related CVEs.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| nvd | v3.0 | 8.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| vulncheck | — | 8.3 | HIGH | — |
| cisa | — | 8.2 | HIGH | — |
CISA
Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability
cisa · 2024-01-31 · CVSS 8.2
CVE-2024-21893 [HIGH] CWE-918
Affected: Ivanti Connect Secure, Policy Secure, and Neurons
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US ; https://nvd.nist.gov/vuln/d
Ivanti
Ivanti Connect Secure SSRF in SAML Component
vendor_ivanti · 2024-01-31 · CVSS 8.2
CVE-2024-21893 [HIGH]
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication.
CVE IDs: CVE-2024-21893
Affected products: Connect Secure, Policy Secure, Neurons
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Remediation Due Date: 2024-02-02
Known to be used in ransomware campaigns.
GHSA
GHSA-64v6-hr9r-33mx (CVE-2024-34581) [HIGH] CWE-918
ghsa_unreviewed · 2024-06-26 · CVSS 7.5
The W3C XML Signature Syntax and Processing (XMLDsig) specification, starting with 1.0, was originally published with a "RetrievalMethod is a URI ... that may be used to obtain key and/or certificate information" statement and no accompanying information about SSRF risks, and this may have contributed to vulnerable implementations such as those discussed in CVE-2023-36661 and CVE-2024-21893. NOTE: this was mitigated in 1.1 and 2.0 via a directly referenced Best Practices document that calls on implementers to be wary of SSRF.
GHSA
GHSA-5rr9-mqhj-7cr2 (CVE-2024-21893) [HIGH] CWE-918
ghsa_unreviewed · 2024-01-31
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
VulnCheck
Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
vulncheck · 2024 · CVSS 8.2
CVE-2024-21887 [HIGH] CWE-77
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authentication bypass issue.
Affected: Ivanti Connect Secure and Policy Secure
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://ww
VulnCheck
Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability
vulncheck · 2024 · CVSS 8.2
CVE-2024-21893 [HIGH] CWE-918
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication.
Affected: Ivanti Connect Secure, Policy Secure, and Neurons
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/; https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-C
VulnCheck
Ivanti Connect Secure and Policy Secure Improper Restriction of XML External Entity Reference
vulncheck · 2024 · CVSS 8.3
CVE-2024-22024 [HIGH]
An XML external entity (XXE) vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways allows an attacker to access certain restricted resources without authentication.
Affected: Ivanti Connect Secure and Policy Secure
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wiz.io/blog/ivanti-vulnerabilities-cve-2023-46805-cve-2024-21887-cve-2024-21888-and-cve-2024-21893; https://attackerkb.com/assessments/e3572615-0a93-4e5b-a181-432316d5c6d3; https://twitter.com/collysucker/status/17559
VulnCheck
Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
vulncheck · 2023 · CVSS 8.2
CVE-2023-46805 [HIGH] CWE-287
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability.
Affected: Ivanti Connect Secure and Policy Secure
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.volexity.com/blog/2024/0
Suricata
ET EXPLOIT Ivanti Connect Secure (9.x,22.x) / Ivanti Policy Secure (9.x,22.x) / Ivanti Neurons for ZTA Command Injection via SSRF (CVE-2024-21887)
suricata · 2024-02-02 · CVSS 9.1
CVE-2024-21887 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Ivanti Connect Secure (9.x,22.x) / Ivanti Policy Secure (9.x,22.x) / Ivanti Neurons for ZTA Command Injection via SSRF (CVE-2024-21887)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dana-ws/"; fast_pattern; content:".ws"; http.request_body; content:"<soap|3a|"; content:"|3a|RetrievalMethod|20|URI=|22|"; distance:0; pcre:"/^[^\x22]+(?:\x3b|%3[Bb])/R"; reference:url,attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis; reference:cve,2024-21887; classtype:attempted-admin; sid:2050700; rev:2; metadata:affected_product Ivanti, attac
Suricata
ET EXPLOIT Ivanti Connect Secure (9.x,22.x) / Ivanti Policy Secure (9.x,22.x) / Ivanti Neurons for ZTA SSRF Pattern (CVE-2024-21893)
suricata · 2024-02-02 · CVSS 8.2
CVE-2024-21893 [HIGH]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Ivanti Connect Secure (9.x,22.x) / Ivanti Policy Secure (9.x,22.x) / Ivanti Neurons for ZTA SSRF Pattern (CVE-2024-21893)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dana-ws/"; fast_pattern; content:".ws"; http.request_body; content:"<soap|3a|"; content:"|3a|RetrievalMethod|20|URI=|22|"; distance:0; reference:url,attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis; reference:cve,2024-21893; classtype:attempted-admin; sid:2050699; rev:2; metadata:affected_product Ivanti, attack_target Server, created_at 2024_02_02, cve CVE_2024_21893, depl
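The two Emerging Threats rules above (sids 2050699 and 2050700) key on the same request shape: a POST to a `/dana-ws/` path ending in `.ws` whose SOAP body carries a `RetrievalMethod URI="..."` after the `<soap:` marker, with sid 2050700 additionally requiring a literal or percent-encoded semicolon inside that URI value. The following is an added example, not code from Emerging Threats or any source on this page: a Python re-implementation of that match logic that a defender can run offline over captured requests. The sample requests, the host name and the `/dana-ws/example.ws` path are constructed placeholders.

```python
"""Offline re-implementation of the content/pcre conditions of Suricata
sids 2050699 (SSRF pattern, CVE-2024-21893) and 2050700 (command injection
via SSRF, CVE-2024-21887).  Added example; all sample requests are constructed."""
import re
from dataclasses import dataclass

SID_SSRF_PATTERN = 2050699   # "SSRF Pattern (CVE-2024-21893)"
SID_CMD_INJECTION = 2050700  # "Command Injection via SSRF (CVE-2024-21887)"

# The rules' content keywords with the |xx| byte escapes decoded.
SOAP_MARKER = "<soap:"                       # content:"<soap|3a|"
RETRIEVAL_MARKER = ':RetrievalMethod URI="'  # content:"|3a|RetrievalMethod|20|URI=|22|"

# sid 2050700 adds pcre:"/^[^\x22]+(?:\x3b|%3[Bb])/R": anchored right after the
# previous match, the URI value must contain ';' or '%3B' before the closing quote.
URI_HAS_SEMICOLON = re.compile(r'^[^"]+(?:;|%3[Bb])')


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: str


def parse_http(raw: str) -> HttpRequest:
    """Split a raw HTTP/1.1 request into the three fields the rules inspect."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, uri, _version = request_line.split(" ", 2)
    return HttpRequest(method=method, uri=uri, body=body)


def match_rules(req: HttpRequest) -> set:
    """Return the set of sids whose conditions the request satisfies."""
    hits = set()
    # http.method; content:"POST"
    if req.method != "POST":
        return hits
    # http.uri; content:"/dana-ws/"; content:".ws"  (both absolute, case-sensitive)
    if "/dana-ws/" not in req.uri or ".ws" not in req.uri:
        return hits
    # http.request_body; content:"<soap|3a|"
    soap_at = req.body.find(SOAP_MARKER)
    if soap_at < 0:
        return hits
    # content:"|3a|RetrievalMethod|20|URI=|22|"; distance:0 -> must follow the SOAP marker
    rm_at = req.body.find(RETRIEVAL_MARKER, soap_at + len(SOAP_MARKER))
    if rm_at < 0:
        return hits
    hits.add(SID_SSRF_PATTERN)
    # The /R pcre is evaluated from the byte after the RetrievalMethod match.
    if URI_HAS_SEMICOLON.match(req.body[rm_at + len(RETRIEVAL_MARKER):]):
        hits.add(SID_CMD_INJECTION)
    return hits


def _request(method: str, uri: str, body: str) -> str:
    """Build a raw request string (constructed sample, not captured traffic)."""
    return (f"{method} {uri} HTTP/1.1\r\nHost: vpn.example.internal\r\n"
            f"Content-Type: text/xml\r\nContent-Length: {len(body)}\r\n\r\n{body}")


SOAP_OPEN = '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
SOAP_CLOSE = "</soap:Body></soap:Envelope>"
BENIGN_BODY = SOAP_OPEN + "<samlp:Response/>" + SOAP_CLOSE
RETRIEVAL_BODY = (SOAP_OPEN
                  + '<ds:KeyInfo><ds:RetrievalMethod URI="http://internal.example/key"/></ds:KeyInfo>'
                  + SOAP_CLOSE)
SEMICOLON_BODY = RETRIEVAL_BODY.replace('/key"', '/key;marker"')

# Constructed samples; "/dana-ws/example.ws" is a placeholder path that only
# satisfies the rules' two URI content matches.
SAMPLES = {
    "benign_soap": _request("POST", "/dana-ws/example.ws", BENIGN_BODY),
    "retrieval_method": _request("POST", "/dana-ws/example.ws", RETRIEVAL_BODY),
    "retrieval_method_semicolon": _request("POST", "/dana-ws/example.ws", SEMICOLON_BODY),
    "get_not_post": _request("GET", "/dana-ws/example.ws", SEMICOLON_BODY),
}


def triage(samples: dict) -> dict:
    """Map each sample name to the sorted list of sids it would fire."""
    return {name: sorted(match_rules(parse_http(raw))) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, sids in triage(SAMPLES).items():
        print(f"{name:28s} -> {sids or 'no alert'}")
```

Because the content matches are case-sensitive and absolute, a request that spells the markers differently will not fire either sid; treat the rules as one signal alongside the log-based indicators listed under Detection & IOCs.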
Metasploit
Ivanti Connect Secure Unauthenticated Remote Code Execution
metasploit · CVSS 9.1
CVE-2024-21893 [CRITICAL]
This module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x are vulnerable, prior to the vendor patch released on Feb 1, 2024. It is unknown if unsupported versions 8.x and below are also vulnerable.
Nuclei
Ivanti SAML - Server Side Request Forgery (SSRF)
nuclei · CVSS 9.1
CVE-2024-21893 [CRITICAL]
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
Template:
```yaml
id: CVE-2024-21893
info:
  name: Ivanti SAML - Server Side Request Forgery (SSRF)
  author: DhiyaneshDk
  severity: high
  description: |
    A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
  impact: |
    Unauthenticated attackers can perform SSRF attacks to access restricted internal resources and bypa
```
Wiz
RCE meaning: Remote code execution attacks explained | Wiz
blogs_wiz · 2026-02-18
## What is a remote code execution (RCE) attack?
A remote code execution (RCE) attack is a cyberattack where an attacker runs malicious code on a target system from a remote location. This means someone who has no physical access to your servers can still execute commands as if they were sitting at the keyboard.
RCE ranks among the most severe vulnerability classes because attackers often need no authentication or user interaction to exploit it. Once they gain code execution, they can steal sensitive data, install persistent backdoors, escalate privileges, or pivot to other systems on your network.
The consequences extend beyond the initial compromise. A single RCE vulnerability in an internet-facing application can give attackers a foothold to move laterally through your environment, e
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
Tenable
Chinese State-Sponsored Actors Compromising Global Networks
blogs_tenable·2025-08-29
Sentinelone
DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists
blogs_sentinelone·2025-05-03
In recent weeks, the DragonForce ransomware group has been targeting UK retailers in a series of coordinated attacks causing major service disruptions. Prominent retailers such as Harrods, Marks and Spencer, and the Co-Op have all reported ongoing incidents affecting payment systems, inventory, payroll and other critical business functions.
DragonForce has previously been attributed for a number of notable cyber incidents including attacks on Honolulu OTS (Oahu Transit Services), the Government of Palau, Coca-Cola (Singapore), the Ohio State Lottery, and Yakult Australia.
In this post, we offer a high-level overview of the DragonForce group, discuss its targeting, initial access methods, and payloads. We further provide a comprehensive list of indicators and defensive recommendations to
Tenable
Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends
blogs_tenable·2025-04-23
Greynoiseio
New SSRF Exploitation Surge Serves as a Reminder of 2019 Capital One Breach
blogs_greynoiseio·2025-03-11
Tenable
Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor
blogs_tenable·2025-01-23
Tenable
CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
blogs_tenable·2025-01-08·CVSS 9.0
[CRITICAL] CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
Bleepingcomputer
Ivanti fixes maximum severity RCE bug in Endpoint Management software
blogs_bleepingcomputer·2024-09-10·CVSS 8.8
CVE-2024-29847 [HIGH]
By Sergiu Gatlan
Ivanti has fixed a maximum severity vulnerability in its Endpoint Management software (EPM) that can let unauthenticated attackers gain remote code execution on the core server.
Ivanti EPM helps admins manage client devices that run various platforms, including Windows, macOS, Chrome OS, and IoT operating systems.
The security flaw (CVE-2024-29847) is caused by a deserialization of untrusted data weakness in the agent portal that has been addressed in Ivanti EPM 2024 hot patches and Ivanti EPM 2022 Service Update 6 (SU6).
"Successful exploitation could lead to unauthorized access to the EPM core server," the company said in an advisory published today.
For the moment, Ivanti added that they're "
Tenable
AA24-241A : Joint Cybersecurity Advisory on Iran-based Cyber Actors Targeting US Organizations
blogs_tenable·2024-08-28
Tenable
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
blogs_tenable·2024-08-14·CVSS 9.8
[CRITICAL] CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
Bleepingcomputer
Ivanti warns of critical vTM auth bypass with public exploit
blogs_bleepingcomputer·2024-08-13·CVSS 9.8
CVE-2024-7593 [CRITICAL]
By Sergiu Gatlan
Today, Ivanti urged customers to patch a critical authentication bypass vulnerability impacting Virtual Traffic Manager (vTM) appliances that can let attackers create rogue administrator accounts.
Ivanti vTM is a software-based application delivery controller (ADC) that provides app-centric traffic management and load balancing for hosting business-critical services.
Tracked as CVE-2024-7593, this auth bypass vulnerability is due to an incorrect implementation of an authentication algorithm that allows remote unauthenticated attackers to bypass authentication on Internet-exposed vTM admin panels.
"Ivanti released updates for Ivanti Virtual Traffic Manager (vTM) which addressed a critical vulnerability. S
Qualys
Cybersecurity Threat Landscape 2024 Midyear Review
blogs_qualys·2024-08-06
## Table of Contents
- Key Takeaways from the Threat Landscape Report 2024
- Vulnerability and Threat Analysis in the Cybersecurity Landscape 2024
- Cyber Threat Landscape 2024 A Detailed Review
- Key Statistics and Their Impact on the 2024 Cybersecurity Landscape
- Mid-2024s Most Exploited Vulnerabilities in the Cybersecurity Landscape
- Conclusion
As we navigate the complexities of 2024, it’s crucial to pause and reflect on the evolving threat landscape that surrounds us. This moment offers a unique opportunity to scrutinize our triumphs and missteps, understand the events that have decisively shaped our environment, and consider those that have subtly influenced it. By extracting key lessons from our recent experiences, we can fortify our strategies and prepare more effectively for the emerg
Unit42
It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise
blogs_unit42·2024-04-08
Beliz Kaleli, Fang Liu, Peng Peng, Alex Starov, Joey Allen, Stefan Springer
Published: April 8, 2024
## Executive Summary
Our telemetry indicates a growing number of threat actors are turning to malware-initiated scanning attacks. This article reviews how attackers use infected hosts for malware-based scans of their targets instead of the more traditional approach using direct scans.
Threat actors have been using scanning methods to pinpoint vulnerabilities in networks or systems for a very long time. Some scanning attacks originate from benign networks likely driven by malware on infected machines. By launching scanning attacks from compromised hosts, attackers can accomplish the following:
- Covering their traces
- Bypassing geofencing
- Expanding botnets
- Leveraging the resources of these compromised devices to generate a higher volume of scanning requests compared to what they cou
Bleepingcomputer
New Ivanti RCE flaw may impact 16,000 exposed VPN gateways
blogs_bleepingcomputer·2024-04-05·CVSS 8.2
CVE-2024-21894 [HIGH]
By Bill Toulas
Approximately 16,500 Ivanti Connect Secure and Policy Secure gateways exposed on the internet are likely vulnerable to a remote code execution (RCE) flaw the vendor addressed earlier this week.
The flaw is tracked as CVE-2024-21894 and is a high-severity heap overflow in the IPSec component of Ivanti Connect Secure 9.x and 22.x, potentially allowing unauthenticated users to cause denial of service (DoS) or achieve RCE by sending specially crafted requests.
Upon disclosure, on April 3, 2024, the internet search engine Shodan showed 29,000 internet-exposed instances, while threat monitoring service Shadowserver reported seeing roughly 18,000.
At the time, Ivanti stated that it had seen no signs of active exploita
Bleepingcomputer
Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks
blogs_bleepingcomputer·2024-04-03·CVSS 8.2
CVE-2024-21894 [HIGH] Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks
## Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks
## Sergiu Gatlan
Update 4/5/24: Shadowserver says there are 16,000 exposed devices likely vulnerable to this flaw.
IT security software company Ivanti has released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways.
Unauthenticated attackers can exploit one of them, a high-severity flaw tracked as CVE-2024-21894, to gain remote code execution and trigger denial of service states on unpatched appliances in low-complexity attacks that don't require user interaction.
The vulnerability is caused by a heap overflow weakness in the IPSec component of all supported gateway versions.
While Ivanti said the remote code execution risks are limited to "certain conditions," t
Bleepingcomputer
Ivanti fixes critical Standalone Sentry bug reported by NATO
blogs_bleepingcomputer·2024-03-20·CVSS 8.8
CVE-2023-41724 [HIGH] Ivanti fixes critical Standalone Sentry bug reported by NATO
## Ivanti fixes critical Standalone Sentry bug reported by NATO
## Sergiu Gatlan
Ivanti warned customers to immediately patch a critical severity Standalone Sentry vulnerability reported by NATO Cyber Security Centre researchers.
Standalone Sentry is deployed as an organization's Kerberos Key Distribution Center Proxy (KKDCP) server or as a gatekeeper for ActiveSync-enabled Exchange and SharePoint servers.
Tracked as CVE-2023-41724 , the security flaw impacts all supported versions and it allows unauthenticated bad actors within the same physical or logical network to execute arbitrary commands in low-complexity attacks.
Ivanti also fixed a second critical vulnerability ( CVE-2023-46808 ) in its Neurons for ITSM IT service management solution that enables remote threat actors with acc
Checkpoint
11th March – Threat Intelligence Report
blogs_checkpoint·2024-03-11·CVSS 8.2
CVE-2023-46805 [HIGH] 11th March – Threat Intelligence Report
## 11th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th March, please download our Threat_Intelligence Bulletin .
TOP ATTACKS AND BREACHES
Cybersecurity and Infrastructure Security Agency (CISA) has taken offline two systems following a breach that occurred as a result of the recent vulnerabilities exploitation in Ivanti products. The affected systems potentially include the Infrastructure Protection Gateway and the Chemical Security Assessment Tool, holding sen
Bleepingcomputer
Magnet Goblin hackers use 1-day flaws to drop custom Linux malware
blogs_bleepingcomputer·2024-03-09·CVSS 9.8
[CRITICAL] Magnet Goblin hackers use 1-day flaws to drop custom Linux malware
## Magnet Goblin hackers use 1-day flaws to drop custom Linux malware
## Bill Toulas
A financially motivated hacking group named Magnet Goblin uses various 1-day vulnerabilities to breach public-facing servers and deploy custom malware on Windows and Linux systems.
1-day flaws refer to publicly disclosed vulnerabilities for which a patch has been released. Threat actors looking to exploit these flaws must do so quickly before a target can apply security updates.
Though exploits are usually not made available immediately upon a flaw's disclosure, some vulnerabilities are trivial to figure out how to leverage. Additionally, reverse-engineering the patch may reveal the underlying problem and how to exploit it.
Check Point analysts who identified Magnet Goblin report that these threat act
Checkpoint
Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
blogs_checkpoint·2024-03-08·CVSS 4.9
CVE-2024-21887 [MEDIUM] Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
## Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
## Key Points
Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vuln
Checkpoint
4th March – Threat Intelligence Report
blogs_checkpoint·2024-03-04
CVE-2023-46805 4th March – Threat Intelligence Report
## 4th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 4th March, please download our Threat_Intelligence Bulletin .
TOP ATTACKS AND BREACHES
UnitedHealth Group confirmed its subsidiary was attacked by the ALPHV ransomware gang. 6 terabytes of data were stolen in the attack, and Change Healthcare, a crucial intermediary between pharmacies and insurance companies, was forced to disconnect its systems on February 21. The disruption impacted U.S. military clinics and ho
Bleepingcomputer
CISA cautions against using hacked Ivanti VPN gateways even after factory resets
blogs_bleepingcomputer·2024-02-29·CVSS 8.2
[HIGH] CISA cautions against using hacked Ivanti VPN gateways even after factory resets
## CISA cautions against using hacked Ivanti VPN gateways even after factory resets
## Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets.
Furthermore, they can also evade detection by Ivanti's internal and external Integrity Checker Tool (ICT) on Ivanti Connect Secure and Policy Secure gateways compromised using CVE-2023-46805 , CVE-2024-21887 , CVE-2024-22024 , and CVE-2024-21893 exploits.
The four vulnerabilities' severity ratings range from high to critical, and they can be exploited for authentication bypass, command injection, server-side-request forgery, and
Sentinelone
February 2024 Cybercrime Update | Commercial Spyware, AI-Driven APTs & Flawed RMMs
blogs_sentinelone·2024-02-27
February 2024 Cybercrime Update | Commercial Spyware, AI-Driven APTs & Flawed RMMs
February saw the U.S. government take significant actions against cybercrime, continuing the current administration’s policy of using all the resources of the state to tackle the problem head on. Nation-state actors, meanwhile, have taken to leveraging AI to enhance their operations and attacks.
In this month’s update, we also highlight a crop of CVEs in remote management and monitoring (RMM) tools that threat actors are exploiting in the wild, and as always we have the latest in ransomware updates.
## Ransomware Reporting and Underreporting
February 2024 has seen several impactful ransomware attacks reported, including:
| Actor | Targeted Industry |
|---|---|
| LockBit | Medical |
| BackMyData | Medical |
| Black Basta | Automotive |
| Cactus | Manufacturing |
Concerns remain, however, that many ransomware incidents ar
Bleepingcomputer
Over 13,000 Ivanti gateways vulnerable to actively exploited bugs
blogs_bleepingcomputer·2024-02-15·CVSS 8.2
CVE-2024-22024 [HIGH] Over 13,000 Ivanti gateways vulnerable to actively exploited bugs
## Over 13,000 Ivanti gateways vulnerable to actively exploited bugs
## Bill Toulas
Thousands of Ivanti Connect Secure and Policy Secure endpoints remain vulnerable to multiple security issues first disclosed more than a month ago and which the vendor gradually patched.
The flaws are CVE-2024-22024, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888. Their severity ranges from high to critical and they concern authentication bypass, server-side-request forgery, arbitrary command execution, and command injection problems.
Some of these vulnerabilities have been reported as exploited by nation-state actors before they were being leveraged at a larger scale by a broad range of threat actors.
Starting with CVE-2024-22024, the issue is an XXE vulnerability in the SAML compo
Bleepingcomputer
Hackers exploit Ivanti SSRF flaw to deploy new DSLog backdoor
blogs_bleepingcomputer·2024-02-12·CVSS 8.2
CVE-2024-21893 [HIGH] Hackers exploit Ivanti SSRF flaw to deploy new DSLog backdoor
## Hackers exploit Ivanti SSRF flaw to deploy new DSLog backdoor
## Bill Toulas
Hackers are exploiting a server-side request forgery (SSRF) vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy the new DSLog backdoor on vulnerable devices.
The vulnerability, tracked as CVE-2024-21893, was disclosed as an actively exploited zero-day on January 31, 2024, with Ivanti sharing security updates and mitigation advice.
The flaw impacts the SAML component of the mentioned products and allows attackers to bypass authentication and access restricted resources on Ivanti gateways running versions 9.x and 22.x.
The updates that fix the problem are Ivanti Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 and 22.5R2.2, Ivanti Policy Secure version 22
Bleepingcomputer
Ivanti: Patch new Connect Secure auth bypass bug immediately
blogs_bleepingcomputer·2024-02-08·CVSS 8.2
CVE-2024-22024 [HIGH] Ivanti: Patch new Connect Secure auth bypass bug immediately
## Ivanti: Patch new Connect Secure auth bypass bug immediately
## Sergiu Gatlan
Today, Ivanti warned of a new authentication bypass vulnerability impacting Connect Secure, Policy Secure, and ZTA gateways, urging admins to secure their appliances immediately.
The flaw (CVE-2024-22024) is due to an XXE (XML eXternal Entities) weakness in the gateways' SAML component that lets remote attackers gain access to restricted resources on unpatched appliances in low-complexity attacks without requiring user interaction or authentication.
"We have no evidence of any customers being exploited by CVE-2024-22024. However, it is critical that you immediately take action to ensure you are fully protected," Ivanti said .
"For users of other supported versions, the mitigation released on 31 January su
Talos
Spyware isn’t going anywhere, and neither are its tactics
blogs_talos·2024-02-08
Spyware isn’t going anywhere, and neither are its tactics
Private and public efforts to curb the use of spyware and activity of other “mercenary” groups have heated up over the past week, with the U.S. government taking additional action against spyware users and some of the world’s largest tech companies calling out international governments to do more.
The illegal use of spyware to target high-profile or at-risk individuals is a global problem, as highlighted by this article from The Register that Talos’ Nick Biasini just contributed to. This software can often track targets’ exact location, steal their messages and personal information, or even listen in on phone calls. And as we’ve written about, many Private Sector Offensive Actors (PSOAs) are developing spyware and selling it to whoever is willing to pay, regardless of what their motives a
Wiz
Critical Vulnerabilities in Ivanti Exploited In-The-Wild | Wiz Blog
blogs_wiz·2024-02-06·CVSS 8.2
CVE-2023-46805 [HIGH] Critical Vulnerabilities in Ivanti Exploited In-The-Wild | Wiz Blog
February 9, 2024 update
On February 8, 2024, Ivanti released an advisory for a new high-severity authentication bypass vulnerability, CVE-2024-22024, impacting Ivanti Connect Secure (`9.x, 22.x`), Ivanti Policy Secure (`9.x, 22.x`) and ZTA gateways. The flaw in the SAML component of the mentioned products allows an attacker to access certain restricted resources without authentication. On February 9, 2024, the vulnerability was reported to be exploited in the wild.
Customers are advised to patch urgently to the fixed versions: Connect Secure versions `9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, 22.6R2.2`, Ivanti Policy Secure versions `9.1R17.3, 9.1R18.4, 22.5R1.2` and ZTA gateways versions `22.5R1.6, 22.6R1.5, 22.6R1.7`.
Wiz customers can use the pre-built query and
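The fixed-build list above is easy to misread by hand because Ivanti ships fixes per release branch (a 9.1R18 appliance needs 9.1R18.4, not "anything 9.1R18 or later"). The following added example, written for this page and not taken from Wiz or Ivanti, parses versions of the form `22.5R2.3`, matches an installed build to the fixed builds on its own branch, and refuses to call a build "fixed" when its branch is not in the list at all (for example a Policy Secure appliance on 22.6R1, which the excerpt does not cover). The hostnames in the sample inventory are constructed; the fixed-build table is copied from the excerpt above.

```python
import re

# Fixed builds listed in the Wiz excerpt above for Connect Secure, Policy Secure
# and ZTA gateways. Anything on a branch that has no entry here is reported as
# unknown rather than silently treated as patched.
FIXED_BUILDS = {
    "connect_secure": ["9.1R14.5", "9.1R17.3", "9.1R18.4", "22.4R2.3",
                       "22.5R1.2", "22.5R2.3", "22.6R2.2"],
    "policy_secure": ["9.1R17.3", "9.1R18.4", "22.5R1.2"],
    "zta": ["22.5R1.6", "22.6R1.5", "22.6R1.7"],
}

# Ivanti builds look like 9.1R18.4 or 22.6R2 (the patch level is optional).
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")


def parse_version(text):
    """Return (major, minor, release, patch); a missing patch level counts as 0."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Ivanti version: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(product, installed):
    """Classify an installed build against the fixed builds on its own branch.

    Returns one of:
      "vulnerable"     - below the lowest fixed build on the branch
      "fixed"          - exactly a listed fixed build, or above the highest one
      "unknown"        - between two listed fixed builds on the same branch
      "unknown-branch" - the branch has no listed fix (e.g. 22.6R1 for Policy
                         Secure), so the vendor advisory must be checked
    """
    v = parse_version(installed)
    branch = v[:3]
    fixes = sorted(parse_version(f) for f in FIXED_BUILDS[product]
                   if parse_version(f)[:3] == branch)
    if not fixes:
        return "unknown-branch"
    if v in fixes or v > fixes[-1]:
        return "fixed"
    if v < fixes[0]:
        return "vulnerable"
    return "unknown"


def triage(inventory):
    """inventory: iterable of (hostname, product, version) -> {hostname: status}."""
    return {host: assess(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are made up for this example.
    sample = [
        ("vpn-a.example.test", "connect_secure", "9.1R18.3"),
        ("vpn-b.example.test", "connect_secure", "22.6R2"),
        ("vpn-c.example.test", "connect_secure", "22.5R2.3"),
        ("nac-a.example.test", "policy_secure", "22.6R1"),
        ("zta-a.example.test", "zta", "22.6R1.6"),
    ]
    for host, status in triage(sample).items():
        print(f"{host:22} {status}")
```

The "unknown" and "unknown-branch" outcomes are deliberate: a build such as ZTA 22.6R1.6 sits between two listed fixed builds, and the excerpt does not say whether it carries the fix, so the script reports it for manual confirmation instead of guessing either way.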
On January 10, 2024, Ivanti released an advisory along with mitigation strategies (but no patches) for two vulnerabilities affecting Connect Secure VPN devices: CVE-2023-46805 and CVE-2024-21887. When exploited in tandem, they enable unauthenticated remote code execution, and Ivanti urged immediate customer response. A few days later, researchers announced that they had identified active exploitation of these vulnerabilities as 0-days, dating back to December 2023, and provided details of the related threat activity .
A few weeks later, on January 31, 2024, Ivanti disclosed two more high-severity vulnerabilities: CVE-2024-21888, a pr
Bleepingcomputer
Newest Ivanti SSRF zero-day now under mass exploitation
blogs_bleepingcomputer·2024-02-05·CVSS 8.2
CVE-2024-21893 [HIGH] Newest Ivanti SSRF zero-day now under mass exploitation
## Newest Ivanti SSRF zero-day now under mass exploitation
## Bill Toulas
An Ivanti Connect Secure and Ivanti Policy Secure server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893 is currently under mass exploitation by multiple attackers.
Ivanti first warned about the flaw in the gateway's SAML components on January 31, 2024, giving it a zero-day status for limited active exploitation, impacting a small number of customers.
Exploitation of CVE-2024-21893 allowed attackers to bypass authentication and access restricted resources on vulnerable devices (versions 9.x and 22.x).
Threat monitoring service Shadowserver is now seeing multiple attackers leveraging the SSRF bug, with 170 distinct IP addresses attempting to exploit the flaw.
The exploitation volume of this p
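The Unit 42 excerpt at the top of this section explains why scanning launched from compromised hosts is attractive (many source addresses, each sending little, in networks that look benign), and the Shadowserver figure above (170 distinct IPs against one flaw) is what that looks like from the target side. The following added example, written for this page rather than taken from Shadowserver, Unit 42 or Ivanti, turns that observation into a log check: it buckets requests to SAML endpoints into fixed time windows, counts distinct source IPs and total requests per window, and flags windows where many sources each sent only a few requests. It assumes combined-log-format access logs and matches any path containing "saml"; the endpoint paths, IP addresses and log lines are constructed for the example and must be replaced with the monitored appliance's real SAML paths.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed filter for this example: any path containing "saml". Replace with the
# exact SAML endpoint paths of the appliance being monitored.
SAML_PATH_RE = re.compile(r"saml", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def window_stats(lines, window=timedelta(minutes=10), path_re=SAML_PATH_RE):
    """Bucket SAML-endpoint requests into fixed windows keyed by window start (epoch).

    Each bucket keeps the distinct source IPs and the total request count, so a
    few loud scanners (many requests from few IPs) can be told apart from a
    distributed scan from compromised hosts (few requests each from many IPs).
    """
    size = int(window.total_seconds())
    buckets = defaultdict(lambda: {"ips": set(), "requests": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not path_re.search(rec["path"]):
            continue
        epoch = int(rec["ts"].timestamp())
        bucket = buckets[epoch - epoch % size]
        bucket["ips"].add(rec["ip"])
        bucket["requests"] += 1
    return buckets


def flag_bursts(buckets, min_distinct_ips=5, max_requests_per_ip=3.0):
    """Return (window_start, distinct_ips, requests) for windows that look like a
    distributed scan: at least min_distinct_ips sources, each sending few requests."""
    flagged = []
    for start, b in sorted(buckets.items()):
        distinct = len(b["ips"])
        if distinct >= min_distinct_ips and b["requests"] / distinct <= max_requests_per_ip:
            flagged.append((start, distinct, b["requests"]))
    return flagged


def analyse(log_text, **kwargs):
    return flag_bursts(window_stats(log_text.splitlines()), **kwargs)


# Constructed sample log: six distinct sources hit the SAML endpoint within one
# 10-minute window (one of them twice), plus unrelated traffic and one earlier hit.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Feb/2024:09:41:03 +0000] "GET /sso/saml/metadata HTTP/1.1" 200 1833
203.0.113.10 - - [05/Feb/2024:10:01:12 +0000] "POST /sso/saml/acs HTTP/1.1" 302 0
203.0.113.11 - - [05/Feb/2024:10:01:40 +0000] "POST /sso/saml/acs HTTP/1.1" 302 0
203.0.113.12 - - [05/Feb/2024:10:02:05 +0000] "POST /sso/saml/acs HTTP/1.1" 302 0
203.0.113.13 - - [05/Feb/2024:10:02:59 +0000] "POST /sso/saml/acs HTTP/1.1" 302 0
203.0.113.14 - - [05/Feb/2024:10:04:31 +0000] "POST /sso/saml/acs HTTP/1.1" 302 0
203.0.113.14 - - [05/Feb/2024:10:04:33 +0000] "POST /sso/saml/acs HTTP/1.1" 302 0
203.0.113.15 - - [05/Feb/2024:10:06:17 +0000] "POST /sso/saml/acs HTTP/1.1" 302 0
192.0.2.44 - - [05/Feb/2024:10:07:00 +0000] "GET /login HTTP/1.1" 200 5120
192.0.2.44 - - [05/Feb/2024:10:07:01 +0000] "GET /login HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for start, distinct, requests in analyse(SAMPLE_LOG):
        when = datetime.fromtimestamp(start, timezone.utc).isoformat()
        print(f"{when}: {distinct} distinct sources, {requests} SAML requests")
```

Tune `min_distinct_ips` to the appliance's normal SAML traffic: a busy identity provider integration legitimately produces many distinct client addresses, so the threshold is meant to sit above the baseline measured on quiet days, and the per-IP ratio is what separates a distributed scan from a single noisy source. Because the sources are infected hosts on otherwise benign networks, IP reputation alone will not catch this pattern; the distinct-source count per window will.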
Checkpoint
5th February – Threat Intelligence Report
blogs_checkpoint·2024-02-05
CVE-2024-21893 5th February – Threat Intelligence Report
## 5th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 5th February, please download our Threat_Intelligence Bulletin .
TOP ATTACKS AND BREACHES
AnyDesk Software GmbH , the company behind the popular remote desktop application, has confirmed a cybersecurity incident in which the attackers gained access to company’s production systems. Reportedly, source code and private code signing keys were stolen during the attack. As part of the response, AnyDesk have revoked
Tenable
Cybersecurity Snapshot: Attackers Hack Routers To Hit Critical Infrastructure, as CISA Calls for More Secure Router Design
blogs_tenable·2024-02-02
Cybersecurity Snapshot: Attackers Hack Routers To Hit Critical Infrastructure, as CISA Calls for More Secure Router Design
Zscaler
Ivanti VPN Vulnerability | ThreatLabz
blogs_zscaler·2024-02-02·CVSS 8.2
[HIGH] Ivanti VPN Vulnerability | ThreatLabz
Bleepingcomputer
CISA orders federal agencies to disconnect Ivanti VPN appliances by Saturday
blogs_bleepingcomputer·2024-02-01·CVSS 8.2
[HIGH] CISA orders federal agencies to disconnect Ivanti VPN appliances by Saturday
## CISA orders federal agencies to disconnect Ivanti VPN appliances by Saturday
## Sergiu Gatlan
CISA has ordered U.S. federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances vulnerable to multiple actively exploited bugs before Saturday.
This required action is part of a supplemental direction to this year's first emergency directive (ED 24-01) issued last week that mandates Federal Civilian Executive Branch (FCEB) agencies to urgently secure all ICS and IPS devices on their network against two zero-day flaws in response to extensive exploitation in the wild by multiple threat actors.
Ivanti appliances are currently targeted in attacks chaining the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection security flaws since Decem
Tenable
CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
blogs_tenable·2024-01-31·CVSS 8.2
[HIGH] CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
Bleepingcomputer
Ivanti warns of new Connect Secure zero-day exploited in attacks
blogs_bleepingcomputer·2024-01-31·CVSS 8.2
CVE-2024-21893 [HIGH] Ivanti warns of new Connect Secure zero-day exploited in attacks
## Ivanti warns of new Connect Secure zero-day exploited in attacks
## Sergiu Gatlan
Today, Ivanti warned of two more vulnerabilities impacting Connect Secure, Policy Secure, and ZTA gateways, one of them a zero-day bug already under active exploitation.
The zero-day flaw (CVE-2024-21893) is a server-side request forgery vulnerability in the gateways' SAML component that enables attackers to bypass authentication and access restricted resources on vulnerable devices.
A second flaw (CVE-2024-21888) in the gateways' web component allows threat actors to escalate privileges to those of an administrator.
"As part of our ongoing investigation into the vulnerabilities reported on 10 January in Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways, we have discovered new vulnerabiliti
Unit42
Threat Brief: Multiple Ivanti Vulnerabilities (Updated Feb. 29)
blogs_unit42·2024-01-16·CVSS 8.2
CVE-2023-46805 [HIGH] Threat Brief: Multiple Ivanti Vulnerabilities (Updated Feb. 29)
Threat Research Center
High Profile Threats
Vulnerabilities
## Threat Brief: Multiple Ivanti Vulnerabilities (Updated Feb. 29)
Unit 42
Published: January 16, 2024
High Profile Threats
Vulnerabilities
CVE-2023-46805
CVE-2024-21887
CVE-2024-21888
CVE-2024-21893
CVE-2024-22024
Ivanti
VPNs
Unit 42 stopped monitoring this threat and updating the brief on Feb. 29, 2024. Please refer to Ivanti's website for the latest information.
## Update Feb. 29
The U.S. government, in collaboration with international government allies, has published a Joint Cybersecurity Advisory (CSA) which includes recent findings about exploitation of the Ivanti vulnerabilities. In this report the authoring organizations state that threat actors are able to deceive Ivanti's internal and external Integrity Checker Tools (ICT) which results in a failure to detect a compromise. They also state that cyber threat actors may be able to maintain root-level persistence despite issuing factory resets.
This CSA also includes guidance on incident response steps. They recommend defenders reset all credentials tha
Qualys
Dual Zero-Day Threats in Ivanti Connect Secure and Policy Secure Gateways – CVE-2023-46805 and CVE-2024-21887
blogs_qualys·2024-01-11·CVSS 8.2
[HIGH] Dual Zero-Day Threats in Ivanti Connect Secure and Policy Secure Gateways – CVE-2023-46805 and CVE-2024-21887
## Table of Contents
The Impact of Dual Zero-Day Threats in Ivanti Connect and Policy Secure Gateways
Vulnerable Versions
How can Qualys assist organizations, and what actions should these organizations undertake?
Conclusion
Contributors
In recent and alarming cybersecurity developments, Volexity researchers have discovered that attackers are exploiting two distinct zero-day vulnerabilities in a coordinated manner to enable unauthenticated remote code execution (RCE). These vulnerabilities are identified as CVE-2023-46805 and CVE-2024-21887, posing a significant threat when combined. Moreover, their severity has been recognized by the Cybersecurity and Infrastructure Security Agency (CISA), leading to their inclusion in the agency’s Known Exploited Vulnerabilities (KEV) catalog. This
Tenable
CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways
blogs_tenable·2024-01-10·CVSS 8.2
[HIGH] CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways
Zscaler
CISO Monthly Roundup, January 2024: Zero day VPN vulnerabilities, DreamBus, ZLoader, Qakbot, and recent security advisories | CXO Revolutionaries
blogs_zscaler·CVSS 4.9
[MEDIUM] CISO Monthly Roundup, January 2024: Zero day VPN vulnerabilities, DreamBus, ZLoader, Qakbot, and recent security advisories | CXO Revolutionaries
## CISO Monthly Roundup, January 2024: Zero day VPN vulnerabilities, DreamBus, ZLoader, Qakbot, and recent security advisories
Deepen Desai
Contributor
Zscaler
## Feb 13, 2024
In the latest edition of the CISO Monthly Roundup we examine recent zero day VPN vulnerabilities and offer threat analysis on DreamBus, ZLoader, and Qakbot. We also take a look at recent security advisories and offer our insights.
The CISO Monthly Roundup provides the latest threat research from the ThreatLabz team, along with CISO insights on other cyber-related subjects. Over the past month ThreatLabz has examined Ivanti VPN vulnerabilities, performed a deep dive on Qakbot, analyzed new DreamBus modules, discovered new Zloader capabilities and addressed relevant security advisories.
## Critica
Huntress
CVE-2024-21893 Vulnerability: Analysis, Impact, Mitigation | Huntress
blogs_huntress·CVSS 8.2
CVE-2024-21893 [HIGH] CVE-2024-21893 Vulnerability: Analysis, Impact, Mitigation | Huntress
## CVE-2024-21893 Vulnerability
Published: 11/21/2025
Written by: Lizzie Danielson
## What is CVE-2024-21893 vulnerability?
CVE-2024-21893 is a high-severity (CVSS 8.2) server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways. It allows an unauthenticated attacker to access certain restricted resources on the appliance, and in the wild it has been chained with other Ivanti flaws to gain code execution and deploy backdoors on compromised devices. This poses significant risk to enterprises relying on Ivanti gateways for remote access.
## When was it discovered?
CVE-2024-21893 was publicly disclosed by Ivanti on January 31, 2024, after the company found it during its investigation of the Connect Secure vulnerabilities reported on January 10, 2024; at disclosure it was already being exploited as a zero-day against a small number of customers. Ivanti pr
Threat Intel
UNC5325
threat_intel·CVSS 8.2
CVE-2024-21893 [HIGH] UNC5325
# Threat Actor: UNC5325
## Description
UNC5325 is a suspected Chinese cyber espionage operator that exploited CVE-2024-21893 to compromise Ivanti Connect Secure appliances. UNC5325 leveraged code from open-source projects, installed custom malware, and modified the appliance's settings in order to evade detection and attempt to maintain persistence. UNC5325 has been observed deploying LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK. Mandiant identified TTPs and malware code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with malware leveraged by UNC3886. Mandiant assesses with moderate confidence that UNC5325 is associated with UNC3886.
Threat Intel
UNC5330
threat_intel·CVSS 9.1
CVE-2024-21893 [CRITICAL] UNC5330
# Threat Actor: UNC5330
## Description
UNC5330 is a suspected China-nexus espionage actor. UNC5330 has been observed chaining CVE-2024-21893 and CVE-2024-21887 to compromise Ivanti Connect Secure VPN appliances as early as Feb. 2024. Post-compromise activity by UNC5330 includes deployment of PHANTOMNET and TONERJAM. UNC5330 has employed Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence.
Mandiant observed UNC5330 operating a server since Dec. 6, 2021, which the group used as a GOST proxy to help facilitate malicious tool deployment to endpoints. The default certificate for GOST proxy was observed from Sept. 1, 2022 through Jan. 1, 2024. UNC5330 also attempted to download Fast Reverse Proxy (FRP) from t
Greynoiseio
NoiseLetter February 2024
blogs_greynoiseio
NoiseLetter February 2024
Zscaler
Remove Ivanti Zero Day Vulnerabilities with Zscaler Private
blogs_zscaler
Remove Ivanti Zero Day Vulnerabilities with Zscaler Private
Greynoiseio
Practical Vulnerability Archaeology Starring Ivanti's CVE-2021-44529
blogs_greynoiseio·CVSS 9.8
[CRITICAL] Practical Vulnerability Archaeology Starring Ivanti's CVE-2021-44529
Zscaler
CISO Monthly Roundup, May 2024: Operation Endgame, Anatsa malware, HijackLoader, and the Zscaler ThreatLabz 2024 VPN Risk Report | CXO Revolutionaries
blogs_zscaler
CISO Monthly Roundup, May 2024: Operation Endgame, Anatsa malware, HijackLoader, and the Zscaler ThreatLabz 2024 VPN Risk Report | CXO Revolutionaries
## CISO Monthly Roundup, May 2024: Operation Endgame, Anatsa malware, HijackLoader, and the Zscaler ThreatLabz 2024 VPN Risk Report
Deepen Desai
Contributor
Zscaler
## Jun 7, 2024
ThreatLabz research on Operation Endgame, Anatsa malware, and HijackLoader. The Zscaler ThreatLabz 2024 VPN Risk Report. Zenith Live 24.
The CISO Monthly Roundup provides the latest threat research from the ThreatLabz team, along with CISO insights on cyber-related subjects. Over the past month ThreatLabz assisted with Operation Endgame, analyzed an Anatsa campaign, examined HijackLoader updates, and released a VPN risk report.
## Operation Endgame extinguishes Smoke
Smoke (a.k.a. SmokeLoader, Dofoil) is a malware that has been plaguing organizations since 2011. Threat actors typically use Smoke to delive
arXiv
A Comprehensive Evaluation and Practice of System Penetration Testing
arxiv_fulltext·2026-01-30
A Comprehensive Evaluation and Practice of System Penetration Testing
[1]Chunyi Zhang and Jin Zeng contributed equally to this work.
[2]Authors' Contact Information: Chunyi Zhang, Hainan University, Haikou, China; Jin Zeng, Hainan University, Haikou, China; Xiaoqi Li, [email protected], Hainan University, Haikou, China.
## Abstract
With the rapid advancement of information technology, the complexity of applications continues to increase, and the cybersecurity challenges we face are also escalating. This paper aims to investigate the methods and practices of system security penetration testing, exploring how to enhance system security through systematic penetration testing processes and technical approaches. It also examines existing penetration tools, analyzing their strengths, weaknesses, and applicable domains to guide penetration testers in tool select
References
https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21893
Published: 2024-01-31
Added to CISA KEV: 2024-01-31
Exploited in the wild