CVE-2024-21894
Published 2024-04-04
Priority: P186 · critical · 9.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 18.99% (97.0th percentile)
A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack. In certain conditions this may lead to execution of arbitrary code.
Affected (35 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | >= 22.1R6.2 < 22.1R6.2 | 22.1R6.2 |
| ivanti | connect_secure | >= 22.2R4.2 < 22.2R4.2 | 22.2R4.2 |
| ivanti | connect_secure | >= 22.3R1.2 < 22.3R1.2 | 22.3R1.2 |
| ivanti | connect_secure | >= 22.4R1.2 < 22.4R1.2 | 22.4R1.2 |
| ivanti | connect_secure | >= 22.4R2.4 < 22.4R2.4 | 22.4R2.4 |
| ivanti | connect_secure | >= 22.5R1.3 < 22.5R1.3 | 22.5R1.3 |
| ivanti | connect_secure | >= 22.5R2.4 < 22.5R2.4 | 22.5R2.4 |
| ivanti | connect_secure | >= 22.6R2.3 < 22.6R2.3 | 22.6R2.3 |
| ivanti | connect_secure | >= 9.1R14.6 < 9.1R14.6 | 9.1R14.6 |
| ivanti | connect_secure | >= 9.1R15.4 < 9.1R15.4 | 9.1R15.4 |
| ivanti | connect_secure | >= 9.1R16.4 < 9.1R16.4 | 9.1R16.4 |
| ivanti | connect_secure | >= 9.1R17.4 < 9.1R17.4 | 9.1R17.4 |
| ivanti | connect_secure | >= 9.1R18.5 < 9.1R18.5 | 9.1R18.5 |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | — | — |
Detection & IOCs (extracted from sources)
- CVE-2024-21894 is a heap overflow in the IPSec component; detect by monitoring for specially crafted IPSec requests sent to Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that cause service crashes (DoS) or unexpected process termination.
- Shadowserver added active scanning for CVE-2024-21894 on April 5, 2024; correlate inbound scan traffic from Shadowserver probes against your Ivanti gateway logs to identify vulnerable instances.
- Prioritize patching/detection for Ivanti Connect Secure and Policy Secure instances exposed on the internet; as of April 3, 2024 Shodan showed ~29,000 exposed instances and Shadowserver ~18,000, indicating a large attack surface.
- CVE-2024-21894 affects Ivanti Connect Secure versions 9.x and 22.x, and Ivanti Policy Secure; only these product lines and version ranges are in scope for this vulnerability.
- At time of disclosure Ivanti stated no signs of active exploitation had been observed in customer environments, but urged immediate patching; monitor for changes in exploitation status.
- The vulnerability is exploitable by unauthenticated users, meaning no credentials are required; perimeter-level detection and blocking of malformed IPSec traffic is necessary even without authenticated sessions.
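CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 8.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |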
Ivanti
Ivanti Connect Secure Heap Overflow
vendor_ivanti·CVSS 9.8
CVE-2024-21894 [CRITICAL] Ivanti Connect Secure Heap Overflow
CVE IDs: CVE-2024-21894
Affected products: Connect Secure, Policy Secure
GHSA
GHSA-3mvj-7p7p-x4x5: A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9
ghsa_unreviewed·2024-04-05
CVE-2024-21894 [HIGH] CWE-703 GHSA-3mvj-7p7p-x4x5: A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9
VulnCheck
Ivanti Connect Secure and Policy Secure Out-of-bounds Write
vulncheck·2024·CVSS 9.8
CVE-2024-21894 [CRITICAL] Ivanti Connect Secure and Policy Secure Out-of-bounds Write
Affected: Ivanti Connect Secure and Policy Secure
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.reliaquest.com/blog/5-critical-threat-actors-you-need-to-know-about/; https://cert.pl/uploads/docs/Report_CP_2024.pdf
No detection rules found.
No public exploits indexed.
Checkpoint
8th April – Threat Intelligence Report
blogs_checkpoint·2024-04-08
CVE-2024-29745 8th April – Threat Intelligence Report
## 8th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 8th April, please download our Threat_Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Acuity, a federal contractor, confirmed a cyber incident where hackers accessed its GitHub repositories, and stole various documents. The breach, linked to the threat actor IntelBroker, involved data from various U.S. government agencies. While Acuity claims to have found no evidence of sensitive data impact, the US State Depar
Bleepingcomputer
New Ivanti RCE flaw may impact 16,000 exposed VPN gateways
blogs_bleepingcomputer·2024-04-05·CVSS 8.2
CVE-2024-21894 [HIGH] New Ivanti RCE flaw may impact 16,000 exposed VPN gateways
## New Ivanti RCE flaw may impact 16,000 exposed VPN gateways
## Bill Toulas
Approximately 16,500 Ivanti Connect Secure and Policy Secure gateways exposed on the internet are likely vulnerable to a remote code execution (RCE) flaw the vendor addressed earlier this week.
The flaw is tracked as CVE-2024-21894 and is a high-severity heap overflow in the IPSec component of Ivanti Connect Secure 9.x and 22.x, potentially allowing unauthenticated users to cause denial of service (DoS) or achieve RCE by sending specially crafted requests.
Upon disclosure, on April 3, 2024, the internet search engine Shodan showed 29,000 internet-exposed instances, while threat monitoring service Shadowserver reported seeing roughly 18,000.
At the time, Ivanti stated that it had seen no signs of active exploita
Bleepingcomputer
Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks
blogs_bleepingcomputer·2024-04-03·CVSS 8.2
CVE-2024-21894 [HIGH] Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks
## Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks
## Sergiu Gatlan
Update 4/5/25: ShadowServer says there are 16,000 exposed devices likely vulnerable to this flaw.
IT security software company Ivanti has released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways.
Unauthenticated attackers can exploit one of them, a high-severity flaw tracked as CVE-2024-21894, to gain remote code execution and trigger denial of service states on unpatched appliances in low-complexity attacks that don't require user interaction.
The vulnerability is caused by a heap overflow weakness in the IPSec component of all supported gateway versions.
While Ivanti said the remote code execution risks are limited to "certain conditions," t
Greynoiseio
Storm Watch
blogs_greynoiseio·CVSS 9.8
[CRITICAL] Storm Watch
https://forums.ivanti.com/s/article/SA-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
Published: 2024-04-04
Exploited in the wild