CVE-2024-21894
published 2024-04-04

Priority: P186, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 18.99% (97.0th percentile)

A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack. In certain conditions this may lead to execution of arbitrary code.

Affected

35 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | connect_secure | | |
| ivanti | connect_secure | | |
| ivanti | connect_secure | | |
| ivanti | connect_secure | | |
| ivanti | connect_secure | | |
| ivanti | connect_secure | | |
| ivanti | connect_secure | | |
| ivanti | connect_secure | | |
| ivanti | connect_secure | >= 22.1R6.2 < 22.1R6.2 | 22.1R6.2 |
| ivanti | connect_secure | >= 22.2R4.2 < 22.2R4.2 | 22.2R4.2 |
| ivanti | connect_secure | >= 22.3R1.2 < 22.3R1.2 | 22.3R1.2 |
| ivanti | connect_secure | >= 22.4R1.2 < 22.4R1.2 | 22.4R1.2 |
| ivanti | connect_secure | >= 22.4R2.4 < 22.4R2.4 | 22.4R2.4 |
| ivanti | connect_secure | >= 22.5R1.3 < 22.5R1.3 | 22.5R1.3 |
| ivanti | connect_secure | >= 22.5R2.4 < 22.5R2.4 | 22.5R2.4 |
| ivanti | connect_secure | >= 22.6R2.3 < 22.6R2.3 | 22.6R2.3 |
| ivanti | connect_secure | >= 9.1R14.6 < 9.1R14.6 | 9.1R14.6 |
| ivanti | connect_secure | >= 9.1R15.4 < 9.1R15.4 | 9.1R15.4 |
| ivanti | connect_secure | >= 9.1R16.4 < 9.1R16.4 | 9.1R16.4 |
| ivanti | connect_secure | >= 9.1R17.4 < 9.1R17.4 | 9.1R17.4 |
| ivanti | connect_secure | >= 9.1R18.5 < 9.1R18.5 | 9.1R18.5 |
| ivanti | policy_secure | | |
| ivanti | policy_secure | | |
| ivanti | policy_secure | | |
| ivanti | policy_secure | | |

Detection & IOCs (extracted from sources)

  • CVE-2024-21894 is a heap overflow in the IPSec component; detect by monitoring for specially crafted IPSec requests sent to Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that cause service crashes (DoS) or unexpected process termination
  • Shadowserver added active scanning for CVE-2024-21894 on April 5, 2024; correlate inbound scan traffic from Shadowserver probes against your Ivanti gateway logs to identify vulnerable instances
  • Prioritize patching/detection for Ivanti Connect Secure and Policy Secure instances exposed on the internet; as of April 3, 2024 Shodan showed ~29,000 exposed instances and Shadowserver ~18,000, indicating a large attack surface
  • CVE-2024-21894 affects Ivanti Connect Secure versions 9.x and 22.x, and Ivanti Policy Secure; only these product lines and version ranges are in scope for this vulnerability
  • At time of disclosure Ivanti stated no signs of active exploitation had been observed in customer environments, but urged immediate patching; monitor for changes in exploitation status
  • The vulnerability is exploitable by unauthenticated users, meaning no credentials are required; perimeter-level detection and blocking of malformed IPSec traffic is necessary even without authenticated sessions

CVSS provenance

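| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 8.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |
| vulncheck | | 9.8 | CRITICAL | |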