CVE-2024-37404
published 2024-10-18

Priority: P1 · 80 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 67.29% (99.2th percentile)
Improper Input Validation in the admin portal of Ivanti Connect Secure before 22.7R2.1 and 9.1R18.9, or Ivanti Policy Secure before 22.7R1.1 allows a remote authenticated attacker to achieve remote code execution.

Affected

9 ranges
| Vendor | Product | Version range | Fixed in |
| ivanti | connect_secure | < 9.1 | 9.1 |
| ivanti | connect_secure | | |
| ivanti | connect_secure | | |
| ivanti | connect_secure | >= 22.3 < 22.7 | 22.7 |
| ivanti | connect_secure | >= 22.7R2.1 < 22.7R2.1 | 22.7R2.1 |
| ivanti | connect_secure | >= 9.1R18.9 < 9.1R18.9 | 9.1R18.9 |
| ivanti | policy_secure | < 22.7 | 22.7 |
| ivanti | policy_secure | | |
| ivanti | policy_secure | >= 22.7R1.1 < 22.7R1.1 | 22.7R1.1 |

Detection & IOCs (extracted from sources)

url: /dana-admin/cert/admincertnewcsr.cgi
url: /dana/uploadlog/uploadlog.cgi
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Connect Secure CRLF Injection Remote Code Execution Attempt (CVE-2024-37404)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:36; content:"/dana-admin/cert/admincertnewcsr.cgi"; fast_pattern; http.request_body; pcre:"/(?:organizationName|organizationalUnitName|localityName|stateOrProvinceName|countryName|emailAddress)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24)).*?(?:openssl(?:\x5f|%5[fF])conf|engine(?:s|(?:\x5f|%5[fF])id)|dynamic(?:\x5f|%5[fF])path)?/i"; reference:cve,2024-37404; reference:url,blog.amberwolf.com/blog/2024/october/cve-2024-37404-ivanti-connect-secure-authenticated-rce-via-openssl-crlf-injection/; classtype:attempted-admin; sid:2056578; rev:2;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Connect Secure Shared Object File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dana/uploadlog/uploadlog.cgi"; startswith; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|uploaded_file|22 3b 20|filename|3d 22|"; content:"Content-Type|3a 20|application/zip|0d 0a 0d 0a|ELF"; within:300; reference:url,blog.amberwolf.com/blog/2024/october/cve-2024-37404-ivanti-connect-secure-authenticated-rce-via-openssl-crlf-injection/; classtype:web-application-attack; sid:2056579; rev:1;)
bytes
Content-Type: application/zip\r\n\r\nELF
  • CRLF injection payload targets CSR generation endpoint; look for POST to /dana-admin/cert/admincertnewcsr.cgi with body fields (organizationName, organizationalUnitName, localityName, stateOrProvinceName, countryName, emailAddress) containing CRLF/semicolon/backtick/pipe/dollar-sign characters (raw or URL-encoded) followed by OpenSSL config directives (openssl_conf, engines, engine_id, dynamic_path)
  • Second-stage payload delivery: watch for POST to /dana/uploadlog/uploadlog.cgi uploading a ZIP-wrapped ELF shared object (Content-Type: application/zip with ELF magic bytes in body) — indicates attacker is uploading a malicious .so for OpenSSL engine loading
  • Exploitation requires valid administrative credentials; monitor for authenticated admin sessions followed immediately by CSR generation requests containing injection characters — the exploit chain is: CRLF inject OpenSSL config → upload malicious ELF shared object → trigger OpenSSL engine load for RCE
  • Detection requires TLS decryption (SSLDecrypt/TLSDecrypt) as all traffic to Ivanti Connect Secure admin portal is HTTPS; without decryption, URI and body-based signatures will not fire
  • Ivanti Policy Secure (prior to 22.7R1.1) is also vulnerable but the Metasploit module does not support it; detection rules targeting Ivanti Connect Secure paths may not cover Policy Secure attack surface
  • The URI-based Snort rule for the CSR endpoint uses bsize:36 (exact URI length match); any variation in the URI (e.g., trailing slash or query string) may cause the rule to miss
  • Both Snort rules require TLS inspection to be effective; deployments without SSL/TLS decryption will not detect this exploit in transit
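
The checks described in the notes above, as an added example (not code from this page or its sources): a Python pass over already-decrypted request records that matches on the normalized path, so a query string or trailing slash does not cause a miss. The `classify` function, the finding labels and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

CSR_PATH = "/dana-admin/cert/admincertnewcsr.cgi"
UPLOAD_PATH = "/dana/uploadlog/uploadlog.cgi"
DN_FIELDS = {"organizationName", "organizationalUnitName", "localityName",
             "stateOrProvinceName", "countryName", "emailAddress"}
# Characters named in the notes: CR/LF, semicolon, backtick, pipe, dollar sign.
INJECTION_CHARS = re.compile(r"[\r\n;`|$]")
DIRECTIVES = re.compile(r"openssl_conf|engines|engine_id|dynamic_path", re.I)
# The page shows "ELF" straight after the blank line; ELF files start with
# byte 0x7f followed by "ELF", so that byte is accepted as optional here.
ZIP_ELF = re.compile(rb"Content-Type: application/zip\r\n\r\n\x7f?ELF")


def classify(method, uri, body):
    """Return (finding, detail) tuples for one decrypted HTTP request."""
    if method.upper() != "POST":
        return []
    # Compare the decoded path only, so a query string or trailing slash
    # does not defeat the match the way an exact URI length check would.
    path = unquote(urlsplit(uri).path).rstrip("/")
    findings = []
    if path == CSR_PATH:
        # parse_qsl URL-decodes values, covering raw and %-encoded forms.
        for name, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
            if name in DN_FIELDS and INJECTION_CHARS.search(value):
                kind = "csr-directive" if DIRECTIVES.search(value) else "csr-metachar"
                findings.append((kind, name))
    elif path == UPLOAD_PATH and ZIP_ELF.search(body):
        findings.append(("elf-in-zip-upload", UPLOAD_PATH))
    return findings


# Constructed sample requests (not captured traffic), as a TLS-inspecting
# proxy might hand them over: (method, uri, raw body bytes).
SAMPLES = [
    ("POST", CSR_PATH + "?t=1", b"organizationName=Example&localityName=Town%0Aengine_id%3DPLACEHOLDER"),
    ("POST", CSR_PATH, b"organizationName=Example&localityName=Springfield&countryName=US"),
    ("POST", UPLOAD_PATH, b'name="uploaded_file"; filename="a.zip"\r\n'
                          b"Content-Type: application/zip\r\n\r\n\x7fELF\x02\x01"),
    ("GET", CSR_PATH, b""),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        print(method, uri, classify(method, uri, body))
```

A `csr-metachar` finding without a directive is lower confidence than `csr-directive` and is best correlated with a later `elf-in-zip-upload` from the same admin session.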

CVSS provenance

| Source | Version | Score | Severity | Vector |
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |