VIR Vulnerability Intelligence Relay

CVE-2024-21887

unknown KEV
Published 2024-01-10 ยท Modified 2024-01-10
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
2.5

Description

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authenticated bypass issue.

CISA KEV

Vendor
Ivanti
Product
Connect Secure and Policy Secure
Due date
2024-01-22

Predictions

Exploit likelihood
99%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27
{Vendor advisory: cisa-kev โ€” Please apply mitigations per vendor instructions. For more information, please see: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US ; https://nvd.nist.gov/vuln/detail/CVE-2024-21887}

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Metasploit modules

exploit_linux/http/ivanti_connect_secure_rce_cve_2024_21893 rank 600
Ivanti Connect Secure Unauthenticated Remote Code Execution
Source code queued for fetch โ€” refresh in a moment.
exploit_linux/http/ivanti_connect_secure_rce_cve_2023_46805 rank 600
Ivanti Connect Secure Unauthenticated Remote Code Execution
Source code queued for fetch โ€” refresh in a moment.

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.