Ivanti Connect Secure Command Injection Vulnerability

CVE-2024-21887
9.1 CRITICAL

Key Information

Vendor: Ivanti
Products: ICS, IPS
CVE Published: 12 January 2024

Badges

  • 😄 Trended
  • 👾 Exploit Exists
  • 🔴 Public PoC
  • 🟣 EPSS 96%
  • 📰 News Worthy

Summary

A command injection vulnerability has been discovered in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) that allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. Mandiant has identified zero-day exploitation of these vulnerabilities in the wild by a suspected espionage threat actor. Several custom malware families, including web shells and a credential harvester, have been associated with the exploitation, indicating the threat actor's intent to maintain a presence on compromised targets. Ivanti has issued mitigations and is developing patches, with a significant increase in threat actor activity targeting the vulnerabilities since they were disclosed. More than 1,700 devices have been exploited worldwide, with global government and military departments, national telecommunications companies, and defense contractors among the victims. It is suspected that additional threat actors beyond the initial exploitation group may also have access to the exploit. Organizations are urged to implement mitigations immediately and apply patches as they are released to avoid potential exploitation.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2024-21887 as being exploited, but CISA does not currently know it to be used in ransomware campaigns. This may change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

ICS <= 9.1R18

ICS <= 22.6R2

IPS <= 9.1R18

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

EPSS Score

96% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability started trending.

  • Vulnerability published.

  • First article discovered by Bleeping Computer.

  • 👾 Exploit exists.

  • Vulnerability reserved.

Collectors

  • NVD Database
  • Mitre Database
  • CISA Database
  • 7 Proof of Concept(s)
  • 52 News Article(s)