Ivanti Connect Secure Command Injection Vulnerability
CVE-2024-21887
What is CVE-2024-21887?
CVE-2024-21887 is a critical command injection vulnerability affecting Ivanti Connect Secure and Ivanti Policy Secure, specifically in versions 9.x and 22.x. This vulnerability allows authenticated administrators to execute arbitrary commands on the system by sending specially crafted requests via the web components of the affected products. The ability to execute such commands can severely compromise the security posture of an organization, potentially leading to unauthorized access, data manipulation, or system outages.
Technical Details
The vulnerability is located within the web interfaces of both Ivanti Connect Secure and Ivanti Policy Secure. It arises from improper handling of user inputs, which leads to a command injection flaw. This allows an attacker with administrative privileges to craft requests that can carry out malicious commands directly on the device. Given the nature of this vulnerability, an exploit can lead to uncontrolled access to system capabilities, undermining the integrity of the security appliances.
Impact of the Vulnerability
- Unauthorized Command Execution: The vulnerability allows attackers to execute arbitrary system commands, which can lead to complete system control or modifications to vital components of the security infrastructure.
- Data Breaches: By exploiting this vulnerability, attackers have the potential to access sensitive data stored within the vulnerable systems, resulting in severe breaches that could compromise organizational integrity and confidentiality.
- Service Disruption: Successful exploitation can also lead to outages or disruptions of service, impacting the operational capabilities of organizations that rely on Ivanti’s security solutions to manage and secure their networks.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
- ICS 9.1R18
- ICS 22.6R2
- IPS 9.1R18
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
- watchTowr Labs - Blog: The epicentre of offensive security expertise and research at watchTowr - watchTowr Labs. (8 months ago)
- Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery: Ivanti Connect Secure (ICS) devices are under attack! Two critical vulnerabilities are being exploited to deploy the notorious Mirai botnet. (8 months ago)
- Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation: On Jan. 12, 2024, Mandiant published a blog post detailing two high-impact zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, affecting Ivanti Connect Secure VPN (CS, formerly Pulse Secure) and... (9 months ago)
EPSS Score
97% chance of being exploited in the next 30 days.
Timeline
- 🟡 Public PoC available
- 💰 Used in Ransomware
- 📈 Vulnerability started trending
- Vulnerability published
- 👾 Exploit known to exist
- 🦅 CISA Reported
- 📰 First article discovered by Bleeping Computer
- Vulnerability Reserved