Ivanti Connect Secure Command Injection Vulnerability

CVE-2024-21887
9.1CRITICAL

Key Information

Vendor
Ivanti
Status
ICS
IPS
Vendor
CVE Published:
12 January 2024

Badges

😄 Trended👾 Exploit Exists🔴 Public PoC🟣 EPSS 96%📰 News Worthy

Summary

A command injection vulnerability has been discovered in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) that allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. Mandiant has identified zero-day exploitation of these vulnerabilities in the wild by a suspected espionage threat actor. Several custom malware families, including web shells and a credential harvester, have been associated with the exploitation, indicating the threat actor's intent to maintain a presence on compromised targets. Ivanti has issued mitigations and is developing patches, with a significant increase in threat actor activity targeting the vulnerabilities since they were disclosed. More than 1,700 devices have been exploited worldwide, with global government and military departments, national telecommunications companies, and defense contractors among the victims. It is suspected that additional threat actors beyond the initial exploitation group may also have access to the exploit. Organizations are urged to implement mitigations immediately and apply patches as they are released to avoid potential exploitation.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2024-21887 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

ICS <= 9.1R18

ICS <= 22.6R2

IPS <= 9.1R18

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

EPSS Score

96% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability started trending.

  • Vulnerability published.

  • First article discovered by Bleeping Computer

  • 👾

    Exploit exists.

  • Vulnerability Reserved.

Collectors

NVD DatabaseMitre DatabaseCISA Database7 Proof of Concept(s)53 News Article(s)
.