CVERadar

CVE-2024-21887

Critical Severity
Ivanti
SVRS: 89/100
CVSSv3: 9.1/10
EPSS: 0.94416/1

CVE-2024-21887 is a critical command injection vulnerability affecting Ivanti Connect Secure and Policy Secure. This flaw allows authenticated administrators to execute arbitrary commands via specially crafted requests. With an extremely high SOCRadar Vulnerability Risk Score (SVRS) of 89, this CVE demands immediate attention and remediation. Due to its high SVRS, this vulnerability is considered critical, surpassing even the base CVSS score in indicating immediate risk. Attackers can exploit this vulnerability to gain full control of affected systems. Given that active exploits are available and it's listed in the CISA KEV catalog, organizations using vulnerable Ivanti products must patch immediately to prevent potential breaches and data compromise. The ability to execute arbitrary commands makes this a severe threat, potentially leading to complete system takeover.

In The Wild
Exploit Available
CISA KEV
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
2024-01-12

2025-02-12

Indicators of Compromise


Exploits

| Title | Software Link | Date |
|---|---|---|
| Marco-zcl/POC | https://github.com/Marco-zcl/POC | 2024-02-16 |
| lions2012/Penetration_Testing_POC | https://github.com/lions2012/Penetration_Testing_POC | 2024-02-07 |
| Chocapikk/CVE-2024-21893-to-CVE-2024-21887 | https://github.com/Chocapikk/CVE-2024-21893-to-CVE-2024-21887 | 2024-02-03 |
| Ostorlab/KEV | https://github.com/Ostorlab/KEV | 2022-04-19 |
| imhunterand/CVE-2024-21887 | https://github.com/imhunterand/CVE-2024-21887 | 2024-02-09 |
| xingchennb/POC- | https://github.com/xingchennb/POC- | 2024-01-26 |
| wy876/POC | https://github.com/wy876/POC | 2023-08-19 |

News

2025 Ransomware: Business as Usual, Business is Booming
Chris Boyd, 2025-04-08
Rapid7 Labs took a look at internal and publicly-available ransomware data for Q1 2025 and added our own insights to provide a picture of the year thus far—and what you can do now to reduce your attack surface against ransomware. Getting an edge on your adversaries involves understanding their behaviors and their mindset.
rapid7.com

Ivanti Connect Secure VPN Exploitation: New Observations
Volexity, 2025-04-01
On January 15, 2024, Volexity detailed widespread exploitation of Ivanti Connect Secure VPN vulnerabilities CVE-2024-21887 and CVE-2023-46805. In that blog post, Volexity detailed broader scanning and exploitation by threat actors using still non-public exploits to compromise numerous devices. The following day, January 16, 2024, proof-of-concept code for the exploit was made public. Subsequently, Volexity has observed an increase in attacks from various threat actors against Ivanti Connect Secure VPN appliances beginning the same day. Additionally, Volexity has continued its investigation into activity conducted
volexity.com

Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
CISA, 2025-04-01
Summary: The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that, as of August 2024, a group of Iran-based cyber actors continues to exploit U.S. and foreign organizations. This includes organizations across several sectors in the U.S. (including in the education, finance, healthcare, and defense sectors as well as local government
us-cert.gov

Exploitation Observed: Ivanti Connect Secure – CVE-2023-46805 and CVE-2024-21887
Noam Atias & Sam Tinklenberg, 2025-04-01
feedburner.com

ISC StormCast for Tuesday, January 16th, 2024
Dr. Johannes B. Ullrich, 2024-01-16
Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Malware Obfuscation; Ivanti Updates; NVidia Firmware Vuln; GitLab Vuln
One File, Two Payloads: https://isc.sans.edu/diary/One%20File%2C%20Two%20Payloads/30558
Ivanti Vulnerability Updates: https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/
NVidia DGX H100 and A100 Updates: https://nvidia.custhelp.com/app/answers/detail/a_id/5510
GitLab Vulnerability
sans.edu

ISC StormCast for Tuesday, January 23rd, 2024
Dr. Johannes B. Ullrich, 2024-01-23
Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Apple Updates; Atlassian Confluence Exploited; Ivanti Mitigation Problems; Czech IPv4 Shutdown Date
Apple Updates Everything: https://isc.sans.edu/forums/diary/Apple%20Updates%20Everything%20-%20New%200%20Day%20in%20WebKit/30578/
Atlassian Confluence RCE Vulnerability Exploits CVE-2023-22527: https://isc.sans.edu/forums/diary/Scans%20Exploit%20Attempts%20for%20Atlassian%20Confluence%20RCE%20Vulnerability%20CVE-2023-22527/30576/
Updated Ivanti Mitigation Advice: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
Czech Republic Sets IPv4 Shutdown date
sans.edu

Ivanti vulnerabilities – recap
admin, 2025-04-01
Formerly known as Pulse Connect Secure, or simply Pulse Secure VPN software. All supported versions (9.x and 22.x) of Ivanti Connect Secure and Ivanti Policy Secure are vulnerable to CVE-2023-46805 and CVE-2024-21887. CVE-2023-46805: an authentication-bypass vulnerability with a CVSS score of 8.2 in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that allows a remote attacker to access restricted resources by bypassing control checks. CVE-2024-21887: a command
vanimpe.eu

Social Media

RT @AustinLarsen_: Our team @Mandiant is releasing details on 🇨🇳 #UNC5325, who exploited CVE-2024-21893 and CVE-2024-21887 to deploy novel…

- CVE-2023-46805/CVE-2024-21887 – Ivanti Secure Connect VPN
- CVE-2023-48788 – Fortinet FortiClient EMS
- CVE-2022-3236 – Sophos Firewall
- Multiple CVEs for Microsoft Exchange relating to ProxyLogon Attack
- Vulnerabilities in Apache Tomcat present in QConvergeConsole

Actively exploited CVE : CVE-2024-21887

CVE-2024-21887 and More: How Earth Estries APT Group Exploits VPNs & Servers Learn about the Earth Estries APT group, a significant cyber espionage actor targeting critical sectors and industries worldwide. https://t.co/yAoI34DRVW

🗣 CVE-2024-21887 and More: How Earth Estries APT Group Exploits VPNs & Servers https://t.co/yxmBUgqeJl

CVE-2024-21887 [[Vulners](https://t.co/V3EhPiYk4w)] - CVSS V3.1: *9.1*, - Vulners: Exploitation: True Soft: - ivanti connect secure (9.0, 9.1, 22.1, 22.2, 22.3) - ivanti policy secure (9.0, 9.1, 22.1, 22.2, 22.3)

The most frequently targeted vulnerability in ransomware attacks over the past 12 months was CVE-2023-4966 in Citrix NetScaler. https://t.co/s0K2A8rs3F Other frequently targeted CVEs included CVE-2023-3519 in Citrix ADC and Gateway; CVE-2024-21887 in Ivanti Connect Secure and

🚨 #CISA adds #Ivanti CSA vulnerability to KEV catalog: 🔑 CVE-2024-21887 - Authentication bypass flaw 🌐 Affects Ivanti Connect Secure & Policy Secure ⚠️ Actively exploited in the wild 🛠️ #CyberSecurity #VulnerabilityManagement #InfoSec https://t.co/Id54YL0vmq

ProxDoor is an unknown passive backdoor implanted in Ivanti appliances likely exploited via CVE-2023-46805 and CVE-2024-21887.

Actively exploited CVE ID, source in the thread (generated, not vetted) CVE-2024-21887

Affected Software

Configuration 1

| Type | Vendor | Product |
|---|---|---|
| App | Ivanti | connect_secure |
| App | Ivanti | policy_secure |

References

| Reference | Link |
|---|---|
| [email protected] | https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US |
| [email protected] | http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html |
| GITHUB | http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html |
| AF854A3A-2127-422B-91AE-364DA2661108 | http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html |
| AF854A3A-2127-422B-91AE-364DA2661108 | https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US |

CWE Details

| CWE ID | CWE Name | Description |
|---|---|---|
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
