CVE-2024-21887
Published: 12 January 2024
Summary
CVE-2024-21887 is a critical-severity Command Injection (CWE-77) vulnerability in Ivanti Connect Secure. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-21887 is a command injection vulnerability (CWE-77) residing in the web components of Ivanti Connect Secure and Ivanti Policy Secure appliances running versions 9.x and 22.x. An authenticated administrator can submit specially crafted requests that result in arbitrary command execution on the underlying appliance. The CVSS 9.1 score reflects a network-accessible flaw with high impact to confidentiality, integrity and availability, and a changed scope.
An authenticated administrator can leverage the flaw to run operating-system commands on the gateway appliance, potentially leading to full device compromise. Public references also document chaining with the related authentication-bypass issue CVE-2023-46805, enabling unauthenticated remote code execution in some deployments.
Ivanti’s advisory and CISA’s Known Exploited Vulnerabilities catalog both list the issue, underscoring the need for immediate application of vendor patches. Packet Storm has published exploit code demonstrating the vulnerability.
The EPSS score has reached a peak of 0.9733 with a current value of 0.9441, indicating sustained and widespread exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-19498
Vulnerability details
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
- CWE(s): CWE-77 (Command Injection)
- KEV Date Added: 10 January 2024
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of all inputs to the web interface, blocking the specially crafted requests that trigger command injection under CWE-77.
- SI-2 (Flaw Remediation): mandates timely application of vendor patches that remediate the command-injection flaw in the Ivanti web components.
- Restricting the set of privileged operations an authenticated administrator account can perform limits the impact even if a crafted request reaches the vulnerable code path.