Cyber Resilience

CVE-2024-21887

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked · RCE

Published: 12 January 2024

Modified: 31 October 2025
KEV Added: 10 January 2024
Patch:
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9441 (100.0th percentile)
Risk Priority: 95 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-21887 is a critical-severity Command Injection (CWE-77) vulnerability in Ivanti Connect Secure. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-21887 is a command injection vulnerability (CWE-77) residing in the web components of Ivanti Connect Secure and Ivanti Policy Secure appliances running versions 9.x and 22.x. An authenticated administrator can submit specially crafted requests that result in arbitrary command execution on the underlying appliance. This is reflected in the CVSS 9.1 score, whose vector indicates a network-reachable attack path with high impact on confidentiality, integrity and availability, plus a scope change (S:C).

An authenticated administrator can leverage the flaw to run operating-system commands on the gateway appliance, potentially leading to full device compromise. Public references also document chaining with the related authentication-bypass issue CVE-2023-46805, enabling unauthenticated remote code execution in some deployments.

Ivanti’s advisory and CISA’s Known Exploited Vulnerabilities catalog both list the issue, underscoring the need for immediate application of vendor patches. Packet Storm has published exploit code demonstrating the vulnerability.

The EPSS score has reached a peak of 0.9733 with a current value of 0.9441, indicating sustained and widespread exploitation interest following disclosure.

EU & UK References

Vulnerability details

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

CWE(s): CWE-77 (Command Injection)
KEV Date Added: 10 January 2024

Related Threats

Threat-Actor Attribution (AI)

UNC5221 (aka UTA0178)
Mandiant and Volexity attribute exploitation of CVE-2024-21887 (with CVE-2023-46805) to UNC5221/UTA0178 in espionage campaigns against Ivanti appliances.

Affected Assets

Ivanti Connect Secure: 22.1, 22.2, 22.3, 22.4, 22.5
Ivanti Policy Secure: 22.1, 22.2, 22.3, 22.4, 22.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-10 (Information Input Validation). Directly requires validation and sanitization of all inputs to the web interface, blocking the specially crafted requests that trigger command injection under CWE-77.

Prevent: SI-2 (Flaw Remediation). Mandates timely application of vendor patches that remediate the command-injection flaw in the Ivanti web components.

Prevent: Restricts the set of privileged operations an authenticated administrator account can perform, limiting the impact even if a crafted request reaches the vulnerable code path.

References