CVE-2024-21893

High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 31 January 2024

Modified: 30 October 2025
KEV Added: 31 January 2024
Patch: available
CVSS Score (v3.1): 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.9432 (100.0th percentile)
Risk Priority: 93 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-21893 is a high-severity SSRF (CWE-918) vulnerability in Ivanti Connect Secure. Its CVSS base score is 8.2 (High).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS 100.0th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2024-21893 is a server-side request forgery vulnerability (CWE-918) residing in the SAML component of Ivanti Connect Secure versions 9.x and 22.x, Ivanti Policy Secure versions 9.x and 22.x, and Ivanti Neurons for ZTA. The flaw carries a CVSS 3.1 score of 8.2 and permits an unauthenticated attacker to reach restricted resources that should otherwise be inaccessible.

An attacker can exploit the issue over the network without credentials or user interaction to issue crafted requests from the affected server, resulting in high-impact confidentiality exposure combined with limited integrity effects. Because the vulnerability requires no authentication, remote adversaries, including automated scanners and threat actors, can target exposed Ivanti appliances directly.

Ivanti security advisories for these product families address related issues and direct customers to apply vendor-supplied patches. The CVE is also catalogued in CISA's Known Exploited Vulnerabilities list, confirming that mitigation through updates or compensating controls is required for affected deployments.

The associated EPSS score has reached a peak of 0.9640 with a current value of 0.9432, indicating sustained and widespread exploitation interest following disclosure.

Vulnerability details

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

CWE(s): CWE-918 (Server-Side Request Forgery)
KEV Date Added: 31 January 2024

Related Threats

Threat-Actor Attribution (AI-generated)

UNC5221 (G0125), aka Silk Typhoon
Mandiant and Microsoft attributed mass exploitation of the 2024 Ivanti Connect Secure zero-day chain (including the CVE-2024-21893 SSRF) to UNC5221 / Silk Typhoon espionage operations.

Affected Assets

Vendor / Product / Affected versions
ivanti / connect secure / 21.12, 21.9, 22.1, 22.2, 22.3
ivanti / policy secure / 22.1, 22.2, 22.3, 22.4, 22.5
ivanti / neurons for zero-trust access / 22.2, 22.3, 22.4, 22.5, 22.6

Mitigating Controls (NIST 800-53 r5, AI-generated)

Prevent (AC-4, Information Flow Enforcement): Enforces information flow rules that directly block the unauthorized server-initiated requests to internal resources enabled by this SAML SSRF flaw.

Prevent (AC-3, Access Enforcement): Requires explicit access enforcement decisions before any resource is retrieved, stopping the unauthenticated SSRF access path described in CVE-2024-21893.

Prevent: Validates URL and request parameters supplied to the SAML component, preventing the malicious input that triggers the SSRF to restricted resources.
