CVE-2023-46805 (exploited in the wild)

Ivanti Connect Secure, web component authentication bypass (paired with CVE-2024-21887)

An authentication bypass vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Overview

CVE-2023-46805 is a critical authentication bypass vulnerability affecting Ivanti Connect Secure (formerly Pulse Connect Secure) and Ivanti Policy Secure gateway appliances. The vulnerability exists in the web component of these products and allows remote attackers to access restricted resources by bypassing authentication control checks.

This vulnerability became infamous as one half of a devastating attack chain when paired with CVE-2024-21887 (an authenticated command injection vulnerability). Together, these two vulnerabilities enable unauthenticated remote code execution with root privileges on affected appliances. Mass exploitation began in January 2024, prompting emergency response actions across government and private sectors.

Technical Details

The vulnerability stems from a missing authorization check on selected endpoints within the Connect Secure web UI. This flaw allows network attackers to reach administrator-only paths without providing valid credentials.

While CVE-2023-46805 alone results in information disclosure and unauthorized access to restricted resources, its true danger emerges when chained with CVE-2024-21887. The authentication bypass allows attackers to reach the authenticated command injection endpoint, converting what would require valid admin credentials into a fully unauthenticated attack path to root-level compromise.

Volexity observed the first exploitation, attributed to the threat actor UTA0178, on December 3, 2023, over a month before public disclosure.
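To make the bug class concrete, here is an added illustration (generic example code, not Ivanti's implementation; the route names and handlers are constructed) of an authorization check that individual handlers must opt in to, so that one forgotten call leaves an admin-only path reachable without credentials, next to a deny-by-default router that enforces policy before any handler runs.

```python
"""Added illustration of the bug class described above (an authorization
check that individual handlers must opt in to, so a forgotten call exposes an
admin-only path) next to a deny-by-default alternative. Generic example code,
not Ivanti's implementation; the route names and handlers are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Request:
    path: str
    user: Optional[str] = None   # None means no credentials were presented
    is_admin: bool = False


def require_admin(req: Request) -> None:
    """Raise unless the request carries an authenticated admin session."""
    if req.user is None or not req.is_admin:
        raise PermissionError("admin credentials required")


# Pattern A: opt-in checks. Every handler must remember to call require_admin().
def status_optin(req: Request) -> str:
    require_admin(req)
    return "status: ok"


def backup_optin(req: Request) -> str:
    # The check was forgotten here, so the path is reachable unauthenticated.
    return "backup: configuration dump"


OPTIN_ROUTES: Dict[str, Callable[[Request], str]] = {
    "/admin/status": status_optin,
    "/admin/backup": backup_optin,
}


def dispatch_optin(req: Request) -> str:
    return OPTIN_ROUTES[req.path](req)


# Pattern B: deny by default. The router enforces policy before any handler
# runs, so a route is public only when explicitly declared as such.
def login_page(req: Request) -> str:
    return "login page"


def status(req: Request) -> str:
    return "status: ok"


def backup(req: Request) -> str:
    return "backup: configuration dump"


ROUTES: Dict[str, Tuple[Callable[[Request], str], str]] = {
    "/login": (login_page, "public"),
    "/admin/status": (status, "admin"),
    "/admin/backup": (backup, "admin"),
}


def dispatch_default_deny(req: Request) -> str:
    handler, policy = ROUTES[req.path]
    if policy != "public":
        require_admin(req)
    return handler(req)


def reachable_unauthenticated(dispatch: Callable[[Request], str], path: str) -> bool:
    """True if the path returns a response when no credentials are presented."""
    try:
        dispatch(Request(path))
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for path in OPTIN_ROUTES:
        print(f"opt-in router, {path}: unauthenticated reachable ="
              f" {reachable_unauthenticated(dispatch_optin, path)}")
    for path in ROUTES:
        print(f"default-deny router, {path}: unauthenticated reachable ="
              f" {reachable_unauthenticated(dispatch_default_deny, path)}")
```

The design point is that with pattern A the security of every admin path depends on each handler author remembering one call, which is exactly the kind of omission a code review or an audit of the route table can catch; with pattern B the route table itself is the policy, and a newly added route is protected unless someone explicitly marks it public.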

Impact

The impact of this vulnerability chain is severe. Successful exploitation grants attackers complete control over the appliance with root privileges. Connect Secure appliances typically contain:

  • Privileged Active Directory bind accounts
  • SAML signing material
  • Direct network routes into internal LANs

Following the January 10, 2024 advisory, at least five distinct threat actor clusters were observed exploiting this chain, deploying webshells including BUSHWALK, CHAINLINE, and FRAMESTING, along with credential stealers. The severity prompted CISA Emergency Directive 24-01, which ordered federal agencies to disconnect affected appliances by February 2, 2024.

Mitigation

Organizations should take the following actions:

  1. Apply patches immediately: Connect Secure 9.1R18.3, 22.5R2.2, or 22.6R2.2 and later versions address this vulnerability
  2. Run both Integrity Checker Tools (external CLI and built-in ICT 2.0)
  3. Treat any Internet-exposed appliance from the exploitation window as compromised and rebuild it from a clean OVA
  4. Rotate all sensitive credentials: AD bind accounts, RADIUS secrets, SAML signing certificates, and locally-defined admin accounts
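As an added helper for the patching step (example code, not an Ivanti tool), the following classifies Connect Secure version strings against the fixed builds named above (9.1R18.3, 22.5R2.2, 22.6R2.2). It assumes the version grammar major.minorRrelease[.patch] and compares only within a release train; trains the advisory does not name are reported as "unknown" rather than guessed. The inventory at the bottom is constructed sample data.

```python
"""Added triage helper for the mitigation step above: classify a Connect
Secure version string against the fixed builds named in the advisory
(9.1R18.3, 22.5R2.2, 22.6R2.2). Example code, not an Ivanti tool. It assumes
the version grammar major.minorRrelease[.patch]; release trains the advisory
does not name are reported as "unknown" rather than guessed."""
import re
from typing import Dict, Tuple

# Minimum fixed build per release train (major, minor), as listed in the advisory.
FIXED_BUILDS: Dict[Tuple[int, int], str] = {
    (9, 1): "9.1R18.3",
    (22, 5): "22.5R2.2",
    (22, 6): "22.6R2.2",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'22.6R1' -> (22, 6, 1, 0); a missing patch component counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    major, minor, release, patch = parse_version(version)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "unknown"  # train not named in the advisory; check vendor guidance
    fixed_release_patch = parse_version(fixed)[2:]
    return "patched" if (release, patch) >= fixed_release_patch else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map appliance name -> assessment for a {name: version} inventory."""
    return {name: assess(version) for name, version in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "vpn-east": "22.5R2.1",
    "vpn-west": "22.6R2.2",
    "vpn-legacy": "9.1R18.3",
    "vpn-lab": "22.4R2.3",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12} {SAMPLE_INVENTORY[name]:10} {verdict}")
```

A "patched" verdict only addresses step 1: an appliance that was exposed during the exploitation window still needs the Integrity Checker runs, rebuild and credential rotation from steps 2 to 4, because patching does not remove a webshell that is already present.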

Detection

Organizations should utilize Ivanti's Integrity Checker Tools to detect signs of compromise. Both the external CLI version and the built-in ICT 2.0 should be executed. Network monitoring for connections to known malicious infrastructure and filesystem analysis for webshell artifacts (BUSHWALK, CHAINLINE, FRAMESTING) are recommended for environments that were exposed during the exploitation window.