CVE-2024-21887 (exploited in the wild)

Ivanti Connect Secure / Policy Secure, authenticated command injection in web components

A command injection vulnerability in web components of Ivanti Connect Secure and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Overview

CVE-2024-21887 is a critical command injection vulnerability affecting the web components of Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure appliances. The flaw allows an authenticated administrator to execute arbitrary commands on the underlying operating system by sending specially crafted requests to the administrative web interface. When chained with CVE-2023-46805 (an authentication bypass vulnerability), attackers can achieve unauthenticated remote code execution (RCE) with no prior access to the appliance, making this combination extremely dangerous.

This vulnerability chain became one of the most significant edge-device compromises of 2024, with mass exploitation occurring from January through mid-2024.

Technical Details

Multiple endpoints in the Connect Secure and Policy Secure administrative web interface pass user-supplied input directly into shell contexts without proper sanitization. This allows injection of arbitrary shell commands that execute with the privileges of the appliance service account.

The attack chain works as follows:

  1. Attacker exploits CVE-2023-46805 to bypass authentication requirements
  2. Attacker then leverages CVE-2024-21887 to inject and execute arbitrary commands
  3. Commands run as the appliance service account, typically yielding root-level access

Volexity attributed early pre-disclosure exploitation to threat actor UTA0178 (a state-aligned, China-linked group) beginning December 3, 2023. Following the January 10, 2024 public advisory, mass scanning began immediately, with Mandiant tracking at least five distinct threat actor clusters deploying web shells, the GLASSTOKEN backdoor, and credential-harvesting tools.

Impact

Successful exploitation yields root access on the appliance, which typically sits at the network perimeter with privileged routes into internal networks and access to Active Directory via stored LDAP bind credentials. Compromised appliances expose organizations to:

  • Complete network boundary compromise
  • Credential theft (AD bind accounts, RADIUS secrets, SAML signing keys)
  • Persistent backdoor access via web shells
  • Lateral movement into internal networks

CISA issued Emergency Directive 24-01, ordering federal agencies to disconnect affected Ivanti appliances by February 2, 2024.

Mitigation

  1. Patch immediately: Upgrade to Connect Secure 9.1R18.3, 22.5R2.2, 22.6R2.2 or later
  2. Run the Integrity Checker Tool (ICT): After patching, run both the external (CLI) ICT and the built-in ICT 2.0
  3. Assume compromise: Rebuild appliances from known-clean OVA images
  4. Rotate all credentials: AD bind accounts, RADIUS secrets, SAML signing keys
  5. Review SAML IdP logs: Check for unauthorized assertions during the exposure window
  6. Isolate or decommission: If immediate patching/rebuilding is impossible
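An added fleet inventory check, not from this advisory or from Ivanti, that classifies appliance version strings against the fixed builds listed in step 1 above. The hostnames and versions in the sample inventory are constructed; a release train with no fix listed on this page is reported as "unknown" for manual review rather than assumed safe.

```python
import re
from typing import Optional, Tuple

# First fixed build per release train, as listed in the Mitigation section.
# Key: "major.minor" train; value: (R number, point release).
FIXED_BUILDS = {
    "9.1": (18, 3),   # 9.1R18.3
    "22.5": (2, 2),   # 22.5R2.2
    "22.6": (2, 2),   # 22.6R2.2
}

# Matches version strings such as "22.5R2.2" or "22.5R2.2 (build 3019)".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Optional[Tuple[str, int, int]]:
    """Return (train, R number, point release), or None if unrecognised."""
    m = _VERSION_RE.match(version)
    if not m:
        return None
    train = f"{m.group(1)}.{m.group(2)}"
    point = int(m.group(4) or 0)  # "22.5R2" is treated as 22.5R2.0
    return train, int(m.group(3)), point


def patch_status(version: str) -> str:
    """'patched', 'vulnerable', or 'unknown' (unparsable or train not listed).
    'unknown' is deliberately not treated as safe: flag it for review."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    train, r_num, point = parsed
    if train not in FIXED_BUILDS:
        return "unknown"
    return "patched" if (r_num, point) >= FIXED_BUILDS[train] else "vulnerable"


def triage(inventory):
    """Map hostname -> status for a list of (hostname, version) pairs."""
    return {host: patch_status(ver) for host, ver in inventory}


# Constructed sample inventory; hostnames and build numbers are illustrative.
SAMPLE_INVENTORY = [
    ("vpn-gw-01", "22.5R2.2 (build 3019)"),
    ("vpn-gw-02", "22.5R1.1"),
    ("vpn-gw-03", "9.1R18.3"),
    ("vpn-gw-04", "9.1R17.2"),
    ("vpn-gw-05", "22.4R2.1"),
    ("vpn-gw-06", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Anything reported as "vulnerable" or "unknown" should be treated under step 3 (assume compromise) until the build is confirmed.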

Detection

Organizations should run the Ivanti Integrity Checker Tool against all appliances. Monitor for indicators of compromise including unexpected web shells, the GLASSTOKEN backdoor, and anomalous outbound connections. Review authentication logs for suspicious administrative access patterns and check for unauthorized SAML assertions.