Skip to content

2024-004: Critical Vulnerabilities in Ivanti Connect Secure

Table of Contents

On January 10, 2024, Ivanti has released an advisory about two critical vulnerabilities in Ivanti Connect Secure (ICS) and Policy Secure gateways. These vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, have been exploited in the wild and can allow remote attackers to execute arbitrary commands on targeted gateways.

Technical Blog

Advisory: Critical Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways

Published on January 11, 2024

On January 10, 2024, Ivanti released an important advisory regarding two critical vulnerabilities found in their popular products Connect Secure (ICS) and Policy Secure gateways. Attackers have already exploited these vulnerabilities, which are known as CVE-2023-46805 and CVE-2024-21887, and can potentially result in the execution of arbitrary commands on targeted gateways.

Technical Details

The first vulnerability, CVE-2023-46805, is classified with a CVSS score of 8.2. This vulnerability enables an authentication bypass in the gateways' web component, allowing attackers to access restricted resources without proper authorization.

The second vulnerability, CVE-2024-21887, has a CVSS score of 9.1. It is a command injection vulnerability that enables authenticated administrators to execute arbitrary commands on vulnerable appliances by sending specially crafted requests.

When combined, these two vulnerabilities allow attackers to run arbitrary commands on all supported versions of the impacted products, without requiring authentication.

Affected Products

The vulnerabilities impact all supported versions of Ivanti Connect Secure (ICS) and Policy Secure gateways.


While Ivanti is working on releasing the patches, CERT-EU recommends applying the workaround mitigation.release.20240107.1.xml and running the external Integrity Checker Tool (ICT) as soon as possible [3].


Until the patches are made available, users can mitigate the zero-day vulnerabilities by importing the mitigation.release.20240107.1.xml file provided through Ivanti's download portal [3]. Additionally, to counteract observed attempts by threat actors to manipulate Ivanti's internal integrity checker (ICT), it is advisable for customers to run the external ICT [3].


  1. Ivanti Connect Secure Zero-Day Vulnerabilities
  2. CVE-2023-46805 Authentication Bypass, CVE-2024-21887 Command Injection in Connect Secure and Policy Secure Gateways
  3. Ivanti Gateway Vulnerability Mitigation

```htmlMITRE ATT&CK Matrix Advisory Analysis

MITRE ATT&CK Matrix from Ivanti Advisory

Advisory Date: January 10, 2024

Critical Vulnerabilities: CVE-2023-46805 and CVE-2024-21887


ATT&CK Tactic Technique Sub-Technique
Initial Access Exploit Public-Facing Application
Execution Command and Scripting Interpreter
Command and Scripting Interpreter: Unix Shell
Defense Evasion Subvert Trust Controls
Subvert Trust Controls: Gatekeeper Bypass


ATT&CK Tactic Technique Sub-Technique
- - -
No specific mobile techniques mentioned in the advisory.


ATT&CK Tactic Technique Sub-Technique
Exploitation for Evasion Exploit Public-Facing Application


Mitigation Technique Description
Update Software Import the mitigation.release.20240107.1.xml file available via Ivanti's download portal.
Application Isolation and Sandboxing Run the external Integrity Checker Tool (ICT) to validate the integrity of Ivanti gateways.


``` In the constructed matrix above, specific ATT&CK tactics and techniques have been assigned to the vulnerabilities listed in the advisory. It is important to note that these mappings are not exhaustive and serve as potential categorizations based on the provided information. Sub-techniques have also been added where appropriate, but some entries do not have corresponding sub-techniques listed in the advisory. The Mobile section does not include specific techniques as the advisory does not provide Mobile-specific information. The mitigations section includes the advised immediate actions to address the vulnerabilities, as per the linked references.

This post was generated entirely by an AI language model. Source: CERT EU