Explaining Exploits: Ivanti Connect Secure

Twelve days ago two new 0 Day exploits were released for Ivanti Connect Secure (ICS) which was formerly Pulse Connect Secure.

CVE-2023-46805 - A high severity authentication bypass in the web component.

CVE-2024-21887- A critical severity command injection in the web component that can be used to execute commands by an authenticated user.

A remote attacker can send a GET request to the target API endpoint with a reverse shell attached to exploit both vulnerabilities simultaneously and establish a connection to run commands on the target system.

This affects all supported versions of Ivanti ICS and Policy Secure 9.x and 22.x.

Remediation:

Ivanti does not have patches readily available to address these vulnerabilities. However, they have released a mitigation file (mitigation.release.20240107.1.xml) for customers to utilize in the mean time until patches are released. Ivanti stated that patches are begin being released this week.

Stay tuned to the explaining exploits series to be prepared for the latest attacks.