CVE-2023-46805

CVE-2023-46805 is a high-severity vulnerability in Ivanti Connect Secure with a CVSS 3.x base score of 8.2. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-01-10). The underlying weakness is classified as CWE-287.

Key facts

Description

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

CVE-2023-46805: Ivanti Connect Secure and Policy Secure Authentication Bypass

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE CVE-2023-46805
CVSS v3.1 8.2 (HIGH)
EPSS 0.99986 (99.98th percentile)
KEV Listed (2024-01-10)
CWE CWE-287 – Improper Authentication
Attack Vector Network / Low Complexity / No Privileges / No Interaction

Summary

CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure (formerly Pulse Connect Secure) and Ivanti Policy Secure. A remote, unauthenticated attacker can bypass control checks to access restricted resources, effectively degrading the appliance's authentication boundary.

Background

Ivanti Connect Secure and Policy Secure are SSL-VPN and network access control (NAC) gateways widely deployed at the edge of enterprise networks. Because they terminate remote user sessions and provide privileged access to internal resources, any authentication bypass on these appliances has outsized impact. This vulnerability was disclosed in January 2024 alongside CVE-2024-21887 (a command-injection flaw), and the two are frequently chained by threat actors to achieve unauthenticated remote code execution.

Root Cause

The vulnerability is classified under CWE-287: Improper Authentication. The web component fails to enforce authentication controls on certain restricted endpoints or paths, allowing requests to reach protected resources without valid session credentials. This is a control-logic flaw rather than a memory corruption bug, meaning it is reliably exploitable and does not depend on complex heap shaping or brute-force techniques.

Impact

The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N, yielding a base score of 8.2 (HIGH).

  • Confidentiality Impact: HIGH — Unauthenticated access to restricted resources can expose sensitive configuration data, session tokens, or internal services.
  • Integrity Impact: LOW — Depending on the endpoint reached, the attacker may be able to modify limited settings or stage further exploitation.
  • Availability Impact: NONE — The vulnerability does not directly cause denial of service.

Real-world impact is amplified because these appliances are edge-facing VPN concentrators. Successful exploitation often provides a foothold inside the perimeter with legitimate user-like access.

Exploitation Walkthrough

Ethics caveat: This section describes the vulnerability conceptually for defensive purposes only. No working exploit code is provided, and readers should use this knowledge to improve detection and patching, not to attack systems without authorization.

The attack is typically carried out as follows:

  1. Reconnaissance — The attacker identifies an affected Ivanti Connect Secure or Policy Secure appliance exposed to the internet (commonly on TCP 443).
  2. Path/Control Bypass — The attacker sends a crafted HTTP request to an endpoint that should require authentication. Due to the improper authentication check, the appliance processes the request as if it were from a legitimate session.
  3. Resource Access — Depending on the endpoint, the attacker may retrieve internal files, configuration backups, or session information.
  4. Chaining — In the wild, this bypass is frequently chained with CVE-2024-21887 to inject commands and achieve remote code execution with root-level privileges on the appliance.

Defensive teams should assume that any unpatched, internet-facing appliance has already been probed and potentially compromised.

Affected and Patched Versions

Affected products:

  • Ivanti Connect Secure 9.x
  • Ivanti Connect Secure 22.x
  • Ivanti Policy Secure 9.x
  • Ivanti Policy Secure 22.x

Specific patch releases were made available by Ivanti in January 2024. Refer to the Ivanti security advisory for the exact patched versions and supported upgrade paths.

Remediation

  1. Upgrade immediately — Apply the vendor-provided firmware or software patches for Ivanti Connect Secure and Policy Secure as listed in the official advisory.
  2. Compensating controls — If immediate patching is not feasible:
    • Restrict management and user portal access to known IP ranges via upstream firewall rules.
    • Enable multi-factor authentication (MFA) for all VPN accounts to limit the value of any stolen session data.
    • Monitor appliance logs for anomalous access patterns to restricted endpoints.
  3. Post-exploitation hygiene — Because CISA confirmed active exploitation, assume compromise if the appliance was unpatched and internet-facing. Rotate credentials, review VPN session logs, and inspect for unexpected administrative accounts or configurations.

Detection

  • Network — Monitor inbound HTTP/HTTPS traffic to the appliance for unusual URI patterns or sequences that bypass authentication controls. Correlation with known exploit signatures for CVE-2023-46805 can help flag probing activity.
  • Endpoint/Appliance — Review Ivanti appliance logs for unauthorized access to administrative or restricted endpoints, especially from unexpected source IPs.
  • Threat Intelligence — Monitor CISA KEV updates and vendor threat briefings for IOCs associated with this vulnerability.

Assessment

This vulnerability carries an EPSS score of 0.99986 (99.98th percentile), indicating an extremely high probability of active exploitation. It was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 2024-01-10, and EU exploitation tracking confirms in-the-wild abuse since the same date.

Key lessons:

  1. Edge appliances are high-value targets — VPN and NAC gateways consolidate trust; a single authentication bypass can collapse perimeter security.
  2. Vulnerability chaining magnifies risk — CVE-2023-46805 alone is serious, but its combination with CVE-2024-21887 demonstrates how an auth bypass can escalate to full appliance compromise. Patching timelines for VPN infrastructure should be measured in hours, not days.

References

Frequently asked questions

What is CVE-2023-46805?
An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
How severe is CVE-2023-46805?
CVE-2023-46805 has a CVSS 3.x base score of 8.2, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity low, and availability none.
Is CVE-2023-46805 being actively exploited?
Yes. CVE-2023-46805 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-01-10, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-46805?
CVE-2023-46805 primarily affects Ivanti Connect Secure. In total, 81 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2023-46805?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-46805 have an EU (EUVD) identifier?
Yes. CVE-2023-46805 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-50971. It is also flagged as exploited in the EUVD (since 2024-01-10).
When was CVE-2023-46805 published?
CVE-2023-46805 was published on 2024-01-12 and last updated on 2026-06-17.

References

Affected products (81)

More vulnerabilities in Ivanti Connect Secure

All CVEs affecting Ivanti Connect Secure →

Other CWE-287 (Improper Authentication) vulnerabilities

Browse all CWE-287 (Improper Authentication) vulnerabilities →