CVE-2024-21887
CVE-2024-21887 is a critical-severity vulnerability in Ivanti Connect Secure with a CVSS 3.x base score of 9.1. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-01-10). The underlying weakness is classified as CWE-77.
Key facts
- Severity: Critical (CVSS 3.x base score 9.1)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-01-10)
- EU (EUVD) id: EUVD-2024-19498
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-01-10)
- Weakness: CWE-77
- Affected product: Ivanti Connect Secure
- Published:
- Last modified:
Description
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
CVE-2024-21887: Ivanti Connect Secure and Policy Secure Command Injection
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-21887 |
| CVSS v3 | 9.1 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-77: Command Injection |
| EPSS | 0.99999 (99.999th percentile) |
| KEV | Yes (CISA KEV, added 2024-01-10) |
| Published | 2024-01-12 |
| Affected Products | Ivanti Connect Secure 9.x, 22.x; Ivanti Policy Secure 9.x, 22.x |
Summary
CVE-2024-21887 is a command injection vulnerability in the web components of Ivanti Connect Secure and Ivanti Policy Secure. An authenticated administrator can send specially crafted requests that result in arbitrary command execution on the underlying appliance.
Background
Ivanti Connect Secure (formerly Pulse Secure Connect) is a widely deployed SSL VPN appliance that provides remote access to enterprise networks. Ivanti Policy Secure is a complementary network access control (NAC) solution. Both products expose web-based management interfaces for administrative configuration. Because these appliances sit at the network edge and terminate privileged remote-access sessions, they are high-value targets for threat actors.
Root Cause
The vulnerability is classified as CWE-77: Command Injection. User-controllable input from authenticated web requests is passed to an underlying system shell without adequate sanitization or parameterization. This allows an attacker to inject shell metacharacters and execute arbitrary operating-system commands with the privileges of the web service process.
Impact
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H yields a score of 9.1 (Critical).
- Attack Vector (AV:N): The vulnerability is exploitable over the network via the web interface.
- Attack Complexity (AC:L): Low complexity; no advanced conditions or race windows are required.
- Privileges Required (PR:H): The attacker must hold valid administrator credentials. While this limits the attack surface to insider or compromised-admin scenarios, the resulting impact is total.
- User Interaction (UI:N): No victim interaction is needed.
- Scope (S:C): A successful compromise can affect resources beyond the security scope of the vulnerable web component, because arbitrary command execution on the appliance allows lateral movement, traffic interception, and credential harvesting.
- Confidentiality, Integrity, Availability (C:H/I:H/A:H): Full command execution equates to complete compromise of the appliance.
Exploitation Walkthrough
Ethics caveat: This section is intended for defensive analysis and detection engineering only. Do not attempt to exploit this vulnerability against systems you do not own or have explicit authorization to test.
From a defensive perspective, exploitation proceeds as follows:
- Authentication: The attacker authenticates to the appliance's web management interface using valid administrator credentials. This may occur through compromised credentials, credential stuffing, or session hijacking.
- Request crafting: The attacker navigates to a web endpoint that accepts user input and passes that input to a backend shell command. The attacker injects shell metacharacters (for example, semicolons, backticks, or pipe characters) into the request parameters.
- Command execution: The backend application constructs a shell command string that includes the attacker's input. Because the input is not properly escaped or parameterized, the shell interprets the injected metacharacters as command separators, executing the attacker's supplied commands.
- Post-exploitation: With operating-system access, the attacker can read configuration files, extract VPN session cookies, install persistence mechanisms, proxy traffic into the internal network, or move laterally to adjacent infrastructure.
Defenders should focus on hardening admin access, enforcing multi-factor authentication, and monitoring for anomalous command-line activity originating from the appliance process.
Affected and Patched Versions
Affected versions (based on available CPE data):
- Ivanti Connect Secure: 9.0, 9.1 (r1 through r18), 22.1 (r1, r6), 22.2, 22.3 (r1), 22.4 (r1, r2.1), 22.5 (r2.1), 22.6 (r1, r2)
- Ivanti Policy Secure: 9.0, 9.1 (r1 through r18), 22.1 (r1, r6), 22.2 (r1, r3), 22.3 (r1, r3), 22.4 (r1, r2, r2.1), 22.5 (r1, r2.1), 22.6 (r1)
Patched versions are not specified in the available source data. Organizations should consult the Ivanti security advisory referenced below for the latest patched releases and deployment guidance.
Remediation
- Patch immediately: Because this vulnerability is actively exploited (CISA KEV) and carries a near-maximum EPSS score, treat patching as an emergency change. Apply the latest vendor-released firmware for Connect Secure and Policy Secure as soon as it is validated in your environment.
- Compensating controls:
- Restrict administrative access to the management interface to a dedicated, tightly controlled jump host or out-of-band management network.
- Enforce strong, unique administrator credentials and phishing-resistant multi-factor authentication (MFA) for all admin accounts.
- Deploy a Web Application Firewall (WAF) or reverse proxy in front of the management interface with rules that detect common command-injection patterns.
- Disable or remove unused administrative accounts and features.
Detection
- Monitor web server and appliance logs for unusual administrator requests that contain shell metacharacters or unexpected parameter values.
- Correlate endpoint or host-based telemetry from the appliance for anomalous process spawning, unexpected outbound network connections, or file-system modifications initiated by the web service process.
- Review authentication logs for logins from unfamiliar source IPs or atypical times, which may indicate compromised administrator credentials.
- If the appliance supports integrity monitoring, alert on unauthorized changes to system binaries or configuration files.
Assessment
CVE-2024-21887 presents an exceptionally high risk in practice. The EPSS score of 0.99999 places it in the top exploitation probability tier, and its inclusion in the CISA Known Exploited Vulnerabilities catalog with an exploitation start date of 2024-01-10 confirms in-the-wild abuse. When combined with the adjacent authentication-bypass vulnerability CVE-2023-46805, the effective privileges required can drop from "High" to "None," making this a full unauthenticated remote-code-execution chain.
Key lessons:
- Edge appliances are crown-jewel targets. A command-injection flaw in a VPN gateway management interface is not merely a local admin issue; it is a direct path to full network compromise.
- High EPSS + KEV = emergency patching. Waiting for a standard maintenance window is not advisable when exploitation is statistically certain and already observed in the wild. Organizations should have an emergency patch procedure for network-edge devices.
References
- http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html
- https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21887
Frequently asked questions
- What is CVE-2024-21887?
- A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
- How severe is CVE-2024-21887?
- CVE-2024-21887 has a CVSS 3.x base score of 9.1, rated critical severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-21887 being actively exploited?
- Yes. CVE-2024-21887 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-01-10, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-21887?
- CVE-2024-21887 primarily affects Ivanti Connect Secure. In total, 81 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-21887?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-21887 have an EU (EUVD) identifier?
- Yes. CVE-2024-21887 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-19498. It is also flagged as exploited in the EUVD (since 2024-01-10).
- When was CVE-2024-21887 published?
- CVE-2024-21887 was published on 2024-01-12 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html
- https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21887
Affected products (81)
- cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r10:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r11:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r11.3:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r11.4:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r11.5:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r12:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r12.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r13:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r13.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r14:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r15:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r15.2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r16:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r16.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r17:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r17.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r18:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r3:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r4:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r4.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r4.2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r4.3:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r5:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r6:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r7:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r8:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r8.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r8.2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r9:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r9.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.1:r1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.1:r6:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.2:-:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.2:r1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.3:r1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.4:r1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.4:r2.1:*:*:*:*:*:*
More vulnerabilities in Ivanti Connect Secure
- CVE-2021-22893 — Critical (CVSS 10.0): Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the…
- CVE-2019-11510 — Critical (CVSS 10.0): In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an…
- CVE-2016-4787 — Critical (CVSS 10.0): Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote…
- CVE-2025-22467 — Critical (CVSS 9.9): A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker…
- CVE-2024-21894 — Critical (CVSS 9.8): A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows…
- CVE-2018-20813 — Critical (CVSS 9.8): An input validation issue has been found with login_meeting.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R2.
All CVEs affecting Ivanti Connect Secure →
Other CWE-77 (Command Injection) vulnerabilities
- CVE-2026-23652 — Critical (CVSS 10.0): Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an…
- CVE-2025-59818 — Critical (CVSS 10.0): This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying system using the file…
- CVE-2025-64093 — Critical (CVSS 10.0): Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the…
- CVE-2025-64090 — Critical (CVSS 10.0): This vulnerability allows authenticated attackers to execute commands via the hostname of the device.
- CVE-2025-61492 — Critical (CVSS 10.0): A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to…
- CVE-2025-10035 — Critical (CVSS 10.0): A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged…