CVE-2024-21893

CVE-2024-21893 is a high-severity vulnerability in Ivanti Connect Secure with a CVSS 3.x base score of 8.2. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-01-31). The underlying weakness is classified as CWE-918.

Key facts

Description

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

CVE-2024-21893: SSRF in Ivanti Connect Secure / Policy Secure / Neurons for ZTA SAML Component

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2024-21893
CWE CWE-918 — Server-Side Request Forgery (SSRF)
CVSS v3.1 8.2 (HIGH) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS 0.99999 (99.999th percentile)
KEV Listed — added 2024-01-31
EU Exploited Yes — since 2024-01-31
Published 2024-01-31
Last Modified 2026-06-17

Summary

A server-side request forgery (SSRF) vulnerability exists in the SAML single sign-on (SSO) component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for Zero Trust Access. An unauthenticated remote attacker can manipulate SAML-related requests to coerce the appliance into making outbound requests to attacker-controlled or internal endpoints, thereby gaining access to restricted resources without valid credentials.

Background

Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure are widely deployed SSL-VPN and network access-control appliances used by enterprises to provide remote-access and policy-enforcement capabilities. Ivanti Neurons for Zero Trust Access extends this architecture with cloud-native zero-trust connectivity. The SAML 2.0 SSO integration streamlines authentication by delegating identity verification to an external Identity Provider (IdP). Because the appliance must parse and act on SAML assertions and metadata, any insufficient validation of URLs embedded in SAML messages creates an SSRF surface.

Root Cause

CWE-918 — Server-Side Request Forgery (SSRF).

The SAML processing logic inadequately validates or sanitizes URLs extracted from SAML messages (for example, within AssertionConsumerServiceURL, Destination, or Issuer fields). When the appliance resolves these URLs to fetch metadata, validate signatures, or relay tokens, it performs the request with the appliance's own network privileges. An attacker who can supply a crafted SAML message—either directly or by manipulating the authentication flow—can redirect this server-side request to an arbitrary destination, including internal services, cloud metadata endpoints (e.g., 169.254.169.254), or other restricted resources.

Impact

The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N translates to:

  • Confidentiality Impact: HIGH — The attacker can read sensitive data from internal or restricted endpoints accessible to the appliance.
  • Integrity Impact: LOW — Limited ability to modify data on targeted internal services, depending on what the SSRF channel exposes.
  • Availability Impact: NONE — No direct denial-of-service effect is inherent in the vulnerability itself.
  • Exploitability: Trivial — Network-accessible, low complexity, no privileges or user interaction required.

Combined with an EPSS of 0.99999 and active exploitation confirmed by CISA's KEV catalog and EU vulnerability disclosure, this flaw presents a critical and immediate risk to exposed appliances.

Exploitation Walkthrough (Defensive Perspective)

Ethics caveat: The following description is provided for defensive awareness and detection engineering only. No weaponized exploit code is included.

  1. Reconnaissance: The attacker identifies a publicly reachable Ivanti appliance with SAML SSO enabled (commonly exposed on TCP/443).
  2. SAML Message Injection: The attacker crafts or intercepts a SAML authentication request/response and embeds a malicious URL in a SAML field that the appliance resolves server-side.
  3. Server-Side Request Redirection: The appliance processes the SAML message and issues an HTTP/HTTPS request to the attacker-specified URL instead of the legitimate IdP endpoint.
  4. Data Exfiltration / Lateral Pivot: Depending on the targeted URL, the attacker may retrieve cloud instance metadata (AWS/Azure/GCP IMDS), scan internal subnets, or interact with unauthenticated internal APIs that trust the appliance's network position.

Because no authentication is required to trigger the vulnerable SAML parsing path, this vulnerability is wormable in environments where appliances are internet-facing.

Affected and Patched Versions

The following product lines and version ranges are affected based on CPE data in the NVD record:

  • Ivanti Connect Secure — 9.x (all releases including r1 through r18.2), 21.9, 21.12, 22.1 through 22.6
  • Ivanti Policy Secure — 9.x (all releases including r1 through r18.2), 22.1 through 22.6
  • Ivanti Neurons for Zero Trust Access — all versions through 22.6 (including 22.2, 22.3, 22.4, 22.5, 22.6)

Specific patched version information was not available in the source data at the time of writing. Administrators should consult the Ivanti Security Advisory and apply the latest vendor-recommended patches immediately.

Remediation

  1. Patch Immediately: Apply the latest security patches from Ivanti as soon as they are released. Given KEV status and active exploitation, patching is the highest priority.
  2. Network Segmentation: Restrict management and SAML callback interfaces to trusted IP ranges. Do not expose the SAML endpoint to the open internet unless strictly required.
  3. URL Validation / Allowlisting: If operating a custom IdP integration, enforce strict allowlists for SAML endpoint URLs and reject any unexpected destinations.
  4. Compensating Controls: Deploy a Web Application Firewall (WAF) or reverse proxy with SSRF-specific rules in front of the SAML endpoint. Monitor for anomalous outbound connections from the appliance.
  5. Credential Rotation: If exploitation is suspected, rotate any credentials or tokens accessible from the appliance's network segment (cloud metadata tokens, service accounts, API keys).

Detection

  • Network Monitoring: Alert on unexpected outbound connections originating from Ivanti appliances to internal IP ranges, cloud metadata endpoints (169.254.169.254), or unknown external hosts.
  • SAML Log Analysis: Review SAML request/response logs for unusual AssertionConsumerServiceURL, Destination, or Issuer values that do not match the configured IdP.
  • Endpoint Detection: Monitor the appliance filesystem for unauthorized file reads or writes that may follow successful SSRF exploitation.
  • Threat Intelligence: Correlate appliance IP addresses with known indicators of compromise (IOCs) associated with Ivanti exploitation campaigns (CISA Alert AA24-060A and related advisories).

Assessment

With an EPSS of 0.99999 and confirmed presence on CISA's Known Exploited Vulnerabilities catalog since January 31, 2024, CVE-2024-21893 is not merely theoretical—it is a actively exploited, high-impact SSRF affecting critical remote-access infrastructure. Organizations running unpatched Ivanti appliances face a near-certain risk of compromise if the SAML endpoint is reachable by attackers.

Key lessons:

  1. SSRF in SSO pipelines is high-leverage: Any component that parses external URLs must implement strict validation and deny-by-default behavior.
  2. Internet-facing appliances are prime targets: Remote-access VPNs and zero-trust gateways sit at the perimeter and attract continuous attacker attention; aggressive patch cadences are non-negotiable.

References

Frequently asked questions

What is CVE-2024-21893?
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
How severe is CVE-2024-21893?
CVE-2024-21893 has a CVSS 3.x base score of 8.2, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity low, and availability none.
Is CVE-2024-21893 being actively exploited?
Yes. CVE-2024-21893 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-01-31, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-21893?
CVE-2024-21893 primarily affects Ivanti Connect Secure. In total, 118 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2024-21893?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-21893 have an EU (EUVD) identifier?
Yes. CVE-2024-21893 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-19504. It is also flagged as exploited in the EUVD (since 2024-01-31).
When was CVE-2024-21893 published?
CVE-2024-21893 was published on 2024-01-31 and last updated on 2026-06-17.

References

Affected products (118)

More vulnerabilities in Ivanti Connect Secure

All CVEs affecting Ivanti Connect Secure →

Other CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities

Browse all CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities →