Ivanti Connect Secure: New vulnerabilities CVE-2024-21888 and CVE-2024-21893 patched

Security issues in Ivanti products are ongoing. In January 2024, the vendor had to disclose two new security vulnerabilities in Ivanti Connect Secure: CVE-2024-21888 (privilege escalation to admin) and CVE-2024-21893 (SSRF to access "restricted resources"). So far, there have only been mitigation measures, but Ivanti released security updates a few hours ago.


In January 2024, I had several articles on vulnerabilities in Ivanti VPN appliances in the blog and also reported that they were being attacked (see my German blog post Massive Angriffswelle auf Ivanti VPN-Appliances; Warnung, Konfigurations-Pushes kann Härtungsmaßnahmen gefährden). New vulnerabilities CVE-2024-21888 and CVE-2024-21893 have now become known in Ivanti Connect Secure.

Ivanti Connect Secure: CVE-2024-21888 and CVE-2024-21893

I came across this via the above tweet from Will Dormann. Ivanti Connect Secure provides an SSL VPN solution for remote and mobile users to access corporate resources from any web-enabled device. Ivanti has updated the support article KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways (originally dated January 10, 2024) as of January 31, 2024.

Vulnerabilities were discovered in the Ivanti Connect Secure (ICS) (formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways and disclosed in early January 2024. These vulnerabilities affect all supported versions, i.e. versions 9.x and 22.x.

By exploiting CVE-2024-21887 in conjunction with CVE-2023-46805, attackers could bypass authentication, craft malicious requests and execute arbitrary commands on the system. The restrictions for exploiting this vulnerability are mentioned in the Ivanti support article. A patch for the affected Ivanti products still in support was released on January 31, 2024. Administrators of affected Ivanti products can find details in the relevant support article. CISA has instructed US authorities to decommission Ivanti Connect Secure (ICS) by February 3, 2024.

