CVE-2023-46805 vulnerability in Ivanti Products
Published on January 12, 2024

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Vendor Advisory NVD

Known Exploited Vulnerability

This Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability.

The following remediation steps are recommended / required by January 31, 2024: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2023-46805 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.

What is an authentification Vulnerability?

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

CVE-2023-46805 has been classified to as an authentification vulnerability or weakness.

Products Associated with CVE-2023-46805

You can be notified by stack.watch whenever vulnerabilities like CVE-2023-46805 are published in these products:

Ivanti Connect Secure

Ivanti Policy Secure

What versions are vulnerable to CVE-2023-46805?

Ivanti Connect Secure Version 22.1 r1
Ivanti Connect Secure Version 22.2 r1
Ivanti Connect Secure Version 9.1 r16.1
Ivanti Connect Secure Version 9.1 r16
Ivanti Connect Secure Version 9.1 r15
Ivanti Connect Secure Version 9.1 r15.2
Ivanti Connect Secure Version 22.2 -
Ivanti Policy Secure Version 22.2 r1
Ivanti Policy Secure Version 22.1 r1
Ivanti Policy Secure Version 9.1 r15
Ivanti Policy Secure Version 9.1 r16
Ivanti Connect Secure Version 22.5 r2.1
Ivanti Connect Secure Version 22.4 r2.1
Ivanti Connect Secure Version 22.3 r1
Ivanti Connect Secure Version 22.4 r1
Ivanti Connect Secure Version 22.1 r6
Ivanti Connect Secure Version 22.6 -
Ivanti Policy Secure Version 9.1 r13.1
Ivanti Policy Secure Version 9.1 r8.2
Ivanti Policy Secure Version 9.1 r8.1
Ivanti Policy Secure Version 9.1 r4.2
Ivanti Policy Secure Version 9.1 r4.1
Ivanti Policy Secure Version 9.1 r3.1
Ivanti Policy Secure Version 9.1 r1
Ivanti Policy Secure Version 9.1 r2
Ivanti Policy Secure Version 9.1 r3
Ivanti Policy Secure Version 9.1 r4
Ivanti Policy Secure Version 9.1 r5
Ivanti Policy Secure Version 9.1 r6
Ivanti Policy Secure Version 9.1 r7
Ivanti Policy Secure Version 9.1 r8
Ivanti Policy Secure Version 9.1 r9
Ivanti Policy Secure Version 9.1 r10
Ivanti Policy Secure Version 9.1 r11
Ivanti Policy Secure Version 9.1 r12
Ivanti Policy Secure Version 9.1 r13
Ivanti Policy Secure Version 9.1 r14
Ivanti Policy Secure Version 9.1 r17
Ivanti Policy Secure Version 22.3 r3
Ivanti Policy Secure Version 22.6 r1
Ivanti Policy Secure Version 22.5 r1
Ivanti Policy Secure Version 22.4 r1
Ivanti Policy Secure Version 22.3 r1
Ivanti Policy Secure Version 9.1 r18
Ivanti Policy Secure Version 22.1 r6
Ivanti Policy Secure Version 22.2 r3
Ivanti Policy Secure Version 22.4 r2
Ivanti Policy Secure Version 22.4 r2.1
Ivanti Policy Secure Version 22.5 r2.1
Ivanti Connect Secure Version 9.1 r1
Ivanti Connect Secure Version 9.1 r2
Ivanti Connect Secure Version 9.1 r3
Ivanti Connect Secure Version 9.1 r4
Ivanti Connect Secure Version 9.1 r4.1
Ivanti Connect Secure Version 9.1 r4.2
Ivanti Connect Secure Version 9.1 r4.3
Ivanti Connect Secure Version 9.1 r5
Ivanti Connect Secure Version 9.1 r6
Ivanti Connect Secure Version 9.1 r7
Ivanti Connect Secure Version 9.1 r8
Ivanti Connect Secure Version 9.1 r8.1
Ivanti Connect Secure Version 9.1 r8.2
Ivanti Connect Secure Version 9.1 r9
Ivanti Connect Secure Version 9.1 r9.1
Ivanti Connect Secure Version 9.1 r10
Ivanti Connect Secure Version 9.1 r11
Ivanti Connect Secure Version 9.1 r11.3
Ivanti Connect Secure Version 9.1 r11.4
Ivanti Connect Secure Version 9.1 r11.5
Ivanti Connect Secure Version 9.1 r12
Ivanti Connect Secure Version 9.1 r12.1
Ivanti Connect Secure Version 9.1 r13
Ivanti Connect Secure Version 9.1 r13.1
Ivanti Connect Secure Version 9.1 r14
Ivanti Connect Secure Version 9.1 r17
Ivanti Connect Secure Version 9.1 r17.1
Ivanti Connect Secure Version 9.1 r18
Ivanti Connect Secure Version 22.6 r2
Ivanti Connect Secure Version 22.6 r1
Ivanti Connect Secure Version 9.0
Ivanti Policy Secure Version 9.0