Cmd Injection in Ivanti Connect Secure & Policy Secure Web Components
CVE-2024-21887 Published on January 12, 2024
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
Known Exploited Vulnerability
This Ivanti Connect Secure and Policy Secure command injection vulnerability is on CISA's Known Exploited Vulnerabilities (KEV) list. Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products that allows an authenticated administrator to send crafted requests and execute code on affected appliances. The vulnerability can be chained with CVE-2023-46805, an authentication bypass issue; with the authentication requirement bypassed, the command injection becomes reachable by an unauthenticated attacker.
CISA's required remediation, due by January 31, 2024: apply mitigations per vendor instructions, or discontinue use of the product if mitigations are unavailable.
Weakness Type
What is a Command Injection Vulnerability?
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CVE-2024-21887 has been classified as a Command Injection vulnerability (CWE-77).
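To make the weakness concrete, here is an added example (not Ivanti's code and not an exploit for this CVE): a request handler that concatenates a request field into a shell command, beside a hardened version that allow-lists the value and passes it as a single argv element with no shell involved. The `host` field, the hostname regex, and the use of `echo` in place of a real network tool (so the example runs offline) are assumptions for illustration; the constructed payload shows how one shell metacharacter turns data into a second command.

```python
"""Command injection (CWE-77): a shell-string handler beside a hardened one.

Added example, not Ivanti's code. `host` stands in for any request field
that ends up inside a command built by the application.
"""
import re
import subprocess
from typing import List

# Allow-list for a plain hostname (assumption for this example; a real
# validator should match the grammar of the field actually being accepted).
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def build_command_vulnerable(host: str) -> str:
    """Builds the command the way weak code does: string concatenation with
    no neutralisation of special elements. `echo` stands in for the real
    tool so the example runs offline."""
    return f"echo probing {host}"


def run_vulnerable(host: str) -> str:
    """Runs the concatenated string through /bin/sh. Metacharacters in `host`
    (; | && $() and backticks) are parsed as shell syntax, so the caller
    controls what gets executed, not just the argument."""
    proc = subprocess.run(build_command_vulnerable(host), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_hardened(host: str) -> str:
    """Rejects anything that is not a plain hostname, then passes the value
    as one argv element with shell=False. No shell ever sees the string, so
    it can only be data to the program, never a second command."""
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    argv: List[str] = ["echo", "probing", host]
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return proc.stdout


def injected(output: str) -> bool:
    """True if the marker command appended by the payload actually ran."""
    return "INJECTED" in output.splitlines()


# Constructed payload: a legitimate-looking host followed by a second command.
PAYLOAD = "example.com; echo INJECTED"

if __name__ == "__main__":
    print(run_vulnerable(PAYLOAD), end="")   # second output line is INJECTED
    try:
        run_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened handler:", exc)
    print(run_hardened("example.com"), end="")
```

The check that matters during review is the shape of the call, not the validator: any code path that builds a command string from request data and hands it to a shell is injectable regardless of how clever the filtering is, whereas an argv list with `shell=False` removes the shell from the path entirely. If a shell is unavoidable, `shlex.quote()` on each value is the fallback, but the allow-list should stay in front of it.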
Affected Versions
Ivanti Connect Secure (ICS):
- 9.x releases up to and including 9.1R18
- 22.x releases up to and including 22.6R2
Ivanti Policy Secure:
- 9.x releases up to and including 9.1R18
- 22.x releases up to and including 22.6R1
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.