CVE-2024-21887 vulnerability in Ivanti Products
Published on January 12, 2024

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Vendor Advisory NVD

Known Exploited Vulnerability

This Ivanti Connect Secure and Policy Secure Command Injection Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authenticated bypass issue.

The following remediation steps are recommended / required by January 31, 2024: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2024-21887 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.3 out of four. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

What is a Command Injection Vulnerability?

The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CVE-2024-21887 has been classified to as a Command Injection vulnerability or weakness.

Products Associated with CVE-2024-21887

You can be notified by stack.watch whenever vulnerabilities like CVE-2024-21887 are published in these products:

Ivanti Connect Secure

Ivanti Policy Secure

What versions are vulnerable to CVE-2024-21887?

Ivanti Connect Secure Version 22.1 r1
Ivanti Connect Secure Version 22.2 r1
Ivanti Connect Secure Version 9.1 r16.1
Ivanti Connect Secure Version 9.1 r16
Ivanti Connect Secure Version 9.1 r15
Ivanti Connect Secure Version 9.1 r15.2
Ivanti Connect Secure Version 22.2 -
Ivanti Policy Secure Version 22.2 r1
Ivanti Policy Secure Version 22.1 r1
Ivanti Policy Secure Version 9.1 r15
Ivanti Policy Secure Version 9.1 r16
Ivanti Connect Secure Version 22.5 r2.1
Ivanti Connect Secure Version 22.4 r2.1
Ivanti Connect Secure Version 22.3 r1
Ivanti Connect Secure Version 22.4 r1
Ivanti Connect Secure Version 22.1 r6
Ivanti Connect Secure Version 22.6 -
Ivanti Policy Secure Version 9.1 r13.1
Ivanti Policy Secure Version 9.1 r8.2
Ivanti Policy Secure Version 9.1 r8.1
Ivanti Policy Secure Version 9.1 r4.2
Ivanti Policy Secure Version 9.1 r4.1
Ivanti Policy Secure Version 9.1 r3.1
Ivanti Policy Secure Version 9.1 r1
Ivanti Policy Secure Version 9.1 r2
Ivanti Policy Secure Version 9.1 r3
Ivanti Policy Secure Version 9.1 r4
Ivanti Policy Secure Version 9.1 r5
Ivanti Policy Secure Version 9.1 r6
Ivanti Policy Secure Version 9.1 r7
Ivanti Policy Secure Version 9.1 r8
Ivanti Policy Secure Version 9.1 r9
Ivanti Policy Secure Version 9.1 r10
Ivanti Policy Secure Version 9.1 r11
Ivanti Policy Secure Version 9.1 r12
Ivanti Policy Secure Version 9.1 r13
Ivanti Policy Secure Version 9.1 r14
Ivanti Policy Secure Version 9.1 r17
Ivanti Policy Secure Version 22.3 r3
Ivanti Policy Secure Version 22.6 r1
Ivanti Policy Secure Version 22.5 r1
Ivanti Policy Secure Version 22.4 r1
Ivanti Policy Secure Version 22.3 r1
Ivanti Policy Secure Version 9.1 r18
Ivanti Policy Secure Version 22.1 r6
Ivanti Policy Secure Version 22.2 r3
Ivanti Policy Secure Version 22.4 r2
Ivanti Policy Secure Version 22.4 r2.1
Ivanti Policy Secure Version 22.5 r2.1
Ivanti Connect Secure Version 9.1 r1
Ivanti Connect Secure Version 9.1 r2
Ivanti Connect Secure Version 9.1 r3
Ivanti Connect Secure Version 9.1 r4
Ivanti Connect Secure Version 9.1 r4.1
Ivanti Connect Secure Version 9.1 r4.2
Ivanti Connect Secure Version 9.1 r4.3
Ivanti Connect Secure Version 9.1 r5
Ivanti Connect Secure Version 9.1 r6
Ivanti Connect Secure Version 9.1 r7
Ivanti Connect Secure Version 9.1 r8
Ivanti Connect Secure Version 9.1 r8.1
Ivanti Connect Secure Version 9.1 r8.2
Ivanti Connect Secure Version 9.1 r9
Ivanti Connect Secure Version 9.1 r9.1
Ivanti Connect Secure Version 9.1 r10
Ivanti Connect Secure Version 9.1 r11
Ivanti Connect Secure Version 9.1 r11.3
Ivanti Connect Secure Version 9.1 r11.4
Ivanti Connect Secure Version 9.1 r11.5
Ivanti Connect Secure Version 9.1 r12
Ivanti Connect Secure Version 9.1 r12.1
Ivanti Connect Secure Version 9.1 r13
Ivanti Connect Secure Version 9.1 r13.1
Ivanti Connect Secure Version 9.1 r14
Ivanti Connect Secure Version 9.1 r17
Ivanti Connect Secure Version 9.1 r17.1
Ivanti Connect Secure Version 9.1 r18
Ivanti Connect Secure Version 22.6 r2
Ivanti Connect Secure Version 22.6 r1
Ivanti Connect Secure Version 9.0
Ivanti Policy Secure Version 9.0