What is Ivanti Connect Secure?
Ivanti Connect Secure (formerly Pulse Connect Secure) and Ivanti Policy Secure are SSL VPN gateways used by thousands of organizations worldwide — enterprises, government agencies, critical infrastructure operators — to provide secure remote access to internal networks and applications. As internet-facing VPN gateways, they handle authentication for all remote users and are always accessible from the internet. Compromising a VPN gateway provides an attacker with authenticated access to the internal network, VPN user credentials, and often the ability to impersonate legitimate users. Ivanti Connect Secure was the most heavily exploited VPN product of 2024, with multiple zero-day vulnerabilities disclosed throughout the year.
Overview
CVE-2023-46805 is a critical zero-day authentication bypass vulnerability in Ivanti Connect Secure and Policy Secure gateways, discovered being actively exploited by Chinese nation-state actors (UNC5221) before Ivanti had a patch. The vulnerability allows an unauthenticated attacker to bypass authentication on the web component and access restricted resources. When chained with CVE-2024-21887 (a command injection vulnerability in the same product), the combined exploit achieves pre-authentication remote code execution on the gateway. Ivanti disclosed both zero-days on January 10, 2024; CISA issued Emergency Directive ED-24-01 requiring immediate action from federal agencies; and Mandiant estimated more than 1,700 devices were already compromised by the time patches were released in February 2024.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Ivanti Connect Secure | All supported versions | 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, 22.5R2.2, 22.5R3.1, 22.6R1.3, 22.6R2.3 |
| Ivanti Policy Secure | All supported versions | 9.1R17.2, 22.5R1.1, 22.6R1.2 |
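As an added example (not Ivanti's tooling or part of the original page), a small inventory check that maps a gateway's reported version string onto the fixed builds in the table above. It assumes the MAJOR.MINORrRELEASE[.PATCH] version scheme the table uses, and deliberately reports any branch without a listed fixed build as unpatched, since the table states that all supported versions are vulnerable:

```python
import re

# Fixed builds from the affected-versions table on this page.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": ["9.1R14.4", "9.1R17.2", "9.1R18.3", "22.4R2.2", "22.5R1.1",
                              "22.5R2.2", "22.5R3.1", "22.6R1.3", "22.6R2.3"],
    "Ivanti Policy Secure": ["9.1R17.2", "22.5R1.1", "22.6R1.2"],
}

# Version scheme as it appears in the table: MAJOR.MINOR R RELEASE [. PATCH], e.g. 22.5R2.2 (assumed).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(version):
    """Split a version string into (branch, patch); a missing patch number counts as 0."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, release, patch = match.groups()
    return f"{major}.{minor}R{release}", int(patch or 0)

def is_patched(product, version):
    """True only if the version sits on a branch with a listed fix, at or above the fixed patch level.

    Any other branch is reported as unpatched: the table says all supported versions are
    vulnerable and only the listed builds carry the fix, so a branch with no fixed build
    (e.g. 9.1R15.x) must be upgraded to a fixed branch rather than treated as safe.
    """
    branch, patch = parse_version(version)
    fixed_levels = dict(parse_version(fixed) for fixed in FIXED_VERSIONS[product])
    return branch in fixed_levels and patch >= fixed_levels[branch]

def triage_inventory(inventory):
    """inventory: iterable of (hostname, product, version). Returns hostnames still needing the fix."""
    return [host for host, product, version in inventory if not is_patched(product, version)]

if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    inventory = [("vpn-a", "Ivanti Connect Secure", "22.5R2.1"),
                 ("vpn-b", "Ivanti Connect Secure", "22.6R2.3"),
                 ("nac-a", "Ivanti Policy Secure", "9.1R15.2")]
    print(triage_inventory(inventory))  # ['vpn-a', 'nac-a']
```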
Technical Details
CWE-287 (Improper Authentication). Ivanti Connect Secure's web component includes API endpoints accessible to end users and administrators. A flaw in the authentication handling of certain API paths allows an unauthenticated attacker to bypass the authentication check and access resources that should require a valid session. The bypass targets specific URL paths whose access control is not enforced consistently with the rest of the application.
The two-CVE exploitation chain:
- CVE-2023-46805: Bypass authentication to access a restricted API endpoint without credentials — the bypass returns data accessible only to authenticated users, confirming the control plane is reachable without auth.
- CVE-2024-21887: Use the authenticated API access obtained via the bypass to reach a command injection endpoint in the web component, injecting OS commands that execute on the underlying Linux system as root.
The combined result is pre-authentication RCE as root on the Ivanti gateway, enabling web shell deployment, credential harvesting from the VPN's authentication database, and lateral movement into the protected network.
Discovery
Discovered by Volexity threat intelligence researchers, who identified the zero-day exploitation by UNC5221 — a China-nexus threat actor — and reported it to Ivanti. Volexity's subsequent analysis documented the full exploitation methodology and attribution.
Exploitation Context
UNC5221 (also tracked by other vendors as a China-nexus initial access group) exploited CVE-2023-46805 and CVE-2024-21887 as zero-days starting in December 2023, primarily targeting government agencies, defense industrial base organizations, telecommunications companies, and financial sector organizations globally.
The exploitation was notable for its scale and sophistication:
- Attackers deployed multiple malware families including LIGHTWIRE (web shell), WIREFIRE (web shell), and FRAMESTING on compromised gateways
- CISA's February 2024 advisory noted that the Ivanti Integrity Checker Tool (ICT) — Ivanti's own detection mechanism — was being subverted by attackers, providing false negatives
- Mandiant estimated over 1,700 unique Ivanti Connect Secure (ICS) devices were compromised before the patch was available
- Even after patching, CISA warned that prior credential harvesting meant organizations needed to treat all VPN credentials as potentially compromised
The 12-day window from the earliest observed exploitation (late December 2023) to disclosure (January 10, 2024) reflects UNC5221's operational tempo for zero-day campaigns.
Remediation
- Apply Ivanti patches for CVE-2023-46805 and CVE-2024-21887 — both are required; neither alone stops the combined exploit chain.
- Apply mitigations per Ivanti's advisory immediately if patching is not yet possible — Ivanti released a mitigation XML file that can be imported before patches are available.
- Run the Ivanti Integrity Checker Tool (ICT) — but note that CISA documented cases where the ICT returned clean results on compromised devices; a clean ICT result is not definitive.
- Treat all VPN user credentials as potentially compromised — reset passwords, revoke and reissue certificates, and rotate API keys for all accounts that authenticated through affected gateways.
- Review VPN access logs for unusual authentication patterns, API requests to unexpected endpoints, or connections from unexpected source IPs during the December 2023–February 2024 window.
- Investigate lateral movement: audit internal systems accessed via VPN sessions during the exposure period, particularly from unusual source IP addresses or at unusual times.
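The log review and credential-reset steps above, as an added example that is not part of the original page or of any Ivanti tooling. It runs over a constructed key=value access log (not Ivanti's real log format), flags two patterns the page describes, a 200 response on a restricted API path with no session and a successful login from outside the expected source networks, and collects every account that authenticated during the December 2023 to February 2024 window into a reset list; the expected networks and public API prefixes are assumptions:

```python
import ipaddress
from datetime import datetime, timezone

# Exposure window named on this page: earliest exploitation (December 2023) to first patches (February 2024).
WINDOW_START = datetime(2023, 12, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 2, 29, 23, 59, 59, tzinfo=timezone.utc)
# Networks remote users are expected to connect from (assumed for this example).
EXPECTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# API paths an unauthenticated client may legitimately reach (assumed for this example).
PUBLIC_API_PREFIXES = ("/api/v1/health",)

# Constructed key=value access log for this example; this is NOT Ivanti's real log format.
SAMPLE_LOGS = """\
2024-01-05T03:12:44Z src=203.0.113.7 user=- event=request path=/api/v1/system/status status=200 session=none
2024-01-05T03:12:50Z src=203.0.113.7 user=- event=request path=/api/v1/health status=200 session=none
2024-01-05T09:01:10Z src=198.51.100.23 user=alice event=login status=200 session=s1
2024-01-05T09:01:12Z src=198.51.100.23 user=alice event=request path=/api/v1/system/status status=200 session=s1
2024-01-06T22:40:03Z src=203.0.113.9 user=bob event=login status=200 session=s2
2024-03-10T10:00:00Z src=203.0.113.9 user=carol event=login status=200 session=s3
"""

def parse_line(line):
    """Turn one 'TIMESTAMP key=value ...' line into a dict with a UTC datetime under 'ts'."""
    timestamp, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields

def review_logs(text):
    """Return (findings, users_to_reset) for events inside the exposure window; findings are
    (timestamp, subject, reason) tuples, users_to_reset is every account that logged in."""
    findings, users_to_reset = [], set()
    for line in text.splitlines():
        ev = parse_line(line)
        if not WINDOW_START <= ev["ts"] <= WINDOW_END:
            continue
        src = ipaddress.ip_address(ev["src"])
        unexpected_src = not any(src in net for net in EXPECTED_NETS)
        if ev["event"] == "login" and ev["status"] == "200":
            users_to_reset.add(ev["user"])  # reset regardless of whether anything else looks odd
            if unexpected_src:
                findings.append((ev["ts"], ev["user"], "successful login from unexpected source network"))
        elif (ev["event"] == "request" and ev["status"] == "200" and ev["session"] == "none"
              and ev["path"].startswith("/api/") and not ev["path"].startswith(PUBLIC_API_PREFIXES)):
            # A 200 on a restricted API path with no session is the trace an auth bypass leaves behind.
            findings.append((ev["ts"], ev["src"], f"restricted API path reached without a session: {ev['path']}"))
    return findings, users_to_reset
```

Accounts that authenticated but produced no finding (alice in the sample) still land in the reset list, matching the page's guidance that a quiet log does not clear a credential.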
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-46805 |
| Vendor / Product | Ivanti — Connect Secure and Policy Secure |
| NVD Published | 2024-01-12 |
| NVD Last Modified | 2025-10-31 |
| CVSS 3.1 Score | 8.2 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| Severity | HIGH |
| CWE | CWE-287 |
| CISA KEV Added | 2024-01-10 |
| CISA KEV Deadline | 2024-01-22 |
| Known Ransomware Use | Yes |
Timeline
| Date | Event |
|---|---|
| 2024-01-10 | Ivanti discloses CVE-2023-46805 and CVE-2024-21887 as zero-days under active exploitation; CISA adds both to KEV same day |
| 2024-01-12 | Volexity publishes analysis attributing exploitation to UNC5221 (China-nexus); Ivanti releases mitigation XML workaround |
| 2024-01-19 | CISA issues Emergency Directive ED-24-01 requiring federal agencies to disconnect or apply mitigations immediately |
| 2024-01-22 | CISA BOD 22-01 remediation deadline |
| 2024-02-01 | Ivanti releases first patches; Mandiant estimates over 1,700 devices already compromised globally at this point |
| 2024-02-29 | CISA reports that even patched Ivanti devices may have had credentials and sensitive data harvested prior to patching — recommends full credential reset |
References
| Resource | Type |
|---|---|
| Ivanti Security Advisory — CVE-2023-46805 and CVE-2024-21887 | Vendor Advisory |
| NVD — CVE-2023-46805 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |