What is Ivanti Connect Secure?
Ivanti Connect Secure (ICS, formerly Pulse Secure) is one of the most widely deployed SSL-VPN platforms globally, used by enterprises, governments, critical infrastructure operators, and defense organizations to provide remote network access. ICS appliances sit at the network perimeter and process all remote access traffic, making them prime targets for nation-state actors who want persistent network access. A compromised ICS appliance allows attackers to intercept VPN traffic, harvest credentials, and move laterally into the internal network. ICS has been repeatedly targeted by Chinese APT actors — CVE-2019-11510, CVE-2021-22893, and now CVE-2023-46805/CVE-2024-21887.
Overview
CVE-2024-21887 is a command injection vulnerability (CWE-77) in the web components of Ivanti Connect Secure and Ivanti Policy Secure. On its own it requires an authenticated administrator. Chained with CVE-2023-46805, an authentication bypass in the same web components, it yields unauthenticated remote code execution: the bypass removes the authentication requirement, and the injection supplies the code execution. The chain was exploited as a zero-day by the suspected Chinese state-sponsored group UNC5221 before Ivanti was aware of the vulnerabilities. Volexity detected the exploitation in December 2023 and reported it to Ivanti; public disclosure followed on January 10, 2024, when Ivanti released its advisory and mitigation, and CISA added both CVEs to the KEV catalog the same day with a January 22 deadline, one of the shortest in KEV history.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Ivanti Connect Secure | 9.x, 22.x | 22.3R2.1, 22.4R2.2, 22.5R1.1, 22.5R2.2, 22.6R2.3+ |
| Ivanti Policy Secure | 9.x, 22.x | 22.4R2.2, 22.5R1.1, 22.6R1.1+ |
Initial mitigation (January 10, 2024): before patches were available, Ivanti released a mitigation delivered as an XML file imported through the admin console, which blocked the request paths used by the exploit chain. It is a stopgap: it prevents new exploitation of these two CVEs but does not remove implants from an appliance that was already compromised, so it has to be paired with the Integrity Checker Tool and the remediation steps below.
Technical Details
CVE-2023-46805 (Authentication Bypass): The web component exempts certain URL paths from authentication and evaluates that exemption before the request path is fully normalized. A crafted path that begins with an exempt prefix but traverses out of it is dispatched to an endpoint that should have required an administrator session, so an unauthenticated attacker can call protected REST API endpoints without credentials.
CVE-2024-21887 (Command Injection): In the web management interface, specifically in an endpoint reachable only by authenticated administrators, a user-supplied parameter is spliced into an OS command without neutralizing shell metacharacters (CWE-77). An authenticated attacker can append further shell commands, which run on the underlying Linux-based ICS appliance.
Combined exploit chain:
- Attacker uses CVE-2023-46805 to bypass authentication and reach the admin-only command injection endpoint
- Injects OS commands via CVE-2024-21887
- Commands execute as root on the ICS appliance
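The two bug classes behind the chain, modelled as an added example written for this page (not Ivanti code): the exempt prefix, the admin endpoint name, and the `echo` standing in for whatever command the real endpoint builds are all assumptions. It runs the full chain against a toy server, then shows that the fixed checks stop it at the first step and, for an attacker who does hold a session, at the second.

```python
"""Toy model of the two bug classes in the chain.

Added example, not Ivanti code: the exempt prefix, the endpoint name and the
'echo' standing in for the real command are assumptions.
"""
import posixpath
import re
import subprocess
from urllib.parse import unquote

# Assumption: one prefix is reachable without a session; all else is admin-only.
EXEMPT_PREFIX = "/api/v1/public/"
ADMIN_ENDPOINT = "/api/v1/admin/node-check"   # assumed admin-only endpoint


def resolved_path(raw_path: str) -> str:
    """The path the router dispatches on: percent-decoded, '..' segments resolved."""
    return posixpath.normpath(unquote(raw_path))


def is_authorized_vulnerable(raw_path: str, has_session: bool) -> bool:
    """Bug class of CVE-2023-46805: exemption matched on the raw prefix, while
    dispatch uses the resolved path, so '/exempt/../admin/x' is let through."""
    return raw_path.startswith(EXEMPT_PREFIX) or has_session


def is_authorized_fixed(raw_path: str, has_session: bool) -> bool:
    """Fix: evaluate the exemption on the same canonical path the router uses."""
    path = resolved_path(raw_path)
    exempt = path == EXEMPT_PREFIX.rstrip("/") or path.startswith(EXEMPT_PREFIX)
    return exempt or has_session


def run_check_vulnerable(node: str) -> str:
    """Bug class of CVE-2024-21887: a request parameter spliced into a shell
    command line. Whatever follows ';' runs as a second command."""
    return subprocess.run(f"echo checking {node}", shell=True,
                          capture_output=True, text=True).stdout


def run_check_fixed(node: str) -> str:
    """Fix: allowlist the value, then pass argv without a shell so that
    metacharacters are data, not syntax."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", node):
        raise ValueError(f"rejected node name: {node!r}")
    return subprocess.run(["echo", "checking", node],
                          capture_output=True, text=True).stdout


def handle_request(raw_path: str, node: str, has_session: bool, fixed: bool) -> str:
    """Minimal server: auth check, route, then the node-check handler.
    Returns the command output, or an HTTP status code as a string."""
    authorize = is_authorized_fixed if fixed else is_authorized_vulnerable
    if not authorize(raw_path, has_session):
        return "401"
    if resolved_path(raw_path) != ADMIN_ENDPOINT:
        return "404"
    try:
        return (run_check_fixed if fixed else run_check_vulnerable)(node)
    except ValueError:
        return "400"


if __name__ == "__main__":
    # Unauthenticated request tunnelled through the exempt prefix, carrying a
    # shell payload in the parameter: the whole chain in one call.
    chain = ("/api/v1/public/../admin/node-check", "n1; echo INJECTED", False)
    print("vulnerable:", repr(handle_request(*chain, fixed=False)))
    print("fixed:     ", repr(handle_request(*chain, fixed=True)))
```

The point of `is_authorized_fixed` is not the extra `normpath` call but that the authorization decision and the routing decision are made on the same string; any middleware that decides on one representation and dispatches on another has this bug class regardless of how the exemption list is written. Likewise, `run_check_fixed` relies on argv plus an allowlist, not on escaping, because escaping has to be right for every shell the appliance might invoke.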
UNC5221 implants deployed post-exploitation:
- LIGHTWIRE: A web shell written in Perl embedded in the ICS web server
- ZIPLINE: A passive backdoor that hooks network functions to intercept specific traffic patterns
- THINSPOOL: A dropper that writes LIGHTWIRE to disk and establishes persistence
- WIREFIRE: A Python-based web shell
These implants were embedded in legitimate ICS files so that they would survive routine in-place system upgrades, which indicates an operator with detailed knowledge of the appliance's internals. Upgrading a compromised appliance in place therefore does not clean it; see Remediation.
Discovery
Volexity detected the intrusion in December 2023 while investigating suspicious lateral movement on a customer's network, traced it back to the customer's ICS appliance, and reported the zero-day exploitation by UNC5221 to Ivanti. Mandiant independently confirmed the campaign. Ivanti, Volexity, and Mandiant published coordinated disclosures on January 10, 2024.
Exploitation Context
UNC5221 (assessed by Mandiant as a suspected China-nexus espionage actor) exploited the chain as a zero-day before any patch or public knowledge existed. Mass opportunistic exploitation by other threat actors followed the January 10 public disclosure, with thousands of ICS appliances targeted globally. CISA issued Emergency Directive 24-01 on January 19, 2024, one of the rare cases where CISA issues an ED rather than only a KEV listing, requiring all federal civilian agencies to apply the mitigation within days, by January 22; a January 31 supplemental direction then ordered agencies to disconnect all affected appliances, with reconnection allowed only after a reset and patch.
By mid-January 2024, Volexity's internet-wide scanning had identified more than 1,700 compromised ICS appliances, with victims including government agencies, defense contractors, banks, and telecommunications providers across the US, Europe, and Asia-Pacific.
Remediation
- Apply Ivanti Connect Secure patches per the official Ivanti KB article. Patches were released in stages, starting January 31, 2024, so check the KB for the fixed build of each version line rather than assuming the first release covered yours.
- Run Ivanti's Integrity Checker Tool (ICT) on all ICS appliances to detect post-exploitation artifacts; Ivanti published an updated ICT for this campaign. Prefer the external ICT over the built-in one, since a tool that runs on a compromised appliance can itself be tampered with, and treat a clean result as one signal rather than proof of a clean box.
- Perform a factory reset before applying the patch if exploitation is suspected: the UNC5221 implants were built to survive in-place upgrades. Treat the reset as necessary rather than sufficient, since CISA later reported lab testing in which root-level persistence survived a factory reset, and confirm the rebuilt appliance with the ICT before returning it to service.
- Rotate all credentials stored in or transmitted through ICS: VPN user passwords, SAML/LDAP credentials, RADIUS secrets, and any credentials used by services connected through the VPN.
- Revoke and reissue certificates associated with the ICS appliance.
- Monitor for the specific implant indicators published by Volexity and Mandiant (file hashes, web shell paths, C2 domains).
- Implement network monitoring to detect lateral movement from VPN-connected hosts post-compromise.
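A generic hunt for chain-style requests in exported web access logs, as an added example that is not Ivanti tooling and is not the Volexity or Mandiant indicator set: the combined-log field layout and the sample lines are constructed, and the two traits it flags (a `..` segment after percent-decoding, and shell metacharacters in the path) follow from the bug classes described under Technical Details rather than from any published signature. Adapt the regex to the appliance's actual log export before using it.

```python
"""Hunt for chain-style requests in exported web access logs.

Added example: not Ivanti tooling and not a Volexity/Mandiant indicator set.
The combined-log field layout and the sample lines are constructed.
"""
import posixpath
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SHELL_META = re.compile(r"[;|&`$]")

# Constructed sample: one login page hit, one legitimate API call, and two
# requests with the traits of the bypass-plus-injection chain.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:03:12:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2024:03:12:05 +0000] "GET /api/v1/public/ping HTTP/1.1" 200 17
198.51.100.23 - - [10/Jan/2024:03:14:40 +0000] "GET /api/v1/public/../admin/node-check/;id HTTP/1.1" 200 244
198.51.100.23 - - [10/Jan/2024:03:14:42 +0000] "GET /api/v1/public/%2e%2e/admin/status HTTP/1.1" 200 301
"""


def request_traits(raw_path: str) -> list:
    """Traits worth flagging, evaluated on the percent-decoded path so that
    encoded '..' and ';' are not missed."""
    decoded = unquote(raw_path)
    traits = []
    if "/../" in decoded or decoded.endswith("/.."):
        traits.append("traversal")
    if SHELL_META.search(decoded):
        traits.append("shell-metachar")
    return traits


def hunt(log_text: str) -> list:
    """Return one record per flagged line, including the path the server
    would actually have resolved, which is what triage needs to see."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw_path = m["target"].split("?", 1)[0]
        traits = request_traits(raw_path)
        if traits:
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                "raw": raw_path,
                "resolved": posixpath.normpath(unquote(raw_path)),
                "traits": traits,
            })
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["status"], h["resolved"], h["traits"])
```

A 200 response on a flagged line is the case to escalate: a traversal that reached a protected endpoint is exactly the success condition of the bypass, and the `resolved` field tells you which endpoint that was.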
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-21887 |
| Vendor / Product | Ivanti — Connect Secure and Policy Secure |
| NVD Published | 2024-01-12 |
| NVD Last Modified | 2025-10-31 |
| CVSS 3.1 Score | 9.1 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-77 (Command Injection) |
| CISA KEV Added | 2024-01-10 |
| CISA KEV Deadline | 2024-01-22 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2023-12 | Volexity detects suspicious lateral movement at a customer, traces it to a compromised ICS appliance, and reports the exploitation to Ivanti |
| 2024-01-10 | Ivanti publishes its advisory and XML mitigation; Volexity and Mandiant publish research on active zero-day exploitation by UNC5221; CISA adds CVE-2023-46805 and CVE-2024-21887 to KEV |
| 2024-01-12 | NVD publishes CVE-2024-21887 |
| 2024-01-19 | CISA issues Emergency Directive 24-01 |
| 2024-01-22 | KEV remediation deadline under BOD 22-01 and ED 24-01 mitigation deadline |
| 2024-01-31 | CISA supplemental direction orders federal agencies to disconnect affected appliances; Ivanti releases the first patches, with further version lines patched in later releases |
References
| Resource | Type |
|---|---|
| Ivanti KB — CVE-2023-46805 and CVE-2024-21887 | Vendor Advisory |
| NVD — CVE-2024-21887 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Volexity — Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN | Security Research |
| Mandiant — Suspected APT Targets Ivanti Zero-Day Vulnerabilities | Security Research |