What is Ivanti Connect Secure?
Ivanti Connect Secure (formerly Pulse Connect Secure) is a widely-deployed SSL VPN gateway providing remote access for enterprises and government agencies. It serves as the network access broker for remote workers — all VPN traffic flows through it, making it a high-value target. Connect Secure deployments at major organizations had been targeted since at least 2019 (CVE-2019-11510), and the January 2024 Ivanti crisis represented the most severe wave of exploitation the platform had experienced, with multiple concurrent zero-days used in coordinated global campaigns by China-nexus threat actors.
Overview
CVE-2024-21893 is an unauthenticated server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Gateways. It allows an unauthenticated attacker to reach certain internal resources on the gateway by abusing the SAML endpoint's ability to make server-side HTTP requests. This was the third zero-day disclosed in January 2024 as part of the Ivanti Connect Secure crisis — following CVE-2023-46805 (auth bypass) and CVE-2024-21887 (command injection). CISA issued a 2-day remediation deadline (the shortest in BOD 22-01 history at that time), reflecting the severity of active exploitation.
Affected Versions
| Product | Status |
|---|---|
| Ivanti Connect Secure (ICS) 9.x, 22.x | Patched — apply patches per Ivanti advisory |
| Ivanti Policy Secure | Patched |
| Ivanti Neurons for ZTA Gateways | Patched |
Technical Details
CWE-918 (Server-Side Request Forgery). The SAML authentication component in Ivanti Connect Secure makes outbound HTTP requests as part of SAML identity provider interaction. A flaw in how the SAML endpoint processes external attacker-controlled input allows an unauthenticated request to cause the gateway to make an HTTP request to an attacker-specified internal URL. This allows the attacker to: probe internal network resources not directly accessible from the internet, reach internal APIs or services on the gateway itself, and in some configurations, retrieve authentication tokens or session data from internal endpoints.
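The defensive pattern for CWE-918 is to treat the destination of any request-driven server-side fetch as untrusted: enforce an exact allowlist of the identity-provider hosts the gateway is configured to talk to, and also check the address the name resolves to, since an allowed name could later be pointed at a loopback, link-local or RFC 1918 address. The following Python is an added example, not Ivanti's code and not a description of the patched component; it assumes a hypothetical SAML module that fetches IdP metadata from a URL influenced by request input, and the allowlist, sample hosts and stand-in resolver are constructed so it runs offline. The weak check (`naive_check`) sits beside the hardened one (`validate_outbound_url`) to show what the extra checks reject.

```python
"""Outbound-URL guard for a server-side fetch, illustrating CWE-918 mitigation.

Added example, not Ivanti's code. Assumes a hypothetical SAML module that
fetches identity-provider (IdP) metadata from a request-influenced URL; the
allowlist, sample hosts and resolver below are constructed."""
import ipaddress
from urllib.parse import urlparse

# Constructed: the only IdP host this gateway is configured to contact.
ALLOWED_IDP_HOSTS = {"idp.example.com"}

# Address ranges a request-driven fetch must never reach (loopback, link-local,
# RFC 1918 and their IPv6 counterparts). Extend to taste for a real deployment.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed stand-in for DNS so the example does not touch the network.
FAKE_DNS = {
    "idp.example.com": "203.0.113.10",     # documentation address standing in for a public IdP
    "intranet.example.com": "10.0.0.5",    # an internal host that must stay unreachable
}


def fake_resolve(host):
    """Return the address a name resolves to; numeric hosts resolve to themselves."""
    return FAKE_DNS.get(host, host)


def is_blocked_address(addr):
    """True when addr is unparseable or falls inside a blocked range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # refuse rather than guess
    return any(ip in net for net in BLOCKED_NETWORKS)


def naive_check(url):
    """The weak form: only the scheme is checked, so loopback, link-local and
    intranet hosts all pass."""
    return urlparse(url).scheme == "https"


def validate_outbound_url(url, resolver=fake_resolve):
    """Hardened form. Returns (ok, reason).

    Checks the scheme, an exact host allowlist (so userinfo tricks such as
    https://allowed@internal/ fail, since the parsed hostname is 'internal'),
    and the resolved address, because an allowed name could be repointed."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "scheme must be https"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_IDP_HOSTS:
        return False, f"host {host!r} not in IdP allowlist"
    addr = resolver(host)
    if is_blocked_address(addr):
        return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://idp.example.com/saml/metadata",
              "https://127.0.0.1/api",
              "https://idp.example.com@intranet.example.com/"):
        print(f"{u:50} naive={naive_check(u)} hardened={validate_outbound_url(u)}")
```

In production the resolver would be the real DNS lookup, and the fetch itself should use the validated address rather than re-resolving the name, so that a second lookup cannot return a different answer.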
CVE-2024-21893 was used by China-nexus threat actor UNC5221 in conjunction with the previously-disclosed CVE-2023-46805 and CVE-2024-21887: the auth bypass (46805) + command injection (21887) chain provided initial RCE, while CVE-2024-21893 provided an additional unauthenticated access path for actors who needed an alternative route or who were targeting gateways that had partially mitigated the earlier pair.
Discovery
Identified during Ivanti's investigation of the January 2024 exploitation wave. Volexity, Mandiant, and other incident response firms documented the exploitation of Ivanti Connect Secure at scale across hundreds of organizations — including government agencies, defense contractors, and critical infrastructure operators — by multiple China-nexus threat actors.
Exploitation Context
The January 2024 Ivanti Connect Secure crisis was characterized by: (1) multiple concurrent zero-days disclosed over the span of three weeks, (2) exploitation at unprecedented scale by sophisticated state-sponsored actors, (3) compromised integrity checking tools (ICT) that failed to detect implants installed on compromised gateways, and (4) persistent access maintained even after factory resets due to implants stored in locations not cleared by reset. The 2-day CISA deadline reflected the government's recognition that federal networks were actively being compromised through this attack surface.
Remediation
- Apply all Ivanti Connect Secure patches for CVE-2024-21893 and related vulnerabilities (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888) immediately.
- Run Ivanti's Integrity Checker Tool — but note that Mandiant documented ICS-capable malware that evades the ICT; a negative ICT result does not guarantee a clean system.
- For any gateway that was internet-exposed and unpatched during the January 2024 exploitation window, treat it as compromised: perform a factory reset followed by full reconfiguration, then monitor extensively after return to service.
- Rotate all credentials that were accessible from the gateway: VPN service account passwords, certificates, and any credentials stored in gateway configuration.
- Review all VPN authentication logs from January 2024 onward for unusual connections, impossible travel, or access from unexpected geolocations.
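The last remediation step, reviewing VPN authentication logs from January 2024 onward for unexpected geolocations and impossible travel, can be scripted once the log format is known. The Python below is an added example, not from the page or from Ivanti: the key=value log format, user names, source addresses, country codes, expected-country set and the 4-hour minimum travel gap are all constructed for illustration. It applies two rules to a constructed sample log, a geolocation rule over every attempt and an impossible-travel rule over consecutive successful logins by the same user, and ignores events before the review window.

```python
"""Review of VPN authentication logs for the post-January-2024 window.

Added example, not from the page or Ivanti. The log format, field names,
users, addresses, country codes and thresholds are constructed."""
import re
from datetime import datetime, timedelta

# Constructed log format: one event per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>success|failure)$"
)

# Constructed sample log (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
2023-12-20T09:00:00Z user=alice src=198.51.100.4 country=US result=success
2024-01-12T09:00:00Z user=alice src=198.51.100.4 country=US result=success
2024-01-12T10:15:00Z user=alice src=203.0.113.9 country=RO result=success
2024-01-13T08:30:00Z user=bob src=198.51.100.20 country=CA result=success
2024-01-13T22:30:00Z user=bob src=198.51.100.21 country=US result=success
2024-01-14T03:00:00Z user=svc-backup src=203.0.113.50 country=CN result=failure
""".splitlines()

EXPECTED_COUNTRIES = {"US", "CA"}      # assumed normal locations for this organisation
REVIEW_START = datetime(2024, 1, 1)    # page: review logs from January 2024 onward
MIN_TRAVEL_GAP = timedelta(hours=4)    # assumed minimum plausible time between countries


def parse_events(lines):
    """Yield parsed events as dicts; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield event


def find_anomalies(lines, expected=EXPECTED_COUNTRIES,
                   review_start=REVIEW_START, min_gap=MIN_TRAVEL_GAP):
    """Return (rule, user, timestamp-iso, detail) tuples ordered by user, then time.

    Rules: 'unexpected-geo' for any attempt from a country outside `expected`;
    'impossible-travel' for two successful logins by one user from different
    countries less than `min_gap` apart. Events before `review_start` are ignored."""
    events = sorted(parse_events(lines), key=lambda e: (e["user"], e["ts"]))
    findings = []
    last_success = {}  # user -> most recent successful login inside the window
    for e in events:
        if e["ts"] < review_start:
            continue
        user, ts = e["user"], e["ts"]
        if e["country"] not in expected:
            findings.append(("unexpected-geo", user, ts.isoformat(),
                             f"{e['result']} from {e['country']} ({e['src']})"))
        if e["result"] != "success":
            continue  # failures do not establish a location for the travel rule
        prev = last_success.get(user)
        if prev and prev["country"] != e["country"] and ts - prev["ts"] < min_gap:
            findings.append(("impossible-travel", user, ts.isoformat(),
                             f"{prev['country']} -> {e['country']} within {ts - prev['ts']}"))
        last_success[user] = e
    return findings


if __name__ == "__main__":
    for rule, user, when, detail in find_anomalies(SAMPLE_LOG):
        print(f"{rule:18} {user:12} {when}  {detail}")
```

On the sample log the script flags alice's Romanian login on both rules (it follows a US login by 75 minutes) and the failed Chinese attempt against the service account on the geolocation rule; bob's CA-to-US change 14 hours apart is not flagged. Real deployments would feed the gateway's exported authentication log through `parse_events` with a regex matching that format and tune the country set and gap to the organisation.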
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-21893 |
| Vendor / Product | Ivanti — Connect Secure, Policy Secure, and Neurons |
| NVD Published | 2024-01-31 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 8.2 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| Severity | HIGH |
| CWE | CWE-918 |
| CISA KEV Added | 2024-01-31 |
| CISA KEV Deadline | 2024-02-02 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2024-01-10 | CVE-2023-46805 (auth bypass) and CVE-2024-21887 (command injection) disclosed as actively exploited zero-days |
| 2024-01-31 | CVE-2024-21893 (SSRF) and CVE-2024-21888 (privilege escalation) disclosed; CISA adds both to KEV the same day with 2-day deadline |
| 2024-02-02 | CISA BOD 22-01 remediation deadline — the shortest standard deadline issued |
References
| Resource | Type |
|---|---|
| Ivanti Security Advisory — CVE-2024-21893 and Related Vulnerabilities | Vendor Advisory |
| NVD — CVE-2024-21893 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Volexity — Ivanti Connect Secure VPN Exploitation | Security Research |