CVE-2024-21887

Ivanti Connect Secure Authenticated Command Injection (Chained with CVE-2023-46805)

CVE-2024-21887 is a critical (CVSS 9.1) command injection vulnerability in the web components of Ivanti Connect Secure (formerly Pulse Connect Secure) and Ivanti Policy Secure. An authenticated administrator can send specially crafted requests to web endpoints to execute arbitrary commands on the appliance. Chained with CVE-2023-46805 (authentication bypass, CVSS 8.2), which lets an unauthenticated request reach those endpoints, the pair gives unauthenticated remote code execution on the appliance. The chain was exploited as a zero-day by the China-nexus actor UNC5221 (tracked by Volexity as UTA0178) against defence, government, financial, and telecom organisations worldwide. CISA Emergency Directive 24-01 required mitigation by January 22, 2024. Because Connect Secure appliances sit at the network edge as remote-access infrastructure for SMBs and enterprises, a compromised device gives the actor an authenticated foothold inside the network, which makes this a high-priority detection target. One caveat for responders: UNC5221 was observed tampering with the appliance's built-in Integrity Checker Tool, so verify a suspect appliance with Ivanti's external ICT run from a clean host rather than trusting results reported by the appliance itself.
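The request shape of the chain is what web-log detection keys on, so the following is an added example (not code from this detection page) that runs the same logic offline in Python: it URL-decodes each request path, collapses the "/../" segments so a traversal is matched against the endpoint it actually reaches, and then checks for shell metacharacters in the path parameter. The endpoint paths are taken from public analyses of the chain and are assumptions of this example rather than anything stated on the page; the log lines are constructed in combined log format, which is also an assumption about how the appliance or a fronting proxy logs requests.

```python
import posixpath
import re
from urllib.parse import unquote

# Publicly documented shape of the chain (assumption of this example, not from the page):
#   - CVE-2023-46805: the unauthenticated /api/v1/totp/user-backup-code/ route is used as
#     a "../" traversal prefix to reach REST endpoints that normally require admin auth.
#   - CVE-2024-21887: the path parameter of /api/v1/license/keys-status/ reaches a shell,
#     so ";<command>" appended to it executes on the appliance.
TRAVERSAL_ROOT = "/api/"
INJECTION_ENDPOINT = "/api/v1/license/keys-status"
SHELL_META = re.compile(
    r"(;|\|\||&&|\$\(|`)\s*(python\d?|perl|sh|bash|wget|curl|nc|base64|echo)\b"
)

# Constructed sample lines in combined log format (not real appliance output).
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jan/2024:03:14:07 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/;python3%20-c%20%27import%20socket%27 HTTP/1.1" 200 512
10.20.30.40 - - [11/Jan/2024:03:15:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 8812
198.51.100.9 - - [11/Jan/2024:03:16:22 +0000] "GET /api/v1/totp/user-backup-code/../../system/system-information HTTP/1.1" 200 1409
10.20.30.41 - - [11/Jan/2024:03:17:00 +0000] "GET /api/v1/license/keys-status/ HTTP/1.1" 200 233
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)


def decode_and_resolve(uri: str):
    """Return (decoded_path, resolved_path, decoded_query).

    Percent-decoding is applied twice to defeat double encoding; dot segments are then
    collapsed so that a traversal is judged by the endpoint it lands on, not by the
    unauthenticated prefix it started from.
    """
    path, _, query = uri.partition("?")
    for _ in range(2):
        path, query = unquote(path), unquote(query)
    return path, posixpath.normpath(path), query


def classify_request(uri: str) -> list:
    """Return the list of indicator names matched by one request URI (empty if benign)."""
    decoded, resolved, query = decode_and_resolve(uri)
    findings = []
    # Leg 1: "/../" under /api/ is the CVE-2023-46805 bypass shape.
    if decoded.startswith(TRAVERSAL_ROOT) and "/../" in decoded:
        findings.append("CVE-2023-46805-auth-bypass-traversal")
    # Leg 2: anything after the keys-status path parameter that a shell would interpret.
    if resolved == INJECTION_ENDPOINT or resolved.startswith(INJECTION_ENDPOINT + "/"):
        tail = resolved[len(INJECTION_ENDPOINT):]
        if re.search(r"[;|&`$]", tail):
            findings.append("CVE-2024-21887-command-injection")
    # Leg 3: generic shell metacharacter followed by an interpreter/downloader name.
    if decoded.startswith(TRAVERSAL_ROOT) and SHELL_META.search(resolved + "?" + query):
        findings.append("shell-metacharacters-in-api-request")
    return findings


def scan_log(text: str) -> list:
    """Parse combined-format lines and return one dict per request that matched."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m["uri"])
        if findings:
            hits.append({"client": m["client"], "uri": m["uri"],
                         "status": int(m["status"]), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["status"], ", ".join(hit["findings"]), hit["uri"], sep="  ")
```

The legitimate admin call to `/api/v1/license/keys-status/` in the sample is not flagged, because the check is on the path parameter after the endpoint rather than on the endpoint name itself; that is the difference between this and the keyword matching a naive query does on "cmd" or "exec".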

Microsoft Sentinel / Defender
```kusto
// CVE-2024-21887 — Ivanti Connect Secure command injection (chained with CVE-2023-46805)
// Three legs: (1) exploit-shaped URIs in ICS web logs, (2) command-execution context in
// ICS syslog, (3) generic post-exploitation fan-out from internal hosts.
// Note: has_any matches whole terms, so punctuation such as "/../", ";" or "||" is
// matched with contains / regex on the URL-decoded path plus query string instead.
let lookback = 24h;
let IvantiSuspiciousRequests =
W3CIISLog   // populated only when ICS access logs, or a proxy in front of ICS, are forwarded in W3C format
| where TimeGenerated > ago(lookback)
| where csHost has_any ("ivanti", "pulse", "pulsesecure", "connectsecure")
    or csUriStem has_any ("/dana-na/", "/dana/", "/api/v1/")
| extend Uri = url_decode(strcat(csUriStem, "?", csUriQuery))
| where Uri contains "/api/v1/totp/user-backup-code/.."               // CVE-2023-46805 traversal prefix
    or Uri matches regex @"/api/v1/license/keys-status/[^?]*[;|&`$]"  // CVE-2024-21887 injection point
    or Uri matches regex @"/api/.*(;|\|\||&&|\$\(|`)\s*(python|perl|sh|bash|wget|curl|nc|base64)"
| extend ThreatIndicator = "CVE-2024-21887-Suspicious-ICS-Request";
let IvantiAnomalousAuth =
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor has_any ("Ivanti", "Pulse Secure", "PulseSecure")
| where Activity has_any ("login", "auth", "session", "system", "exec")
| where Message has_any (
    "command", "inject", "exec", "shell", "root", "/tmp", "wget", "curl"
  )
| extend ThreatIndicator = "CVE-2024-21887-ICS-CommandInjection";
// Not Ivanti-specific: fan-out to many internal hosts on admin ports within an hour.
// Use it to corroborate the two legs above, not as a stand-alone CVE signal.
let PostExploitLateralMovement =
DeviceNetworkEvents
| where TimeGenerated > ago(lookback)
| where RemotePort in (445, 3389, 22, 5985, 5986) // SMB, RDP, SSH, WinRM
| where RemoteIPType == "Private"                   // internal targets only
| summarize Connections = count(), Targets = make_set(RemoteIP)
    by DeviceName, InitiatingProcessAccountName, bin(TimeGenerated, 1h)
| where Connections > 10 and array_length(Targets) > 5
| extend ThreatIndicator = "CVE-2024-21887-Post-Exploit-Lateral";
IvantiSuspiciousRequests
| union IvantiAnomalousAuth
| union PostExploitLateralMovement
| sort by TimeGenerated desc
```
Severity: critical. Confidence: medium.

Data Sources

  • CommonSecurityLog (Ivanti Connect Secure syslog integration); this is the normal path, since the appliance logs natively via syslog
  • W3CIISLog, only if ICS web access logs or a fronting proxy are forwarded in W3C format; the table is otherwise empty and the first leg of the query returns nothing
  • Microsoft Defender for Endpoint (DeviceNetworkEvents, for the post-exploitation leg)
  • Azure Network Analytics (listed as a source, but not consumed by the query above)

Required Tables

  • CommonSecurityLog
  • W3CIISLog
  • DeviceNetworkEvents (used by the lateral-movement leg of the query)

False Positives

  • Legitimate ICS administrative operations logged with system-level context
  • Authorised security scanning of Ivanti appliances generating anomalous-looking web requests
  • Internal monitoring systems polling ICS API endpoints
  • The lateral-movement leg is not Ivanti-specific: vulnerability scanners, backup agents and jump hosts routinely fan out to many internal hosts on SMB, RDP, SSH and WinRM, so tune the thresholds or exclude those accounts rather than treating it as a stand-alone CVE signal


Related Detections