Detect Ivanti Connect Secure Authenticated Command Injection (CVE-2024-21887) in Elastic Security
CVE-2024-21887 is a critical authenticated command injection vulnerability (CVSS 9.1) in Ivanti Connect Secure and Policy Secure web components. When chained with the authentication bypass CVE-2023-46805, unauthenticated remote attackers can execute arbitrary commands on the appliance as root. Nation-state threat actors (UNC5221) exploited this as a zero-day to deploy LIGHTWIRE, WIREFIRE, and FRAMESTING web shells and conduct credential harvesting and lateral movement. CISA added this to the KEV catalog in January 2024.
MITRE ATT&CK
Elastic Detection Query
sequence by source.ip with maxspan=5m
[network where event.category == "network" and network.direction == "inbound"
and (url.path like "/dana-na/*" or url.path like "/dana-ws/*" or url.path like "/api/v1/*")
and (http.response.status_code == 200 or http.response.status_code == 302)
and not source.ip like "10.*" and not source.ip like "192.168.*"]
[network where event.category == "network" and network.direction == "inbound"
and url.path like "/api/v1/*"
and (
url.path like "*totp/user-backup-code*" or
url.path like "*archiving/cloud-server-test*" or
url.path like "*maintenance*" or
url.query like "*%3B*" or url.query like "*%7C*" or url.query like "*%60*"
)
and http.response.status_code in (200, 201, 204)]Elastic EQL sequence detection for CVE-2024-21887 chained with CVE-2023-46805. Identifies authentication bypass followed by command injection against known vulnerable Ivanti API endpoints within a 5-minute window from the same source IP.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate multi-step API workflows from authorized administrator IPs
- Internal monitoring systems that poll Ivanti appliance status endpoints
- Load balancer health checks that traverse multiple Ivanti endpoints sequentially
- Authorized penetration tests generating sequential API requests
Other platforms for CVE-2024-21887
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2024-21887 Command Injection via TOTP Backup Code Endpoint
Expected signal: HTTP POST to /api/v1/totp/user-backup-code/ with shell metacharacters in request body, followed by file creation event in /tmp/ visible in process audit logs
- Test 2CVE-2023-46805 + CVE-2024-21887 Full Chain — Unauthenticated RCE
Expected signal: Sequence of: GET to /dana-na/auth/saml-sso.cgi with path traversal, 200 response with session cookie, then PUT to /api/v1/system/maintenance/archiving/cloud-server-test-connection with shell metacharacters in host field, followed by outbound HTTP callback from appliance
- Test 3Post-Exploitation Web Shell Deployment Simulation
Expected signal: File creation event at /home/webserver/htdocs/dana-na/auth/ for a new .pl or .py file; subsequent GET request to that file path with query parameters (cmd=, exec=, c=); process spawning by the web server daemon executing perl or python
- Test 4Credential Harvesting Simulation via Ivanti Config API
Expected signal: GET requests to Ivanti configuration API endpoints for user-roles and authentication server configuration; successful 200 responses containing credential or LDAP bind DN data
References (5)
- https://nvd.nist.gov/vuln/detail/CVE-2024-21887
- https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways
- https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
Unlock Pro Content
Get the full detection package for CVE-2024-21887 including response playbook, investigation guide, and atomic red team tests.