Detect Ivanti Connect Secure Authenticated Command Injection (CVE-2024-21887) in IBM QRadar
CVE-2024-21887 is a critical authenticated command injection vulnerability (CVSS 9.1) in Ivanti Connect Secure and Policy Secure web components. When chained with the authentication bypass CVE-2023-46805, unauthenticated remote attackers can execute arbitrary commands on the appliance as root. Nation-state threat actors (UNC5221) exploited this as a zero-day to deploy LIGHTWIRE, WIREFIRE, and FRAMESTING web shells and conduct credential harvesting and lateral movement. CISA added this to the KEV catalog in January 2024.
QRadar Detection Query
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  URL,
  "HTTP Method" AS http_method,
  "HTTP Response Code" AS response_code,
  CASE
    WHEN URL LIKE '%totp/user-backup-code%' THEN 'CVE-2024-21887 Known Vulnerable Endpoint'
    WHEN URL LIKE '%archiving/cloud-server-test%' THEN 'CVE-2024-21887 Known Vulnerable Endpoint'
    WHEN URL MATCHES '.*[;|&`\$()\{\}].*' THEN 'Shell Metacharacters Detected'
    WHEN URL MATCHES '.*(wget|curl|bash|python|chmod|mkfifo).*' THEN 'Command Execution Attempt'
    WHEN URL MATCHES '.*%3[Bb].*|.*%7[Cc].*|.*%60.*' THEN 'URL Encoded Shell Metachar'
    ELSE 'Suspicious API Access'
  END AS threat_indicator,
  username
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'Nginx', 'F5 BIG-IP', 'Palo Alto Networks Firewall')
  AND (
    URL LIKE '/api/v1/%'
    OR URL LIKE '/dana-ws/%'
    OR URL LIKE '/dana-admin/%'
    OR URL LIKE '/dana-na/%'
  )
  AND (
    URL LIKE '%totp/user-backup-code%'
    OR URL LIKE '%archiving/cloud-server-test%'
    OR URL LIKE '%maintenance%'
    OR URL MATCHES '.*[;|&`\$()\{\}\[\]].*'
    OR URL MATCHES '.*%(3[Bb]|7[Cc]|26|60|24|28|29|7[Bb]|7[Dd]|5[Bb]|5[Dd]).*'
    OR "HTTP Response Code" IN (200, 201, 204)
  )
ORDER BY starttime DESC
LIMIT 1000
LAST 7 DAYS

QRadar AQL query to detect CVE-2024-21887 exploitation attempts against Ivanti Connect Secure appliances by analyzing HTTP access logs for known vulnerable API paths and command injection indicators. Note that the final OR clause on 2xx response codes returns every successful request under the listed path prefixes as 'Suspicious API Access', so the exclusions listed under False Positives & Tuning are needed to keep the result set manageable. The log source type list covers proxies and firewalls in front of the appliance; if the appliance's own web access log is ingested into QRadar, add that log source type as well.
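As an added illustration, not part of the original page or of QRadar, the same indicator logic applied in Python to a few constructed Apache-style access-log lines. It goes slightly beyond the AQL by percent-decoding the URL once instead of enumerating %3B/%7C/%60, so any percent-encoded metacharacter is caught:

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from any real appliance).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2024:10:01:02 +0000] "POST /api/v1/totp/user-backup-code/ HTTP/1.1" 200 512
10.0.0.7 - - [12/Jan/2024:10:02:10 +0000] "GET /api/v1/system/maintenance/archiving/cloud-server-test-connection?host=a%3Bb HTTP/1.1" 500 88
10.0.0.9 - - [12/Jan/2024:10:03:00 +0000] "GET /dana-ws/x?q=$(a) HTTP/1.1" 404 10
10.0.0.9 - - [12/Jan/2024:10:04:00 +0000] "GET /dana-admin/misc/x.cgi?v=%60a%60 HTTP/1.1" 403 12
10.0.0.11 - - [12/Jan/2024:10:05:00 +0000] "GET /dana-na/auth/welcome.cgi HTTP/1.1" 200 4096
10.0.0.11 - - [12/Jan/2024:10:06:00 +0000] "GET /images/logo.png HTTP/1.1" 200 9000
"""

# Combined log format: client, ident, user, [timestamp], "METHOD URL PROTO", status ...
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
API_PREFIXES = ('/api/v1/', '/dana-ws/', '/dana-admin/', '/dana-na/')
VULN_ENDPOINTS = ('totp/user-backup-code', 'archiving/cloud-server-test')
METACHARS = re.compile(r'[;|&`$(){}\[\]]')
CMD_WORDS = re.compile(r'wget|curl|bash|python|chmod|mkfifo')

def classify(url, status):
    """Mirror the AQL WHERE/CASE logic for one request; None means no alert."""
    if not url.startswith(API_PREFIXES):          # same path gate as the WHERE clause
        return None
    if any(e in url for e in VULN_ENDPOINTS):
        return 'CVE-2024-21887 Known Vulnerable Endpoint'
    if METACHARS.search(url):
        return 'Shell Metacharacters Detected'
    if CMD_WORDS.search(url):
        return 'Command Execution Attempt'
    decoded = unquote(url)                        # one decode covers %3B, %7C, %60, ...
    if decoded != url and METACHARS.search(decoded):
        return 'URL Encoded Shell Metachar'
    if 'maintenance' in url or status in (200, 201, 204):
        return 'Suspicious API Access'
    return None

def scan(log_text):
    """Return (source, method, url, label) for every line that would fire."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        label = classify(m['url'], int(m['status']))
        if label:
            hits.append((m['src'], m['method'], m['url'], label))
    return hits

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```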
False Positives & Tuning
- Authorized administrative access to Ivanti API endpoints from known management subnets
- Vulnerability scanning tools performing scheduled assessments
- Ivanti-native automation scripts accessing maintenance API endpoints
- Security monitoring tools that query API endpoints for baseline health data
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: CVE-2024-21887 Command Injection via TOTP Backup Code Endpoint
Expected signal: HTTP POST to /api/v1/totp/user-backup-code/ with shell metacharacters in request body, followed by file creation event in /tmp/ visible in process audit logs
- Test 2: CVE-2023-46805 + CVE-2024-21887 Full Chain — Unauthenticated RCE
Expected signal: Sequence of: GET to /dana-na/auth/saml-sso.cgi with path traversal, 200 response with session cookie, then PUT to /api/v1/system/maintenance/archiving/cloud-server-test-connection with shell metacharacters in host field, followed by outbound HTTP callback from appliance
- Test 3: Post-Exploitation Web Shell Deployment Simulation
Expected signal: File creation event at /home/webserver/htdocs/dana-na/auth/ for a new .pl or .py file; subsequent GET request to that file path with query parameters (cmd=, exec=, c=); process spawning by the web server daemon executing perl or python
- Test 4: Credential Harvesting Simulation via Ivanti Config API
Expected signal: GET requests to Ivanti configuration API endpoints for user-roles and authentication server configuration; successful 200 responses containing credential or LDAP bind DN data
References (5)
- https://nvd.nist.gov/vuln/detail/CVE-2024-21887
- https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways
- https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b