CVE-2024-21887 Splunk · SPL

Detect Ivanti Connect Secure Authenticated Command Injection (Chained with CVE-2023-46805) in Splunk

CVE-2024-21887 is a critical (CVSS 9.1) command injection vulnerability in Ivanti Connect Secure (formerly Pulse Secure) and Policy Secure web components. An authenticated administrator can send specially crafted requests to web endpoints to execute arbitrary commands on the appliance. When chained with CVE-2023-46805 (authentication bypass, CVSS 8.2), the combination allows fully unauthenticated remote code execution. The combined exploit chain was used extensively by the China-nexus threat actor UNC5221 as a zero-day, targeting defence, government, financial, and telecom organisations globally. CISA required mitigation by January 22, 2024. Ivanti Connect Secure VPN appliances are widely deployed by SMBs and enterprises as remote access infrastructure, making this a high-priority detection target.

MITRE ATT&CK

Tactic: Initial Access, Execution, Persistence

SPL Detection Query

Splunk (SPL)

index=network sourcetype IN ("ivanti:ics:log", "pulse:log", "syslog", "web:access")
    (vendor IN ("Ivanti", "Pulse Secure") OR sourcetype IN ("ivanti:ics:log", "pulse:log"))
| where (
      match(uri_path, "(?i)(/dana-na/|/dana/|/api/v1/auth|/api/v1/totp)")
      AND match(_raw, "(?i)(cmd|exec|shell|wget|curl|/tmp|base64|python|perl|\|\||&&)")
  )
  OR (
      (in(log_level, "SYSTEM", "ERROR", "WARNING") OR in(severity, "high", "critical"))
      AND match(message, "(?i)(command|inject|shell|root|execute|arbitrary)")
  )
| eval CVE="CVE-2024-21887"
| eval ThreatType="Ivanti-ICS-CommandInjection"
| bin _time span=1h
| stats count AS SuspiciousRequests,
        values(src_ip) AS SourceIPs,
        values(uri_path) AS RequestPaths,
        values(message) AS LogMessages
  BY host, CVE, ThreatType, _time
| where SuspiciousRequests >= 1
| table _time, host, SourceIPs, RequestPaths, LogMessages, SuspiciousRequests, CVE, ThreatType
| sort - SuspiciousRequests
Severity: critical · Confidence: medium

Detects CVE-2024-21887 exploitation attempts in Ivanti Connect Secure logs in two ways: web requests to the /dana/ and /api/ endpoints whose raw content carries command injection patterns, or system-level log messages that indicate command execution. Note that match() and in() are eval functions, so the pattern tests run in a where clause after the base search, and _time is bucketed with bin before stats (stats does not accept span=). The /dana-na/ and /dana/ paths are the primary attack surface for this vulnerability.
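The detection logic of the query above, reproduced in Python and run over constructed sample events, as an added example that is not the page's own code and not Ivanti's. The field names and the three regexes are taken from the query; the hostnames, IPs, timestamps, log lines and the allow_patterns tuning knob are constructed assumptions. It goes slightly beyond the query by also exercising the benign, out-of-scope and python-requests false-positive cases described in the tuning notes, so you can see which events fire and which do not.

```python
"""Reference model of the SPL detection for CVE-2024-21887 over constructed events.
Added example for this page; not the page's own code and not Ivanti's.
Field names (_time, host, sourcetype, vendor, src_ip, uri_path, log_level,
severity, message, _raw) mirror the Splunk fields the query references."""
import re
from collections import defaultdict

# Regexes copied verbatim from the SPL query.
SUSPICIOUS_URI = re.compile(r"(?i)(/dana-na/|/dana/|/api/v1/auth|/api/v1/totp)")
INJECTION_TOKENS = re.compile(
    r"(?i)(cmd|exec|shell|wget|curl|/tmp|base64|python|perl|\|\||&&)")
SYSLOG_KEYWORDS = re.compile(r"(?i)(command|inject|shell|root|execute|arbitrary)")

IN_SCOPE_SOURCETYPES = {"ivanti:ics:log", "pulse:log", "syslog", "web:access"}
ICS_SOURCETYPES = {"ivanti:ics:log", "pulse:log"}
ICS_VENDORS = {"Ivanti", "Pulse Secure"}
SYSTEM_LEVELS = {"SYSTEM", "ERROR", "WARNING"}
HIGH_SEVERITIES = {"high", "critical"}


def in_scope(ev):
    """Base-search filter: right index and sourcetype, and an ICS/Pulse appliance."""
    return (ev.get("index") == "network"
            and ev.get("sourcetype") in IN_SCOPE_SOURCETYPES
            and (ev.get("vendor") in ICS_VENDORS
                 or ev.get("sourcetype") in ICS_SOURCETYPES))


def is_suspicious(ev, allow_patterns=()):
    """The two OR branches of the where clause. allow_patterns is a hypothetical
    tuning knob (not in the query): regexes for known-benign content that suppress a hit."""
    raw = ev.get("_raw", "")
    if any(re.search(p, raw) for p in allow_patterns):
        return False
    web_branch = (SUSPICIOUS_URI.search(ev.get("uri_path", "")) is not None
                  and INJECTION_TOKENS.search(raw) is not None)
    system_branch = ((ev.get("log_level") in SYSTEM_LEVELS
                      or ev.get("severity") in HIGH_SEVERITIES)
                     and SYSLOG_KEYWORDS.search(ev.get("message", "")) is not None)
    return web_branch or system_branch


def detect(events, allow_patterns=()):
    """bin _time span=1h | stats count, values(...) BY host, _time | sort - count."""
    buckets = defaultdict(lambda: {"count": 0, "ips": set(), "paths": set(), "msgs": set()})
    for ev in events:
        if not (in_scope(ev) and is_suspicious(ev, allow_patterns)):
            continue
        hour = ev["_time"] - ev["_time"] % 3600          # start of the 1-hour bucket
        b = buckets[(ev["host"], hour)]
        b["count"] += 1
        for key, field in (("ips", "src_ip"), ("paths", "uri_path"), ("msgs", "message")):
            if ev.get(field):
                b[key].add(ev[field])
    rows = [{"_time": hour, "host": host, "SuspiciousRequests": b["count"],
             "SourceIPs": sorted(b["ips"]), "RequestPaths": sorted(b["paths"]),
             "LogMessages": sorted(b["msgs"]), "CVE": "CVE-2024-21887",
             "ThreatType": "Ivanti-ICS-CommandInjection"}
            for (host, hour), b in buckets.items()]
    return sorted(rows, key=lambda r: -r["SuspiciousRequests"])


T0 = 1705600800  # constructed timestamp that sits exactly on an hour boundary

# Constructed sample events: documentation-range IPs, placeholder query strings.
SAMPLE_EVENTS = [
    {   # true positive, branch 1: vulnerable endpoint plus a shell-like token
        "_time": T0, "index": "network", "sourcetype": "ivanti:ics:log", "vendor": "Ivanti",
        "host": "vpn-gw-01", "src_ip": "198.51.100.7", "uri_path": "/api/v1/totp/",
        "_raw": 'src=198.51.100.7 method=GET uri="/api/v1/totp/" qs="user=probe;wget" status=200'},
    {   # true positive, branch 2: system-level message describing command execution
        "_time": T0 + 120, "index": "network", "sourcetype": "syslog", "vendor": "Ivanti",
        "host": "vpn-gw-01", "log_level": "SYSTEM", "severity": "critical",
        "message": "System: command injection attempt blocked by web process",
        "_raw": "System: command injection attempt blocked by web process"},
    {   # benign login on a watched path with no injection token: must not fire
        "_time": T0 + 300, "index": "network", "sourcetype": "pulse:log", "vendor": "Pulse Secure",
        "host": "vpn-gw-01", "src_ip": "203.0.113.9", "uri_path": "/api/v1/auth",
        "_raw": 'src=203.0.113.9 uri="/api/v1/auth" qs="user=alice" status=200'},
    {   # non-ICS device with a /dana/ path: dropped by the vendor/sourcetype scope
        "_time": T0, "index": "network", "sourcetype": "web:access", "vendor": "OtherVendor",
        "host": "proxy-01", "src_ip": "192.0.2.4", "uri_path": "/dana/",
        "_raw": 'src=192.0.2.4 uri="/dana/" qs="x=wget" status=404'},
    {   # tuning-section false positive: authorized API client whose UA contains "python"
        "_time": T0 + 4000, "index": "network", "sourcetype": "ivanti:ics:log", "vendor": "Ivanti",
        "host": "vpn-gw-02", "src_ip": "10.0.0.12", "uri_path": "/api/v1/auth",
        "_raw": 'src=10.0.0.12 uri="/api/v1/auth" ua="python-requests/2.31" status=200'},
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
    print("after tuning:", detect(SAMPLE_EVENTS, allow_patterns=(r'ua="python-requests/',)))
```

Running it yields two rows: vpn-gw-01 with two hits in the first hour (the totp request and the syslog message land in the same bucket) and vpn-gw-02 with one hit caused only by the `python` token in a user agent. Passing an allow pattern for that user agent suppresses the second row, which is the kind of tuning the false-positive notes call for; the out-of-scope proxy event never reaches the pattern tests at all.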

Data Sources

  • Ivanti Connect Secure system logs
  • Pulse Secure web access logs
  • Network syslog from ICS appliances

Required Sourcetypes

  • ivanti:ics:log
  • pulse:log

False Positives & Tuning

  • Authorized API calls to /api/v1/totp or /api/v1/auth with special characters in parameters
  • Ivanti diagnostic logging that captures command-like strings in system messages

Testing Methodology

Validate this detection against one adversary technique from Atomic Red Team. The test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate CVE-2024-21887 command injection request

    Expected signal: ICS web access log entry for /api/v1/totp/ with command injection payload; syslog entry showing command execution output.
