title: Ivanti Connect Secure Authenticated Command Injection (Chained with CVE-2023-46805) (CVE-2024-21887)
id: df00tech-cve-2024-21887
status: experimental
description: "CVE-2024-21887 is a critical (CVSS 9.1) command injection vulnerability in Ivanti Connect Secure (formerly Pulse Secure) and Policy Secure web components. An authenticated administrator can send specially crafted requests to web endpoints to execute arbitrary commands on the appliance. When chained with CVE-2023-46805 (authentication bypass, CVSS 8.2), the combination allows fully unauthenticated remote code execution. The combined exploit chain was used extensively by the China-nexus threat actor UNC5221 as a zero-day, targeting defence, government, financial, and telecom organisations globally. CISA required mitigation by January 22, 2024. Ivanti Connect Secure VPN appliances are widely deployed by SMBs and enterprises as remote access infrastructure, making this a high-priority detection target."
references:
  - https://attack.mitre.org/techniques/CVE-2024-21887/
  - https://df00tech.com/detections/CVE-2024-21887
author: df00tech
date: 2026/04/22
tags:
  # The Sigma `attack.` namespace is reserved for ATT&CK technique/tactic IDs; CVEs use the `cve.` namespace.
  - cve.2024-21887
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate ICS administrative operations logged with system-level context
  - Authorised security scanning of Ivanti appliances generating anomalous-looking web requests
  - Internal monitoring systems polling ICS API endpoints
level: critical
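As an added check (not part of the df00tech rule or the Sigma project), the Python below lints the detection block above: a selection whose only constraint is `EventID: '*'` places no condition on the event, so the rule as auto-derived would fire on every log line at critical severity. The rule content is mirrored inline as a constructed dict so the check runs without a YAML parser.

```python
from typing import Any

# Constructed mirror of the rule's detection block and level (same values as the YAML above).
RULE = {
    "title": "Ivanti Connect Secure Authenticated Command Injection (CVE-2024-21887)",
    "level": "critical",
    "detection": {
        "selection": {"EventID": "*"},
        "condition": "selection",
    },
}


def _is_wildcard(value: Any) -> bool:
    """True when a field value places no real constraint on the event."""
    if isinstance(value, list):
        return len(value) == 0 or any(_is_wildcard(v) for v in value)
    return value is None or value == "*"


def _map_is_catch_all(fields: dict) -> bool:
    """A field map with no fields, or only wildcard fields, matches everything."""
    return not fields or all(_is_wildcard(v) for v in fields.values())


def catch_all_selections(rule: dict) -> list[str]:
    """Return names of detection selections that match every event.

    Sigma selections are either a field map or a list of field maps (OR-ed),
    so one catch-all map inside a list is enough to make the selection catch-all.
    """
    detection = rule.get("detection", {})
    flagged = []
    for name, body in detection.items():
        if name == "condition":
            continue
        maps = body if isinstance(body, list) else [body]
        if any(_map_is_catch_all(m if isinstance(m, dict) else {}) for m in maps):
            flagged.append(name)
    return flagged


def lint(rule: dict) -> list[str]:
    """Human-readable findings; a catch-all at critical level gets an extra warning."""
    findings = [f"selection '{n}' matches every event" for n in catch_all_selections(rule)]
    if findings and rule.get("level") == "critical":
        findings.append("level is critical, so this rule would alert on all events")
    return findings


if __name__ == "__main__":
    for finding in lint(RULE):
        print("WARN:", finding)
```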
