← Back to CVEs
CVE-2024-21887
CRITICALCISA KEV9.1
Description
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
CVE Details
CVSS v3.1 Score9.1
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredHIGH
User InteractionNONE
Published1/12/2024
Last Modified10/31/2025
Sourcekev
Honeypot Sightings0
CISA KEV
VendorIvanti
ProductConnect Secure and Policy Secure
Vulnerability NameIvanti Connect Secure and Policy Secure Command Injection Vulnerability
KEV Date Added2024-01-10
Remediation Due Date2024-01-22
Ransomware UseKnown
Affected Products
ivanti:connect_secureivanti:policy_secure
Weaknesses (CWE)
CWE-77CWE-77
References
http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html(support@hackerone.com)
https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US(support@hackerone.com)
http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21887(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.