← Retour aux CVEs
CVE-2024-21887
CRITICALCISA KEV9.1
Description
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
Details CVE
Score CVSS v3.19.1
SeveriteCRITICAL
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisHIGH
Interaction utilisateurNONE
Publie1/12/2024
Derniere modification10/31/2025
Sourcekev
Observations honeypot0
CISA KEV
FournisseurIvanti
ProduitConnect Secure and Policy Secure
Nom vulnerabiliteIvanti Connect Secure and Policy Secure Command Injection Vulnerability
Date ajout KEV2024-01-10
Date limite remediation2024-01-22
Utilise dans ransomwareKnown
Produits affectes
ivanti:connect_secureivanti:policy_secure
Faiblesses (CWE)
CWE-77CWE-77
References
http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html(support@hackerone.com)
https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US(support@hackerone.com)
http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21887(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.