Ivanti Connect Secure Zero-Days (CVE-2023-46805, CVE-2024-21887)
What is Ivanti Connect Secure Zero-Days (CVE-2023-46805, CVE-2024-21887)?
Two chained zero-day vulnerabilities in Ivanti Connect Secure VPN appliances exploited by suspected Chinese espionage actors in late 2023 and early 2024.
In January 2024, Ivanti and Mandiant disclosed two zero-day vulnerabilities in Ivanti Connect Secure and Policy Secure: CVE-2023-46805, an authentication bypass in the web component, and CVE-2024-21887, a command injection in administrative components. Chained together, they allow unauthenticated remote code execution on the appliance. Mandiant attributed initial exploitation to UNC5221, a suspected Chinese espionage cluster that deployed web shells and credential stealers. CISA and other agencies issued emergency directives ordering disconnection of affected appliances. Mitigation included applying staged patches, running the Integrity Checker Tool, factory resetting compromised devices and rotating all related credentials and certificates.
● Examples
- 01: UNC5221 deploys the BUSHWALK webshell on a vulnerable Ivanti VPN and pivots into the corporate network.
- 02: A US federal agency disconnects its Ivanti appliances and rebuilds them from clean media after the CISA directive.
● Frequently asked questions
What is Ivanti Connect Secure Zero-Days (CVE-2023-46805, CVE-2024-21887)?
Two chained zero-day vulnerabilities in Ivanti Connect Secure VPN appliances exploited by suspected Chinese espionage actors in late 2023 and early 2024. It belongs to the Vulnerabilities category of cybersecurity.
How do you defend against Ivanti Connect Secure Zero-Days (CVE-2023-46805, CVE-2024-21887)?
Defences for Ivanti Connect Secure Zero-Days (CVE-2023-46805, CVE-2024-21887) combine technical controls and operational practices: applying Ivanti's staged patches, running the Integrity Checker Tool to detect tampering, disconnecting and factory resetting appliances found to be compromised, and rotating all credentials and certificates associated with the affected devices.
What are other names for Ivanti Connect Secure Zero-Days (CVE-2023-46805, CVE-2024-21887)?
Common alternative names include: Ivanti Connect Secure RCE, CVE-2024-21887 chain.
● Related terms
- Command Injection: An attack where user input is passed unsanitized to an operating-system shell, causing the application to execute attacker-supplied commands.
- Supply Chain Attack: An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.