
CVE-2023-46805: Ivanti Connect Secure — Authentication Bypass via Path Traversal

CVE Details

CVE ID CVE-2023-46805
CVSS Score 8.2
Severity High
Vendor Ivanti
Product Connect Secure / Policy Secure
Patch Status Available
Published January 24, 2026

Background

Ivanti Connect Secure (formerly Pulse Connect Secure) is an enterprise SSL VPN solution with a large deployment base across government, healthcare, financial services, and critical infrastructure sectors. Its role as the authentication gateway for remote access makes it a prime target — an attacker who can bypass its authentication controls effectively bypasses the entire perimeter.

CVE-2023-46805 is an authentication bypass vulnerability that, when exploited alone, allows an attacker to access specific endpoints that should require authentication. Its true severity is realised when chained with CVE-2024-21887 (command injection, CVSS 9.1): together, they form a zero-interaction exploit chain delivering unauthenticated RCE as root. The vulnerability was exploited in the wild as a zero-day by Chinese state-sponsored actors for weeks before disclosure.

Technical Mechanism

CVE-2023-46805 is a path traversal-based authentication bypass in the Ivanti Connect Secure web component. The application uses a URL-based authentication gating system: certain URL prefixes are classified as requiring authentication, while others (like those serving the login page) are publicly accessible.

The bypass exploits an inconsistency between the authentication layer and the URL routing layer. By crafting a URL that includes a traversal sequence, an attacker can request an authenticated endpoint while the authentication check treats it as an unauthenticated path:

# Normal request to a protected endpoint (rejected by the authentication check)
GET /api/v1/system/restart HTTP/1.1

# Bypass using path traversal: the authentication check matches the public /api/v1/auth/ prefix, while routing resolves the path to /api/v1/system/restart
GET /api/v1/auth/../system/restart HTTP/1.1

The Perl-based web application backend (Ivanti appliances use a combination of Perl, Python, and compiled C components) resolves the traversal after the authentication check, resulting in access to protected endpoints.
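The ordering problem described above, as an added example that is not Ivanti's code: a gate that classifies the raw request path by prefix before the router resolves ".." segments, beside a gate that decides on the canonical path and refuses traversal outright. PUBLIC_PREFIXES, the endpoint names and the simulated pipeline are constructed for illustration; the appliance's real Perl/C stack and its prefix lists are not reproduced here.

```python
"""Why the ordering of "auth check" and "path resolution" matters.

Added example, not Ivanti's code: the appliance's real gate is a Perl/C web
stack whose prefix lists are not reproduced here. PUBLIC_PREFIXES and the
endpoint names are constructed for illustration.
"""
import posixpath
from typing import Callable
from urllib.parse import unquote


# Constructed allow-list: prefixes the gate lets through without a session.
PUBLIC_PREFIXES = ("/api/v1/auth/", "/dana-na/auth/")


def decode_path(raw_path: str) -> str:
    """Percent-decode twice so single- and double-encoded dots are both seen."""
    return unquote(unquote(raw_path))


def route(raw_path: str) -> str:
    """What the router actually serves: the canonical path after '..' resolution."""
    canonical = posixpath.normpath(decode_path(raw_path))
    return canonical if canonical.startswith("/") else "/" + canonical


def vulnerable_requires_auth(raw_path: str) -> bool:
    """Buggy gate: prefix check on the RAW path, before the router resolves '..'.
    A path that merely begins with a public prefix is treated as public."""
    return not raw_path.startswith(PUBLIC_PREFIXES)


def hardened_requires_auth(raw_path: str) -> bool:
    """Fixed gate: refuse traversal outright, then decide on the canonical path,
    i.e. the same path the router will serve."""
    decoded = decode_path(raw_path)
    if "/../" in decoded or decoded.endswith("/..") or "\\" in decoded:
        return True  # never public, regardless of prefix
    return not route(raw_path).startswith(PUBLIC_PREFIXES)


def serve(raw_path: str, authenticated: bool,
          requires_auth: Callable[[str], bool]) -> str:
    """Simulated request pipeline: gate first, then route."""
    if requires_auth(raw_path) and not authenticated:
        return "401 Unauthorized"
    return "200 " + route(raw_path)


if __name__ == "__main__":
    bypass = "/api/v1/auth/../system/restart"   # constructed traversal request
    print("vulnerable:", serve(bypass, False, vulnerable_requires_auth))
    print("hardened:  ", serve(bypass, False, hardened_requires_auth))
```

The fix is not the traversal string check by itself but making the gate and the router agree on one canonical path; the explicit refusal of ".." is defence in depth for encodings the canonicaliser might not handle identically.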

Specific endpoints targeted in documented attacks:

  • /api/v1/totp/user-backup-code/ — generates backup codes, used as an injection vector with CVE-2024-21887
  • /api/v1/sessions/ — session management endpoints
  • /api/v1/config/ — configuration endpoints

The authentication bypass alone has limited standalone impact (the accessible endpoints are mostly read-only via this path). However, when CVE-2024-21887 is available, the bypass opens the injection-vulnerable endpoints to unauthenticated exploitation.

Real-World Exploitation Evidence

Volexity identified active exploitation of both CVE-2023-46805 and CVE-2024-21887 as a chain beginning in early December 2023. The threat actor, designated UTA0178 and later attributed to Chinese APT activity, used the chain to:

  • Compromise VPN appliances at defence contractors, government agencies, and technology companies
  • Deploy GLASSTOKEN web shell for persistent access
  • Harvest VPN session cookies and credentials from memory
  • Export SAML certificates and signing keys
  • Use the compromised appliances as pivot points for internal reconnaissance

Within weeks of the January 2024 public advisory, independent researchers confirmed exploitation by multiple additional threat groups. CISA reported that attackers attempted to maintain access by deploying malware specifically engineered to survive Ivanti’s factory reset procedure — a technique showing significant sophistication and pre-planning.

Impact Assessment

This bypass is specifically dangerous because of what it unlocks:

  • Chained exploitation: Primary impact is as an enabler for CVE-2024-21887, turning an authenticated vulnerability into a fully unauthenticated RCE.
  • Authentication control circumvention: Standalone, enables read access to sensitive configuration and session data.
  • Zero credential requirement: Attackers need no valid credentials, making exploitation viable against any exposed appliance regardless of password strength.
  • Perimeter bypass: A compromised VPN appliance undermines the entire network perimeter security model — internal resources become accessible to the attacker.

Affected Versions

Product                     Affected Versions     Fixed Version
Ivanti Connect Secure       9.x, 22.x (all)       22.7R2.4+
Ivanti Policy Secure        9.x, 22.x (all)       22.7R1.2+
Ivanti Neurons for ZTA      22.x (all)            22.7R2.3+

Remediation Steps

  1. Apply patches: Update to the fixed versions. Ivanti’s patches address both CVE-2023-46805 and CVE-2024-21887 together.

  2. Run Ivanti’s Integrity Checker Tool (ICT): Before patching, run the ICT to detect whether the appliance is already compromised:

    • Via admin UI: Maintenance > Diagnostics > Integrity Check Tool
    • Note: CISA reported that the ICT may not detect all compromise indicators in heavily modified appliances.

  3. Apply interim XML mitigation: Ivanti published a mitigation XML file that restricts access to the vulnerable API endpoints. Import via Maintenance > Import/Export > Import XML.

  4. Perform factory reset if compromised: If the ICT flags issues, factory reset the appliance before applying the patch to ensure malware is removed.

  5. Rotate all credentials: Any credentials that have been authenticated through the appliance (VPN users, service accounts, SAML configurations) should be treated as potentially compromised.

  6. Monitor for persistence indicators: Even after remediation, monitor for signs of re-exploitation or persistence mechanisms planted pre-patch.

Detection Guidance

Log sources:

  • /var/log/web.log on the Connect Secure appliance
  • Network flow logs for unusual outbound connections from the appliance IP
  • Active Directory logs for anomalous authentication events post-VPN login

Suspicious URL patterns in web logs:

/api/v1/auth/../
/api/v1/totp/user-backup-code/../
Encoded path traversal variants: %2F..%2F, %2e%2e%2f, and the double-encoded forms of these
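The URL patterns above, turned into a log scan as an added example (not from the advisory or from Ivanti). The log line format and the sample lines are constructed, since the real layout of /var/log/web.log is not given here; adapt LOG_LINE to it. The scan decodes single and double percent-encoding before looking for ".." segments, and rates highest any request whose raw path starts under a public prefix but canonicalises outside it, which is the gate/router mismatch the advisory describes.

```python
"""Scan web-server log lines for the traversal patterns listed above.

Added example, not from the advisory or from Ivanti. The log format below is
constructed (timestamp, client, request line, status); /var/log/web.log's real
layout is not given here, so adapt LOG_LINE to it. The sample lines are
constructed too and only reuse endpoint names that appear on this page.
"""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Public prefixes named in the advisory's suspicious-URL list.
WATCHED_PREFIXES = ("/api/v1/auth/", "/api/v1/totp/user-backup-code/")

# A '..' path segment, whether at the start, middle or end of the path.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

LOG_LINE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log: four traversal attempts, two benign requests.
SAMPLE_LOG = """\
2024-01-10 03:12:07 203.0.113.5 "GET /api/v1/auth/../system/restart HTTP/1.1" 200
2024-01-10 03:12:09 203.0.113.5 "GET /api/v1/totp/user-backup-code/../../system/restart HTTP/1.1" 200
2024-01-10 03:12:11 203.0.113.5 "GET /api/v1/auth/%2e%2e/system/restart HTTP/1.1" 200
2024-01-10 03:12:13 203.0.113.5 "GET /api/v1/auth/%252e%252e%252fsystem/restart HTTP/1.1" 200
2024-01-10 03:13:00 198.51.100.7 "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200
2024-01-10 03:13:02 198.51.100.7 "POST /api/v1/auth/login HTTP/1.1" 200
"""


def decode_path(raw: str) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    single and double encoding (%2e%2e, %252e%252e) are both unwrapped."""
    cur = raw
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def analyze_path(raw_path: str) -> Optional[dict]:
    """Return a finding if the path carries traversal, else None."""
    path_only = raw_path.split("?", 1)[0]
    decoded = decode_path(path_only)
    if not TRAVERSAL.search(decoded):
        return None
    canonical = posixpath.normpath(decoded)
    prefix = next((p for p in WATCHED_PREFIXES if path_only.startswith(p)), None)
    # Highest concern: raw path starts under a public prefix but canonicalises
    # outside it, i.e. the gate and the router would disagree about this request.
    escaped = prefix is not None and not canonical.startswith(prefix)
    return {
        "raw": path_only,
        "canonical": canonical,
        "encoded": decoded != path_only,
        "prefix": prefix,
        "severity": "high" if escaped else "medium",
    }


def scan_log(text: str) -> List[dict]:
    """Parse each line and collect findings with source and timestamp."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        finding = analyze_path(m.group("path"))
        if finding:
            finding.update(ts=m.group("ts"), src=m.group("src"), status=m.group("status"))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['src']} {f['raw']} -> {f['canonical']}")
```

Matching on the decoded path rather than the raw one is what catches the encoded variants; matching only the literal "../" string, as the Suricata rule further down does, misses them.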

Indicators of Compromise (IOCs):

  • Unexpected files with .pl or .cgi extension in /home/webserver/htdocs/dana-na/
  • Modified timestamps on Perl scripts in Ivanti web directories
  • Unexpected cron jobs in /etc/cron.d/
  • Outbound connections to non-Ivanti update server IPs

Suricata signature:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Ivanti CVE-2023-46805 Auth Bypass Attempt"; flow:established,to_server; http.uri; content:"/api/v1/auth/"; content:"../"; within:20; distance:0; sid:9000046; rev:1;)

Timeline

Date                  Event
December 2023         Active exploitation observed by Volexity (UTA0178)
January 10, 2024      Ivanti publishes advisory; CISA adds to KEV catalogue
January 11, 2024      CISA Emergency Directive 24-01 issued
January 12, 2024      Ivanti releases XML mitigation file
January 19, 2024      Proof-of-concept exploit released publicly
February 1, 2024      Patches released for Connect Secure 22.x
February 2024         Mandiant documents LIGHTWIRE/ZIPLINE malware used in attacks