
CVE-2024-21893: Ivanti Connect Secure — SSRF to Authentication Bypass

CVE Details

CVE ID CVE-2024-21893
CVSS Score 8.2
Severity High
Vendor Ivanti
Product Connect Secure / Policy Secure
Patch Status Available
Published April 1, 2026

Background

Ivanti Connect Secure (formerly Pulse Secure) is a widely deployed enterprise SSL VPN used across government, healthcare, and critical infrastructure sectors. CVE-2024-21893 is the third in a series of high- and critical-severity vulnerabilities disclosed in Ivanti's VPN products in early 2024, following CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection), which were disclosed together on January 10, 2024.

CVE-2024-21893 is a server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Policy Secure and Neurons for ZTA. Disclosed on January 31, 2024, three weeks after the January advisories, it allows an unauthenticated attacker to reach restricted resources that are meant to be accessible only from the appliance itself. Its rapid disclosure following the earlier CVE pair reflects the intense research attention Ivanti's codebase received in the wake of the January exploitation wave.

Technical Mechanism

Server-side request forgery (SSRF) occurs when a server can be induced to issue a request of the attacker's choosing to a destination the attacker cannot reach directly, typically the server itself or hosts on its internal network. In CVE-2024-21893 the SSRF sits in the SAML processing component of Ivanti Connect Secure and Policy Secure; the underlying defect is in the xmltooling library that component uses for XML Signature handling (tracked separately as CVE-2023-36661).

SAML (Security Assertion Markup Language) is an XML-based standard for federated single sign-on. When a user authenticates via SAML, the appliance acts as the service provider and processes signed SAML messages from an Identity Provider (IdP). XML Signature allows key material to be referenced indirectly: a <ds:KeyInfo> element may carry a <ds:RetrievalMethod URI="..."> pointing at where the key should be fetched from, and the vulnerable component dereferences that URI server-side, on the appliance, without checking where it points.

The SSRF in the SAML component works as follows:

  1. An attacker submits an unauthenticated SAML message to the appliance's SAML endpoint whose signature block references an internal URL (the fetch happens during key resolution, so no valid IdP signature is needed)
  2. The appliance's SAML processor fetches the referenced URL server-side
  3. The attacker can therefore make the appliance issue requests to:
    • The appliance's own internal management APIs (not normally internet-accessible)
    • Internal REST endpoints that trust localhost-originated requests rather than checking authentication tokens
    • Other internal services reachable from the appliance's network position

In the specific context of Ivanti Connect Secure, the appliance's internal REST API is bound to the loopback interface and uses source address as its trust mechanism: requests arriving from 127.0.0.1 are treated as coming from the appliance itself. By using the SSRF to make the appliance request those endpoints, an attacker can:

  • Access authenticated administrative API endpoints without credentials
  • Retrieve configuration data
  • Potentially trigger administrative actions

This SSRF-to-auth-bypass pattern is particularly powerful when the internal APIs have no authentication (relying entirely on network-level access control) or when certain endpoints are accessible only from localhost.

Combined with CVE-2024-21887 (command injection in the internal API), this vulnerability gives a second unauthenticated route to the same command injection: the January chain reached the API through the CVE-2023-46805 authentication bypass, whereas this chain reaches it through the SAML stack, which the January mitigation did not cover.

Real-World Exploitation Evidence

CISA added CVE-2024-21893 to its KEV catalogue on February 2, 2024, confirming exploitation in the wild; Ivanti's own advisory stated that a small number of customers had already been impacted at the time of disclosure. The exploitation context:

  • Exploitation alongside January CVEs: Threat actors who had been exploiting CVE-2023-46805 and CVE-2024-21887 incorporated CVE-2024-21893 into their toolkits within days, and public proof-of-concept code appeared shortly after the advisory.
  • Multiple access paths: Having multiple exploit chains for the same product is tactically valuable; if defenders patch or detect one chain, attackers can switch to another.
  • Targeted government infrastructure: CISA's Emergency Directive 24-01 was supplemented to cover CVE-2024-21893, and federal agencies were directed to disconnect affected appliances until they could be rebuilt and patched.
  • SAML exposure: In-the-wild exploitation went through the appliance's SAML endpoints, so SAML deployments (a common enterprise SSO configuration) were the primary target. Do not assume an appliance without SAML configured is unexposed, however; the SAML handlers ship with the product, and the January CVEs remain exploitable regardless of SAML configuration.

Impact Assessment

SSRF-based authentication bypass on a VPN appliance provides:

  • Internal API access: Ability to query or manipulate internal management APIs that rely on network-level access controls.
  • Chaining with command injection: When combined with CVE-2024-21887, the two-CVE chain provides an alternative unauthenticated RCE path through the SAML stack.
  • Credential harvesting: Access to authentication-protected configuration data including VPN user credentials, certificates, and SAML configuration (including private keys).
  • Network mapping: SSRF can be used to probe internal network services accessible from the VPN appliance’s position on the network.

Affected Versions

Product                    Affected versions    Fix
Ivanti Connect Secure      9.x, 22.x            Patched builds per release branch (rollout began January 31, 2024)
Ivanti Policy Secure       9.x, 22.x            Patched builds per release branch (rollout through February 2024)
Ivanti Neurons for ZTA     22.x                 Patched builds per release branch (rollout began January 31, 2024)

Fixed build numbers are branch-specific (9.1Rx and 22.xRx trains were patched separately over several weeks); take the exact build for your branch from Ivanti's security advisory for CVE-2024-21893 rather than from a third-party summary. The same patch releases that address CVE-2023-46805 and CVE-2024-21887 also address CVE-2024-21893 and CVE-2024-21888.

Remediation Steps

  1. Apply Ivanti patches: The fixes for CVE-2024-21893 ship in the same patch releases as the January 2024 fixes; Ivanti began releasing them on January 31, 2024 and completed the rollout across release branches in February 2024. Ivanti recommended a factory reset of the appliance before applying the patch so that any persistence established during the exposure window is removed rather than carried forward.

  2. Verify SAML configuration: Review whether your deployment uses SAML authentication, since SAML deployments were the primary target of the observed exploitation. Do not treat an appliance without SAML configured as unexposed: the SAML handlers ship with the product, and the same patch also closes the January vulnerabilities, which do not depend on SAML.

  3. Run the Integrity Checker Tool: Before and after patching, run Ivanti's ICT to check for signs of compromise:

    • Via admin UI: Maintenance > Diagnostics > Integrity Check
    • Prefer the external ICT image over the built-in check where possible. Treat a clean result as one signal, not as proof of non-compromise: CISA's February 2024 advisory reported that the ICT could be evaded by actors who had already gained root-level access, so pair it with the log review below and with network evidence.
  4. Apply the interim XML mitigation: If immediate patching is not possible, apply the mitigation XML Ivanti published on January 31, 2024, which restricts access to the vulnerable SAML endpoints. The mitigation file released on January 10 for the earlier CVEs does not cover this SSRF.

  5. Monitor SAML processing logs: Review logs for unusual SAML message processing, in particular <ds:RetrievalMethod> URIs pointing at 127.0.0.1, localhost, RFC 1918 addresses or file:// paths. SAMLRequest values on the HTTP-Redirect and HTTP-POST bindings are base64-encoded (and deflated on the Redirect binding), so decode them before inspecting.

  6. Treat all credentials as potentially compromised: If your device was exposed and unpatched during the exploitation window, treat VPN user credentials, and any secrets stored on the appliance (certificates and private keys, LDAP/AD bind credentials, SAML signing keys), as compromised and rotate them after the appliance has been rebuilt.

Detection Guidance

Log sources:

  • Ivanti Connect Secure web logs: /var/log/web.log
  • SAML authentication logs: /var/log/cav.log
  • Network flow logs for internal-to-internal requests from the appliance IP

Suspicious patterns:

  • SAML XML whose <ds:KeyInfo> carries a <ds:RetrievalMethod URI="..."> (or other dereferenceable URI attribute) pointing at http://127.0.0.1, http://localhost, an RFC 1918 address or a file:// path; decode base64/deflated SAMLRequest values first, as the pattern is not visible in the raw request body on the Redirect and POST bindings
  • Unexpected HTTP requests from the appliance's own IP to internal management ports, or loopback requests to the internal REST API that do not correspond to normal administrative activity

SAML payload detection:

<!-- Suspicious SAML: the signature's key reference points at the appliance's own loopback REST API (illustrative; the port is the loopback API port, the path is a placeholder) -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:KeyInfo>
    <ds:RetrievalMethod URI="http://127.0.0.1:8090/api/v1/"/>
  </ds:KeyInfo>
</ds:Signature>
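Both the "suspicious patterns" above and the log-review step in the remediation section come down to the same operation: pull every dereferenceable URI out of a SAML message and ask whether it points at the appliance or its internal network. The following added example implements that check over captured HTTP bodies; it is written for this page, is not part of Ivanti's tooling, and the three payloads in it are constructed for the demonstration (the 8090 loopback port and the 10.0.0.5 / idp.example.com hosts are assumptions). It handles raw XML bodies as well as the base64 and deflated SAMLRequest form fields the Redirect and POST bindings produce, which a plaintext content match misses.

```python
"""Offline scan of captured HTTP bodies for SAML URI references that would
make the appliance fetch an internal resource.

Added example for this page, not Ivanti tooling; payloads are constructed.
Standard-library XML parsing is used for portability; on a production
collector substitute defusedxml for the same calls to resist XML-bomb input.
"""
import base64
import ipaddress
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

DS_NS = "{http://www.w3.org/2000/09/xmldsig#}"
# XML Signature elements whose URI attribute a signature stack may dereference.
URI_ATTRS = {DS_NS + "RetrievalMethod": "URI", DS_NS + "Reference": "URI"}


def decode_saml_param(value):
    """XML text from a SAMLRequest/SAMLResponse value (base64, maybe raw DEFLATE)."""
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15).decode("utf-8")  # Redirect binding: deflated
    except zlib.error:
        return raw.decode("utf-8")                        # POST binding: plain base64


def xml_documents(http_body):
    """Yield each XML document carried by a request body."""
    if http_body.lstrip().startswith("<"):
        yield http_body.lstrip()                          # raw XML, e.g. a SOAP body
        return
    for key, values in parse_qs(http_body).items():
        if key in ("SAMLRequest", "SAMLResponse"):
            for value in values:
                yield decode_saml_param(value)


def target_is_internal(uri):
    """True if dereferencing `uri` would reach the appliance's own filesystem,
    its loopback services, or an RFC 1918 / link-local neighbour."""
    parts = urlsplit(uri)
    if parts.scheme == "file":
        return True
    host = parts.hostname
    if host is None:
        return False                      # fragment reference such as "#_req1"
    if host.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                      # DNS name: cannot be judged offline
    return addr.is_loopback or addr.is_private or addr.is_link_local


def scan_body(http_body):
    """Return [(element_name, uri), ...] for every dereferenceable URI in the
    body that points at an internal target."""
    findings = []
    for doc in xml_documents(http_body):
        try:
            root = ET.fromstring(doc)
        except ET.ParseError:
            continue
        for element in root.iter():
            attr = URI_ATTRS.get(element.tag)
            uri = element.get(attr) if attr else None
            if uri and target_is_internal(uri):
                findings.append((element.tag[len(DS_NS):], uri))
    return findings


def encode_redirect_binding(xml_text):
    """Build a SAMLRequest form field the way the HTTP-Redirect binding does."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return "SAMLRequest=" + quote(base64.b64encode(deflated).decode("ascii"), safe="")


_SIGNATURE = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
              '<ds:SignedInfo><ds:Reference URI="#_req1"/></ds:SignedInfo>'
              '<ds:KeyInfo><ds:RetrievalMethod URI="{uri}"/></ds:KeyInfo></ds:Signature>')
_AUTHN = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          'ID="_req1" Version="2.0">{sig}</samlp:AuthnRequest>')

# Constructed sample 1: raw SOAP body, key reference aimed at the loopback REST API.
SAMPLE_SOAP = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
               + _AUTHN.format(sig=_SIGNATURE.format(uri="http://127.0.0.1:8090/api/v1/"))
               + '</soap:Body></soap:Envelope>')
# Constructed sample 2: deflated, base64-encoded SAMLRequest probing an RFC 1918 host.
SAMPLE_REDIRECT = encode_redirect_binding(
    _AUTHN.format(sig=_SIGNATURE.format(uri="http://10.0.0.5:8443/")))
# Constructed sample 3: benign, key fetched from the configured IdP.
SAMPLE_BENIGN = _AUTHN.format(sig=_SIGNATURE.format(uri="https://idp.example.com/keys"))
```

Run it against exported request logs or a TLS-terminating proxy's body captures; anything returned by scan_body is a request the appliance should never have been asked to make and warrants the compromise assessment described in the remediation steps.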

Suricata signature:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Ivanti Connect Secure CVE-2024-21893 SAML SSRF - RetrievalMethod URI to loopback or private address"; flow:established,to_server; http.uri; content:"saml"; nocase; http.request_body; content:"RetrievalMethod"; nocase; content:"URI="; nocase; distance:0; within:64; pcre:"/^[\x22\x27]https?:\/\/(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost|\[::1\]|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3})/Ri"; reference:cve,2024-21893; classtype:web-application-attack; sid:9002189; rev:2;)

Two caveats apply. The appliance's SAML endpoints are served over HTTPS, so the rule only fires where TLS is terminated in front of the sensor (a decrypting proxy or a tap on the backend side of a load balancer). It also matches only raw XML in the request body; on the HTTP-Redirect and HTTP-POST bindings the SAMLRequest value is base64-encoded, and on the Redirect binding additionally deflated, so those requests must be decoded and inspected out of band.

Timeline

Date                 Event
January 10, 2024     Ivanti discloses CVE-2023-46805 and CVE-2024-21887, with an interim mitigation XML
January 2024         Ivanti and external researchers identify the SAML SSRF while investigating the January exploitation wave
January 31, 2024     Ivanti publishes the advisory for CVE-2024-21893 (alongside CVE-2024-21888), an updated mitigation XML, and the first patched builds
February 2, 2024     CISA adds CVE-2024-21893 to the KEV catalogue; public proof-of-concept code circulates
February 2024        Remaining release branches patched; threat actors incorporate the SSRF into their attack chains
February 2024        CISA Emergency Directive 24-01 supplemented to cover CVE-2024-21893