In early 2024, Ivanti Connect Secure (formerly Pulse Secure) became the center of the worst VPN security crisis in years. A chain of zero-days, exploited at scale by APT groups before patches were even published, exposed thousands of enterprises worldwide.
Ivanti Connect Secure: A Critical VPN
Ivanti Connect Secure is one of the most widely deployed SSL VPN solutions in enterprise environments. Its position as a network entry point, access to internal resources, and identity management capabilities make it a strategic target for attackers seeking an initial foothold.
The January 2024 Zero-Day Chain
CVE-2023-46805 — Auth Bypass (CVSS 8.2)
An authentication bypass in Ivanti ICS's web component. By manipulating URL path routing, an attacker can access restricted resources without authenticating.
Affected versions: ICS 9.x, 22.x
CVE-2024-21887 — Command Injection (CVSS 9.1)
A command injection in Ivanti ICS web components. Combined with CVE-2023-46805, it enables unauthenticated remote code execution.
Exploit chain:
CVE-2023-46805 (auth bypass) → CVE-2024-21887 (RCE)
= Arbitrary command execution without credentials
Both CVEs were being exploited as zero-days since early December 2023 — more than a month before Ivanti's public disclosure on January 10, 2024.
CVE-2024-21893 — SSRF (CVSS 8.2)
Disclosed January 31, 2024: a Server-Side Request Forgery in Ivanti ICS's SAML component enabling authentication bypass. It was already being exploited as a zero-day at the time of disclosure.
CVE-2024-21888 — Privilege Escalation (CVSS 8.8)
Privilege escalation in the web component allowing root access.
Exploitation by APT Groups
CISA and the FBI confirmed active exploitation by multiple groups:
UNC5221 (attributed to China):
- First group to exploit the chain in December 2023
- Deployed GLASSTOKEN web shell for persistence
- Credential exfiltration and lateral movement
Other groups:
- Multiple unnamed APTs quickly developed their own exploits after public disclosure
- Cybercriminal gangs integrated exploits into automated attack kits
Targeted Sectors
Government, defense, telecommunications, finance, healthcare — all sectors using Ivanti Connect Secure for remote access.
Ivanti's Chaotic Response
Ivanti's crisis management was widely criticized:
- Patch delays: first official patches weren't available until January 22, 2024 — 12 days after disclosure, and only for some versions
- Defective integrity checker: Ivanti's provided tool failed to detect certain advanced persistence methods
- Cascading new CVEs: successive patches revealed additional vulnerabilities
CISA took the unusual step of ordering US federal agencies to disconnect all Ivanti devices on February 19, 2024.
Detecting a Compromise
Suspicious Behaviors to Look For
# Connections established to external IPs from the VPN process
netstat -antp | grep ivanti
# Recently modified files in web directories
# (/tmp/ref_date is a marker file whose mtime is the reference point, e.g. a date before the first known exploitation;
#  the name tests must be grouped in parentheses, otherwise -newer applies only to *.cgi and every *.pl file is listed)
find /home/webserver/htdocs/ -newer /tmp/ref_date \( -name "*.cgi" -o -name "*.pl" \)
# Suspicious processes launched by the VPN service
ps aux | grep -E "curl|wget|python|perl|bash" | grep -v root
Published IOCs
Mandiant and Volexity published detailed IOCs including:
- Hashes for GLASSTOKEN, CHAINLINE, FRAMESTING web shells
- C2 IPs used by UNC5221
- Abnormal HTTP request patterns in logs
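The file and log checks from the two sections above, as an added example that is not part of the original article and is not Ivanti's or any vendor's tool: the find test groups the name alternatives in parentheses so that -newer applies to both extensions, and the log scan flags request paths carrying a traversal sequence, one generic form of the abnormal HTTP request patterns the IOC reports describe. The directory layout, reference file, log format (Apache combined) and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the article or from Ivanti): two defender-side checks.
# Assumes find, POSIX awk, and an Apache combined-format access log.

# List CGI/Perl files under DIR modified more recently than REF_FILE.
# The name tests must be grouped: without the parentheses, -newer binds
# only to the *.cgi branch and every *.pl file is listed regardless of age.
find_recent_web_scripts() {
    dir="$1"; ref="$2"
    find "$dir" -type f -newer "$ref" \( -name "*.cgi" -o -name "*.pl" \) | sort
}

# Print request lines whose path (field 7 of the combined log format) carries
# a traversal sequence: "..", or its URL-encoded form %2e%2e in any case mix.
traversal_requests() {
    awk 'tolower($7) ~ /(\.\.|%2e%2e|%2e\.|\.%2e)/ { print }' "$1"
}

# Count such lines; prints the count to stdout.
count_traversal_requests() {
    traversal_requests "$1" | wc -l | tr -d ' '
}

# Write a constructed sample log (invented hosts, paths and timestamps).
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10 - - [12/Jan/2024:03:14:07 +0000] "GET /vpn/login.cgi HTTP/1.1" 200 5123
203.0.113.10 - - [12/Jan/2024:03:14:09 +0000] "GET /api/status/../../admin/ HTTP/1.1" 200 812
198.51.100.7 - - [12/Jan/2024:03:15:00 +0000] "GET /vpn/css/site.css HTTP/1.1" 200 3010
203.0.113.10 - - [12/Jan/2024:03:16:41 +0000] "GET /api/status/%2e%2e/%2E%2E/admin/ HTTP/1.1" 200 812
EOF
}

# Demo on a throwaway directory: one stale .cgi, one stale .pl, one fresh .pl,
# one fresh non-script file. Only the fresh .pl should be reported.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs"
    touch -t 202312010000 "$tmp/ref_date"                  # reference point (constructed)
    touch -t 202311150000 "$tmp/htdocs/old.cgi" "$tmp/htdocs/old.pl"
    touch -t 202401120000 "$tmp/htdocs/new.pl" "$tmp/htdocs/notes.txt"
    echo "Scripts newer than reference:"
    find_recent_web_scripts "$tmp/htdocs" "$tmp/ref_date"
    make_sample_log "$tmp/access.log"
    echo "Requests with traversal sequences: $(count_traversal_requests "$tmp/access.log")"
    traversal_requests "$tmp/access.log"
    rm -rf "$tmp"
}

demo
```

The traversal pattern is deliberately broad: it will also flag legitimate clients that send odd paths, so treat hits as leads for the timeline, not as confirmation on their own.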
Remediation
1. Apply All Available Patches
Ivanti released patches progressively, version by version. Check the official Ivanti security page for the build that applies to each appliance.
2. CISA-Recommended Factory Reset Procedure
For potentially compromised systems, Ivanti and CISA recommend a complete factory reset followed by rebuilding from a clean image — not simply patching.
3. Verify Integrity
# Use Ivanti's ICT (Integrity Checker Tool)
# But note its limitations — supplement with manual forensic analysis
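A manual supplement to the integrity checker, as an added example that is not the article's and is not Ivanti's ICT: a manifest of file hashes taken from a known-clean image is compared against the live web directory, and every file that was modified, added or removed since the baseline is reported. It assumes sha256sum from GNU coreutils (shasum -a 256 on BSD/macOS), a baseline captured before the appliance went into service, and paths without whitespace; the directory layout and file contents in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the article or from Ivanti's ICT): compare a web
# directory against a hash manifest captured from a known-clean image.
# Assumes GNU sha256sum and file paths without whitespace.

# Write "hash  ./relative/path" lines for every regular file under DIR.
build_manifest() {
    dir="$1"; out="$2"
    ( cd "$dir" && find . -type f -exec sha256sum {} + ) | sort -k2 > "$out"
}

# Compare DIR with the BASELINE manifest; prints one finding per line:
#   ADDED    path   present now, absent from the baseline
#   MISSING  path   listed in the baseline, gone now
#   MODIFIED path   same path, different content hash
# (The NR == FNR idiom reads the baseline first; it assumes the baseline is
#  not empty, which holds for any real appliance image.)
compare_manifest() {
    dir="$1"; baseline="$2"
    current=$(mktemp)
    build_manifest "$dir" "$current"
    awk 'NR == FNR { base[$2] = $1; next }
         {
             seen[$2] = 1
             if (!($2 in base))        print "ADDED    " $2
             else if (base[$2] != $1)  print "MODIFIED " $2
         }
         END { for (f in base) if (!(f in seen)) print "MISSING  " f }' \
        "$baseline" "$current" | sort
    rm -f "$current"
}

# Demo: build a baseline, simulate tampering, report the differences.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs/cgi"
    printf 'clean login handler\n' > "$tmp/htdocs/cgi/login.cgi"
    printf 'clean helper\n'        > "$tmp/htdocs/cgi/helper.pl"
    printf 'static page\n'         > "$tmp/htdocs/index.html"
    build_manifest "$tmp/htdocs" "$tmp/baseline.sha256"   # taken from the clean image

    # Simulated post-deployment changes (constructed, no real payload).
    printf 'tampered login handler\n' > "$tmp/htdocs/cgi/login.cgi"
    rm "$tmp/htdocs/cgi/helper.pl"
    printf 'unexpected file\n'        > "$tmp/htdocs/cgi/extra.cgi"

    compare_manifest "$tmp/htdocs" "$tmp/baseline.sha256"
    rm -rf "$tmp"
}

demo
```

The baseline has to come from media you trust (the vendor image or a hash list kept off the appliance), and the comparison should run from a live rescue environment rather than from the appliance's own shell, since a persistence mechanism that controls the running system can lie to any tool executed on it. That is the same limitation the article notes for the ICT, and it is why a factory reset is the recommended path for anything that may have been compromised.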
4. Consider Alternatives
Given Ivanti's vulnerability track record, some organizations have migrated to other VPN solutions (Zscaler ZPA, Palo Alto GlobalProtect, Microsoft Always On VPN).
Ivanti CVEs in 2024–2025: The List Grows
Beyond VPNs, other Ivanti products have been affected:
- CVE-2024-29824 (CVSS 9.6): RCE in Ivanti Endpoint Manager
- CVE-2024-7593 (CVSS 9.8): Auth bypass in Ivanti vTM
- CVE-2025-0282 (CVSS 9.0): Stack overflow in ICS, exploited as zero-day in January 2025
Ivanti has become one of the most targeted vendors of 2024–2025.
Monitor all Ivanti CVEs on cveo.tech — register your appliances in your asset inventory for automatic alerts.