Tags: Ivanti, Connect Secure, CVE-2024-21887, VPN, zero-day, APT

Ivanti Connect Secure: Critical CVEs 2024 Massively Exploited

Ivanti Connect Secure accounted for some of the worst vulnerabilities of 2024. An analysis of CVE-2024-21887, CVE-2023-46805 and CVE-2024-21893, plus hardening measures.

April 23, 2026 · 3 min read

In early 2024, Ivanti Connect Secure (formerly Pulse Secure) became the center of the worst VPN security crisis in years. A combination of chained zero-days, massively exploited by APT groups before patches were even published, exposed thousands of enterprises worldwide.

Ivanti Connect Secure: A Critical VPN

Ivanti Connect Secure is one of the most widely deployed SSL VPN solutions in enterprise environments. Its position as a network entry point, access to internal resources, and identity management capabilities make it a strategic target for attackers seeking an initial foothold.

The January 2024 Zero-Day Chain

CVE-2023-46805 — Auth Bypass (CVSS 8.2)

An authentication bypass in Ivanti ICS's web component. By manipulating URL path routing, an attacker can access restricted resources without authenticating.

Affected versions: ICS 9.x, 22.x

CVE-2024-21887 — Command Injection (CVSS 9.1)

A command injection in Ivanti ICS web components. Combined with CVE-2023-46805, it enables unauthenticated remote code execution.

Exploit chain:

CVE-2023-46805 (auth bypass) → CVE-2024-21887 (RCE)
= Arbitrary command execution without credentials

Both CVEs were being exploited as zero-days since early December 2023 — more than a month before Ivanti's public disclosure on January 10, 2024.

CVE-2024-21893 — SSRF (CVSS 8.2)

Disclosed January 31, 2024: a Server-Side Request Forgery in Ivanti ICS's SAML component enabling authentication bypass. Exploited as a zero-day simultaneously with disclosure.

CVE-2024-21888 — Privilege Escalation (CVSS 8.8)

Privilege escalation in the web component allowing root access.

Exploitation by APT Groups

CISA and the FBI confirmed active exploitation by multiple groups:

UNC5221 (attributed to China):

  • First group to exploit the chain in December 2023
  • Deployed GLASSTOKEN web shell for persistence
  • Credential exfiltration and lateral movement

Other groups:

  • Multiple unnamed APTs quickly developed their own exploits after public disclosure
  • Cybercriminal gangs integrated exploits into automated attack kits

Targeted Sectors

Government, defense, telecommunications, finance, healthcare — all sectors using Ivanti Connect Secure for remote access.

Ivanti's Chaotic Response

Ivanti's crisis management was widely criticized:

  1. Patch delays: first official patches weren't available until January 22, 2024 — 12 days after disclosure, and only for some versions
  2. Defective integrity checker: Ivanti's provided tool failed to detect certain advanced persistence methods
  3. Cascading new CVEs: successive patches revealed additional vulnerabilities

CISA took the unusual step of ordering US federal agencies to disconnect all Ivanti devices on February 19, 2024.

Detecting a Compromise

Suspicious Behaviors to Look For

# Connections established to external IPs from the VPN process
netstat -antp | grep ivanti

# Recently modified files in web directories. Create the reference timestamp first,
# e.g. touch -d "2023-12-01" /tmp/ref_date; the parentheses make -newer apply to both
# name patterns (without them, every *.pl file would be listed regardless of age).
find /home/webserver/htdocs/ -type f -newer /tmp/ref_date \( -name "*.cgi" -o -name "*.pl" \)

# Suspicious processes launched by the VPN service (the second grep also drops the grep itself)
ps aux | grep -E "curl|wget|python|perl|bash" | grep -v -e grep -e root

Published IOCs

Mandiant and Volexity published detailed IOCs including:

  • Hashes for GLASSTOKEN, CHAINLINE, FRAMESTING web shells
  • C2 IPs used by UNC5221
  • Abnormal HTTP request patterns in logs
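As an added example (not from the original post, Mandiant, Volexity or Ivanti), a small log check for the "abnormal HTTP request patterns" class that matters for a path-routing authentication bypass: it flags requests whose path contains dot-segments, double slashes or percent-encoded path characters, and shows the path a lenient router would resolve them to. The log format follows the common log format; the sample lines and every path in them are constructed and are not the affected appliance endpoints.

```python
import re
from urllib.parse import unquote

# Common-log-format line: client, identity, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})')

# Constructed sample access log: fictional paths, not the real appliance endpoints.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2024:03:14:07 +0000] "GET /portal/auth/welcome.cgi HTTP/1.1" 200 5120
203.0.113.5 - - [12/Jan/2024:03:14:09 +0000] "GET /web/health/../../restricted/resource HTTP/1.1" 200 310
198.51.100.7 - - [12/Jan/2024:03:15:30 +0000] "GET /web/%2e%2e/%2e%2e/restricted/resource HTTP/1.1" 200 310
192.0.2.9 - - [12/Jan/2024:03:16:01 +0000] "GET /portal//auth/welcome.cgi HTTP/1.1" 200 5120
"""

def normalize_path(raw):
    """Resolve the path like a lenient router: decode twice (double encoding), '..' pops, drop '' and '.'."""
    decoded = unquote(unquote(raw.split('?', 1)[0]))
    out = []
    for seg in decoded.split('/'):
        if seg == '..':
            out = out[:-1]
        elif seg not in ('', '.'):
            out.append(seg)
    return '/' + '/'.join(out)

def flag_request(line):
    """Return a finding dict when the raw path is not a plain literal path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group('path').split('?', 1)[0]
    decoded = unquote(unquote(raw))
    reasons = []
    if any(seg in ('.', '..') for seg in decoded.split('/')):
        reasons.append('dot-segment')          # traversal from one route into another
    if '//' in decoded:
        reasons.append('double-slash')         # empty segment many routers silently collapse
    if re.search(r'%2[eEfF]', raw):
        reasons.append('encoded-path-char')    # '.' or '/' hidden behind percent-encoding
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'status': m.group('status'),
            'raw': raw, 'normalized': normalize_path(raw), 'reasons': reasons}

def scan(lines):
    """Findings for an iterable of log lines; a 200 on a restricted normalized path is the alarming case."""
    return [f for f in (flag_request(l) for l in lines) if f]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} {f['status']} {f['raw']} -> {f['normalized']} {f['reasons']}")
```

Run it against the appliance's exported access logs instead of SAMPLE_LOG; hits with a successful status on a path that normalizes into an area the client should not reach unauthenticated deserve a forensic look, not just a patch.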

Remediation

1. Apply All Available Patches

Ivanti released progressive patches. Check the official Ivanti security page.

2. CISA-Recommended Factory Reset Procedure

For potentially compromised systems, Ivanti and CISA recommend a complete factory reset followed by rebuilding from a clean image — not simply patching.

3. Verify Integrity

# Use Ivanti's ICT (Integrity Checker Tool)
# But note its limitations — supplement with manual forensic analysis

4. Consider Alternatives

Given Ivanti's vulnerability track record, some organizations have migrated to other VPN solutions (Zscaler ZPA, Palo Alto GlobalProtect, Microsoft Always On VPN).

Ivanti CVEs in 2024–2025: The List Grows

Beyond VPNs, other Ivanti products have been affected:

  • CVE-2024-29824 (CVSS 9.6): RCE in Ivanti Endpoint Manager
  • CVE-2024-7593 (CVSS 9.8): Auth bypass in Ivanti vTM
  • CVE-2025-0282 (CVSS 9.0): Stack overflow in ICS, exploited as zero-day in January 2025

Ivanti has become one of the most targeted vendors of 2024–2025.


Monitor all Ivanti CVEs on cveo.tech — register your appliances in your asset inventory for automatic alerts.
