In early January 2024, Ivanti disclosed two critical vulnerabilities affecting their Connect Secure (formerly Pulse Secure) VPN appliances. When chained together, CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) allow an unauthenticated attacker to achieve remote code execution on one of the most widely deployed enterprise VPN platforms.
Vulnerability Chain Analysis
The first vulnerability, CVE-2023-46805, is a path traversal flaw in the web component that bypasses authentication checks: specific API endpoints that should require admin credentials can be reached by manipulating the request URI. This alone is serious, but the real danger emerges when combined with the second flaw.
CVE-2024-21887 is a command injection vulnerability in multiple web components accessible to authenticated administrators. By chaining the authentication bypass with this injection point, an attacker can execute arbitrary commands as root without any credentials whatsoever.
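The defensive lesson of a traversal-based authentication bypass is that an authorization decision must be made on the canonical request path, not on the raw URI. The following Python is an added illustration written for this advisory; it is not code from the advisory, from Ivanti, or from the affected appliance, and the route prefixes (/api/v1/public, /api/v1/admin) are hypothetical. It places the flawed prefix-matching pattern beside a hardened version that percent-decodes, normalizes dot segments, matches prefixes segment by segment, and denies by default.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical route table (NOT Ivanti's real endpoints): anything under a
# PUBLIC prefix is reachable without credentials; everything else needs an
# administrator session.
PUBLIC_PREFIXES = ("/api/v1/public",)
ADMIN_PREFIXES = ("/api/v1/admin",)


def _under(path: str, prefix: str) -> bool:
    """True if path is the prefix itself or a descendant of it (segment-aware,
    so '/api/v1/publicx' is not treated as being under '/api/v1/public')."""
    return path == prefix or path.startswith(prefix + "/")


def requires_auth_naive(raw_path: str) -> bool:
    """The flawed pattern: the public allow-list is matched against the raw
    request URI before any normalisation, so '..' segments are never seen."""
    if raw_path.startswith(PUBLIC_PREFIXES):
        return False
    return raw_path.startswith(ADMIN_PREFIXES)


def canonicalize(raw_path: str) -> str:
    """Percent-decode (twice, to catch double encoding), then collapse '.',
    '..' and repeated slashes. posixpath.normpath never lets '..' climb above
    '/', so the result is always an absolute path inside the URI root."""
    path = unquote(unquote(raw_path))
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def requires_auth_hardened(raw_path: str) -> bool:
    """The corrected pattern: decide on the canonical path and default to
    requiring credentials for anything that is not explicitly public."""
    canon = canonicalize(raw_path)
    return not any(_under(canon, p) for p in PUBLIC_PREFIXES)


def authorize(raw_path: str, has_admin_session: bool) -> bool:
    """Gate a request: True if it may proceed to its handler."""
    return has_admin_session or not requires_auth_hardened(raw_path)


if __name__ == "__main__":
    for p in ("/api/v1/admin/status", "/api/v1/public/../admin/status",
              "/api/v1/public/%2e%2e/admin/status", "/api/v1/public/login"):
        print(f"{p:40} naive={requires_auth_naive(p)!s:5} "
              f"hardened={requires_auth_hardened(p)}")
```

The important design choice is that the hardened check never consults an admin prefix list at all: every path that does not canonicalize to a public route requires credentials, so a new endpoint that is forgotten in the route table fails closed rather than open.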
Active Exploitation and Threat Actor Activity
Our threat intelligence team tracked exploitation in the wild beginning December 2023, weeks before the public disclosure. Attribution analysis linked early exploitation to a sophisticated threat actor cluster we track as UTA0178, later confirmed by Mandiant as a China-nexus espionage group. The attackers deployed webshells, credential harvesters, and lateral movement tools across victim networks.
By mid-January, mass exploitation was underway. Our honeypot network detected scanning and exploitation attempts from over 200 unique source IPs within the first 48 hours of PoC availability. CISA issued an emergency directive requiring all federal agencies to disconnect affected devices.
IOCs and Detection
Key indicators include modifications to legitimate Ivanti files (particularly in /home/perl/ and /home/webserver/), unexpected cron entries, and outbound connections to known C2 infrastructure. We have published YARA rules and Snort signatures in our Strobes Threat Intel feed for detecting exploitation attempts.
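The first two indicators above (tampered files under /home/perl/ and /home/webserver/, and unexpected cron entries) lend themselves to a simple integrity triage. The following Python is an added example written for this advisory, not a tool from the advisory, from Ivanti, or from the Strobes feed. It compares a snapshot of the watched directories against a baseline of SHA-256 hashes and compares active crontab lines against an expected set. All file contents, file names below the watched directories, and crontab lines are constructed for the example; on a real appliance the baseline would come from a known-clean image of the same version and the snapshot from walking the live filesystem.

```python
import hashlib
from dataclasses import dataclass

# Directories the advisory names as the usual location of tampered files.
WATCHED_DIRS = ("/home/perl/", "/home/webserver/")


@dataclass(frozen=True)
class Finding:
    kind: str    # "modified", "added", "missing" or "cron"
    detail: str  # file path or crontab line


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good content, standing in for a clean image of the same
# appliance version. File names are illustrative, not real Ivanti paths.
KNOWN_GOOD = {
    "/home/perl/Example.pm": b"package Example; 1;\n",
    "/home/webserver/htdocs/example.cgi": b"#!/usr/bin/perl\nprint 'ok';\n",
    "/home/etc/unrelated.conf": b"key=value\n",
}
BASELINE = {path: sha256_hex(data) for path, data in KNOWN_GOOD.items()}

# Constructed snapshot of a suspect appliance: one watched file changed,
# one unchanged, one new file dropped into a watched directory.
SUSPECT_SNAPSHOT = {
    "/home/perl/Example.pm": b"package Example; 1;\n# constructed: unexpected extra line\n",
    "/home/webserver/htdocs/example.cgi": b"#!/usr/bin/perl\nprint 'ok';\n",
    "/home/webserver/htdocs/extra.cgi": b"# constructed: file absent from baseline\n",
    "/home/etc/unrelated.conf": b"key=value\n",
}

# Constructed crontab: the first entry is expected, the second is not.
BASELINE_CRON = {"0 3 * * * root /home/bin/rotate-logs.sh"}
SUSPECT_CRONTAB = """\
# constructed crontab
0 3 * * * root /home/bin/rotate-logs.sh
*/5 * * * * root /tmp/.cache/sync.sh
"""


def check_files(baseline, snapshot, watched=WATCHED_DIRS):
    """Compare a live snapshot {path: bytes} against a baseline {path: sha256},
    reporting added, modified and missing files under the watched directories."""
    findings = []
    for path, data in snapshot.items():
        if not path.startswith(watched):
            continue
        if path not in baseline:
            findings.append(Finding("added", path))
        elif baseline[path] != sha256_hex(data):
            findings.append(Finding("modified", path))
    for path in baseline:
        if path.startswith(watched) and path not in snapshot:
            findings.append(Finding("missing", path))
    return findings


def check_cron(baseline_entries, crontab_text):
    """Flag every active (non-blank, non-comment) crontab line that is not in
    the expected set."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and line not in baseline_entries:
            findings.append(Finding("cron", line))
    return findings


def triage(baseline, snapshot, baseline_cron, crontab_text):
    return check_files(baseline, snapshot) + check_cron(baseline_cron, crontab_text)


if __name__ == "__main__":
    for f in triage(BASELINE, SUSPECT_SNAPSHOT, BASELINE_CRON, SUSPECT_CRONTAB):
        print(f"{f.kind:9} {f.detail}")
```

Two caveats apply in practice. A hash comparison only proves that a file differs from the baseline, not what was done with it, so each finding still needs a human to diff the content. And because the baseline is the trust anchor, it must be taken from clean media rather than from the suspect appliance itself, otherwise an attacker who modified files before the baseline was captured would be invisible to the check.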
Organizations running Ivanti Connect Secure should assume compromise if they were running vulnerable versions before patching and conduct thorough forensic investigation of affected appliances.