Threats / Ivanti / CVE-2024-21887
CVE-2024-21887
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Ivanti Connect Secure and Policy vulnerability
Ivanti Connect Secure and Policy Secure contain a command injection vulnerability in web components allowing authenticated administrators to execute arbitrary code on affected appliances.
Verdict
Today item, not a backlog item.
An authenticated attacker can inject commands through crafted web requests to achieve remote code execution on Ivanti Connect Secure and Policy Secure appliances. When combined with CVE-2023-46805, unauthenticated attackers may bypass authentication and exploit this vulnerability.
CISA KEV Yes · 2024-01-103Ransomware use Flagged3EPSS 0.99999 (verify live)4Exploit Weaponized · public PoC5
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Fully weaponized — public exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
885 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2024-01-10), flagged for known ransomware use.
Probability (EPSS)
EPSS 0.99999 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Ivanti, Connect Secure and Policy Secure. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-77 Command Injection — weakness family: Injection.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyVolt Typhoon State-sponsored (PRC)
CISA, NSA and FBI's AA24-038A attributes pre-positioning on US critical-infrastructure IT networks to Volt Typhoon, naming the group's exploitation of public-facing appliance vulnerabilities including the Ivanti Connect Secure (CVE-2024-21887) and Fortinet FortiOS (CVE-2022-42475) CVEs.15
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I exploit CVE-2023-46805 to bypass authentication and gain administrative access to the appliance.
Business
Security perimeter is compromised as authentication controls fail to prevent unauthorized administrative access.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I craft malicious web requests containing command injection payloads and send them to the vulnerable web components.
Business
Input validation failures allow arbitrary code execution within the appliance infrastructure.
3
Lateral reach — past segmentation narrative 3
Attacker
I execute arbitrary commands with appliance privileges to establish persistence, exfiltrate data, or deploy ransomware.
Business
Complete compromise of VPN and policy infrastructure enables lateral movement, data theft, and operational disruption through ransomware deployment.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05