CVE-2023-46805 Vulnerability

What is CVE-2023-46805 Vulnerability?

CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways. In simple terms, it lets an attacker sidestep access controls and get into protected parts of the VPN gateway without needing to log in. This vulnerability is the key that unlocks the door for more severe attacks, especially when combined with a command injection flaw.

When was it discovered?

The vulnerability was disclosed by Ivanti on January 10, 2024, after security researchers observed it being actively exploited in the wild. This wasn't a theoretical bug; attackers were already using it to hit targets. The active exploitation by sophisticated threat actors, including state-sponsored groups, made this a zero-day vulnerability that sent sysadmins everywhere scrambling.

Affected Products & Versions

Product	Versions Affected	Fixed Versions / Patches
Ivanti Connect Secure (ICS)	9.x, 22.x	Patches available for all affected versions
Ivanti Policy Secure	9.x, 22.x	Patches available for all affected versions
Ivanti Neurons for ZTA		Not vulnerable

CVE-2023-46805 technical description

The vulnerability is a path traversal issue within the appliance's web interface. By sending a specially crafted request to the device, an attacker can bypass authentication checks. The exploit involves manipulating certain URI paths to access restricted endpoints. This flaw doesn't grant code execution on its own, but it gives an unauthenticated attacker access to the internal workings of the VPN gateway, setting the stage for a more damaging follow-up attack.

Tactics, Techniques & Procedures (TTPs)

Attackers use CVE-2023-46805 as their way in. They scan the internet for vulnerable Ivanti gateways. Once a target is found, they exploit this vulnerability to bypass the login screen. From there, they almost always chain it with another exploit, like the command injection flaw CVE-2024-21887. This combo allows them to execute arbitrary commands, deploy web shells for persistent access, steal credentials, and pivot deeper into the corporate network.

Indicators of Compromise

Key indicators include unusual entries in the device's web logs, showing access to normally restricted endpoints from unauthenticated IP addresses. Ivanti also released an Integrity Checker Tool that can scan the system for signs of compromise, such as modified files or new, unauthorized processes. EDR and SIEM solutions can be used to monitor for outbound connections from the VPN appliance to suspicious domains or for the creation of web shells in device directories.

Known Proof-of-Concepts & Exploits

This vulnerability was exploited as a zero-day before it was publicly disclosed. Security researchers and threat actors quickly developed and published proof-of-concept code. The exploit chain (CVE-2023-46805 + CVE-2024-21887) has been used by multiple APT groups to gain initial access and establish long-term persistence within target networks across government, defense, and technology sectors.

How to detect CVE-2023-46805 Vulnerability?

First, check if you are running a vulnerable version of Ivanti Connect Secure or Policy Secure. If so, you need to act fast. Run the external Integrity Checker Tool provided by Ivanti to scan for any signs of compromise. This is critical because you may have been compromised before you could patch. Network and log analysis should be performed to look for the specific IOCs associated with the exploit chain.

Impact & risk of CVE-2023-46805 Vulnerability

The impact is severe. Because VPN gateways sit at the edge of a network, their compromise provides a direct path into an organization's internal resources. Successful exploitation of the full chain gives an attacker a powerful foothold to exfiltrate data, deploy ransomware, and conduct espionage. For any organization relying on these appliances for secure remote access, this vulnerability poses a direct and critical threat to the entire network.

Mitigation & remediation strategies

Patching is the top priority. Ivanti has released updates for all affected versions and you need to apply them immediately. Before patching, however, you must run the Integrity Checker Tool to check for signs of compromise. If the tool finds anything, you are in incident response mode. As a temporary measure before patches were available, Ivanti provided a workaround via an XML file import, but this is no substitute for a full patch.

CVE-2023-46805 Vulnerability FAQs

CVE-2023-46805 is an authentication bypass flaw in Ivanti VPN appliances. It lets an attacker get past the login page by sending a specially crafted web request, giving them access to restricted areas of the device.

It doesn't infect a system, but it opens the door for an infection. Attackers exploit it to get inside the VPN appliance's web interface. From there, they typically use a second vulnerability (like CVE-2024-21887) to run malicious code, install backdoors, and take control.

Yes. Any internet-facing device that remains unpatched is a sitting duck. Attackers are constantly scanning for vulnerable Ivanti gateways. Given the critical position these devices hold, this vulnerability will remain a favorite target for a long time.

Patch now! Applying the official updates from Ivanti is the only real fix. Before you patch, you must run Ivanti's Integrity Checker Tool to ensure you haven't already been compromised. If you find signs of an intrusion, patching alone is not enough—you need to begin a full incident response.