CVE-2023-46805 Vulnerability
Published: 12/16/25
Written by: Nadine Rozell
What is CVE-2023-46805 Vulnerability?
CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways. In simple terms, it lets an attacker sidestep access controls and get into protected parts of the VPN gateway without needing to log in. This vulnerability is the key that unlocks the door for more severe attacks, especially when combined with a command injection flaw.
When was it discovered?
The vulnerability was disclosed by Ivanti on January 10, 2024, after security researchers observed it being actively exploited in the wild. This wasn't a theoretical bug; attackers were already using it to hit targets. The active exploitation by sophisticated threat actors, including state-sponsored groups, made this a zero-day vulnerability that sent sysadmins everywhere scrambling.
Affected Products & Versions
Product | Versions Affected | Fixed Versions / Patches |
Ivanti Connect Secure (ICS) | 9.x, 22.x | Patches available for all affected versions |
Ivanti Policy Secure | 9.x, 22.x | Patches available for all affected versions |
Ivanti Neurons for ZTA | Not vulnerable |
CVE-2023-46805 technical description
The vulnerability is a path traversal issue within the appliance's web interface. By sending a specially crafted request to the device, an attacker can bypass authentication checks. The exploit involves manipulating certain URI paths to access restricted endpoints. This flaw doesn't grant code execution on its own, but it gives an unauthenticated attacker access to the internal workings of the VPN gateway, setting the stage for a more damaging follow-up attack.
Tactics, Techniques & Procedures (TTPs)
Attackers use CVE-2023-46805 as their way in. They scan the internet for vulnerable Ivanti gateways. Once a target is found, they exploit this vulnerability to bypass the login screen. From there, they almost always chain it with another exploit, like the command injection flaw CVE-2024-21887. This combo allows them to execute arbitrary commands, deploy web shells for persistent access, steal credentials, and pivot deeper into the corporate network.
Indicators of Compromise
Key indicators include unusual entries in the device's web logs, showing access to normally restricted endpoints from unauthenticated IP addresses. Ivanti also released an Integrity Checker Tool that can scan the system for signs of compromise, such as modified files or new, unauthorized processes. EDR and SIEM solutions can be used to monitor for outbound connections from the VPN appliance to suspicious domains or for the creation of web shells in device directories.
Known Proof-of-Concepts & Exploits
This vulnerability was exploited as a zero-day before it was publicly disclosed. Security researchers and threat actors quickly developed and published proof-of-concept code. The exploit chain (CVE-2023-46805 + CVE-2024-21887) has been used by multiple APT groups to gain initial access and establish long-term persistence within target networks across government, defense, and technology sectors.
How to detect CVE-2023-46805 Vulnerability?
First, check if you are running a vulnerable version of Ivanti Connect Secure or Policy Secure. If so, you need to act fast. Run the external Integrity Checker Tool provided by Ivanti to scan for any signs of compromise. This is critical because you may have been compromised before you could patch. Network and log analysis should be performed to look for the specific IOCs associated with the exploit chain.
Impact & risk of CVE-2023-46805 Vulnerability
The impact is severe. Because VPN gateways sit at the edge of a network, their compromise provides a direct path into an organization's internal resources. Successful exploitation of the full chain gives an attacker a powerful foothold to exfiltrate data, deploy ransomware, and conduct espionage. For any organization relying on these appliances for secure remote access, this vulnerability poses a direct and critical threat to the entire network.
Mitigation & remediation strategies
Patching is the top priority. Ivanti has released updates for all affected versions and you need to apply them immediately. Before patching, however, you must run the Integrity Checker Tool to check for signs of compromise. If the tool finds anything, you are in incident response mode. As a temporary measure before patches were available, Ivanti provided a workaround via an XML file import, but this is no substitute for a full patch.
CVE-2023-46805 Vulnerability FAQs
Protect What Matters
