CVE-2024-21887 Vulnerability: Analysis, Detection, Removal

CVEs are Common Vulnerabilities and Exposures—unique identifiers for publicly known cybersecurity vulnerabilities. CVE-2024-21887 is the other half of a devastating exploit chain targeting Ivanti Connect Secure VPNs. This command injection vulnerability is the haymaker that follows the jab of an authentication bypass, allowing attackers to take complete control of a critical network device.

This page explains how this nasty flaw works, its massive impact when chained with CVE-2023-46805, and the urgent actions you need to take. Let's lock this down.

What is CVE-2024-21887 Vulnerability?

CVE-2024-21887 is a command injection vulnerability in the web components of Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways. After an attacker gets past the login page (usually via CVE-2023-46805), this vulnerability lets them run arbitrary commands on the appliance with elevated privileges. It’s the final step in a zero-day exploit chain that gives attackers a powerful, persistent foothold right at your network's edge.

When was it discovered?

This vulnerability was disclosed by Ivanti on January 10, 2024, at the same time as its partner, CVE-2023-46805. The duo was already being exploited in the wild by sophisticated threat actors, making this a major zero-day event. The active attacks targeted government and commercial organizations, proving this was a serious threat from the moment it was announced.

Affected Products & Versions

Product	Versions Affected	Fixed Versions / Patches
Ivanti Connect Secure (ICS)	9.x, 22.x	Patches available for all affected versions
Ivanti Policy Secure	9.x, 22.x	Patches available for all affected versions
Ivanti Neurons for ZTA		Not vulnerable

CVE-2024-21887 technical description

Once an attacker has bypassed authentication using CVE-2023-46805, they can exploit CVE-2024-21887 by sending a specially crafted request to certain web endpoints on the device. Because the system does not properly sanitize user-controlled input, the attacker can inject and execute arbitrary commands. These commands run with high privileges, allowing the attacker to do pretty much anything they want on the appliance, like modifying system files, stealing credentials, or deploying backdoors.

Tactics, Techniques & Procedures (TTPs)

This vulnerability is almost always exploited as part of a chain. First, the attacker uses CVE-2023-46805 to get in. Then, they use CVE-2024-21887 to take over. Common post-exploit activities include deploying web shells for persistence, exfiltrating configuration data (including user credentials), and using the compromised VPN as a pivot point to move deeper into the internal network. It’s a full-blown gateway compromise.

Indicators of Compromise

Indicators for this vulnerability are similar to its partner flaw. Look for suspicious commands being executed by the web server process on the Ivanti appliance. Ivanti's Integrity Checker Tool is designed to spot file modifications and other signs of compromise. From a network perspective, monitor for unexpected outbound traffic from the VPN gateway, as this could be an attacker's command-and-control (C2) channel or data exfiltration.

Known Proof-of-Concepts & Exploits

The exploit chain was used by advanced persistent threat (APT) groups before it was even made public. Since the disclosure, multiple proof-of-concept scripts have been released, making the exploit accessible to a wider range of attackers. The reliability of the exploit chain made it an immediate favorite for threat actors looking to breach secure networks.

How to detect CVE-2024-21887 Vulnerability?

First, identify if you're running a vulnerable version of Ivanti Connect Secure or Policy Secure. If you are, you must run Ivanti's external Integrity Checker Tool immediately to determine if you've been compromised. This is a critical step. Security teams should also analyze device logs for any unusual command executions or file modifications that align with the known IOCs for this attack.

Impact & risk of CVE-2024-21887 Vulnerability

The impact is catastrophic. Full command execution on a perimeter security device like a VPN gateway is a worst-case scenario. It gives an attacker a stable and trusted entry point into your organization. They can intercept traffic, steal credentials, and launch further attacks against your internal infrastructure. For any organization using these devices, this vulnerability represents an urgent and severe risk.

Mitigation & remediation strategies

Patch, patch, patch. Ivanti has released updates for all affected products, and you need to apply them as soon as possible. But don't just patch and walk away. It is absolutely essential to run the Integrity Checker Tool first to look for signs of an existing compromise. If your device is compromised, you must assume your network has been breached and initiate your incident response plan. The patches will lock the door, but you need to make sure no one is already inside.

CVE-2024-21887 Vulnerability FAQs

CVE-2024-21887 is a command injection flaw in Ivanti VPN devices. After an attacker bypasses authentication (usually with CVE-2023-46805), this vulnerability lets them run any command they want on the device with high privileges.

It's the second step in an attack. After getting access, the attacker sends malicious requests to the device's web server. These requests trick the server into executing system commands, giving the attacker full control to install malware or steal data.

Absolutely. Unpatched, internet-facing VPN gateways are high-value targets. Attackers are constantly scanning for them. As long as vulnerable devices exist, this exploit chain will remain a popular method for network intrusion.

Your top priority is to apply the security patches provided by Ivanti. Before patching, you must run the Integrity Checker Tool to check for an existing compromise. If you find one, it's time to call in your incident response team.