CVE-2024-21887

Vulnerability updated 3 months ago (2024-08-28T15:17:42.781Z)
CVE-2024-21887 is a command injection vulnerability in the web components of Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways, affecting all supported versions (9.x and 22.x). On its own it lets an authenticated administrator send crafted requests that execute arbitrary commands on the appliance; chained with the authentication bypass CVE-2023-46805 it needs no credentials at all.

The Cyber Centre was made aware of both flaws on January 10, 2024, the same day Volexity published details of targeted zero-day attacks and attributed them to the actor it tracks as UTA0178 (Mandiant tracks the same activity as UNC5221). These actors typically gain initial access by exploiting a public-facing network device such as a Citrix NetScaler, F5 BIG-IP, Pulse Secure/Ivanti VPN or PAN-OS firewall. Against ICS and IPS the exploit chain is: one request abuses CVE-2023-46805 to reach a web handler that should require authentication, and a follow-up request abuses CVE-2024-21887 in that handler to inject an operating-system command, giving the attacker unauthenticated remote code execution and full control of the appliance.

Exploitation was observed in the wild before patches existed. Within one day of a public proof-of-concept (PoC) for CVE-2024-21887 being released, the group known as Magnet Goblin had malware incorporating the exploit ready. The 'Skibidi' malware strain has also been seen exploiting this vulnerability against Ivanti Connect Secure, alongside a separate vulnerability in TP-Link Archer AX21 Wi-Fi routers.

Because the chain was exploited as a zero-day, patching alone does not show that an appliance is clean: Ivanti directed customers to run its Integrity Checker Tool and to factory-reset any appliance showing signs of compromise before applying the patch. Network-side coverage is available from the Check Point IPS blade, which has signatures for Ivanti Authentication Bypass (CVE-2023-46805), Ivanti Command Injection (CVE-2024-21887) and Ivanti Server-Side Request Forgery (CVE-2024-21893).
Description last updated: 2024-08-28T15:17:10.495Z
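The two-step chain described above (first reach a handler without authenticating, then hand it a parameter that ends up in a shell) leaves a two-request pattern in the appliance's web access log. The Python below is an added example, not code from this page, from Ivanti, or from any of the vendors named here. It runs a generic heuristic over constructed combined-format access-log lines: a request whose path contains a traversal segment, followed within a short window by a request from the same source whose query string carries shell metacharacters. The request paths, IP addresses, timestamps and the 10-minute window are all assumptions; the page gives no indicators, and the real endpoints abused against Connect Secure are deliberately not reproduced.

```python
"""Heuristic detector for a bypass-then-command-injection chain in web access logs.

Added example; not vendor detection content.  Paths, IPs and timestamps in
SAMPLE_LOG are constructed and do not reflect real Ivanti request paths."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Combined-format access log entries, constructed for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:09:14:02 +0000] "GET /api/v1/public/status/../../api/v1/admin/status HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jan/2024:09:14:05 +0000] "GET /api/v1/admin/status?node=;id HTTP/1.1" 200 128 "-" "curl/8.4.0"
198.51.100.3 - - [10/Jan/2024:09:20:11 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2024:11:02:30 +0000] "GET /api/v1/admin/status?node=%24%28id%29 HTTP/1.1" 403 0 "-" "python-requests/2.31"
192.0.2.9 - - [10/Jan/2024:11:40:00 +0000] "GET /api/v1/public/%2e%2e/%2e%2e/api/v1/admin/status HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A ".." path segment: the shape of a traversal used to reach a handler that the
# front-end authentication layer would otherwise protect.
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')
# Shell metacharacters that have no business in an API parameter value.  "&" is
# left out because it is the ordinary query-string separator.
SHELL_META_RE = re.compile(r'[;|`]|\$\(')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    path, query = unquote(path), unquote(query)  # one layer of URL-decoding only
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
        "traversal": bool(TRAVERSAL_RE.search(path)),
        "shell_meta": bool(SHELL_META_RE.search(query)),
    }


def suspicious_requests(log_text):
    """Every parsed request that shows either signal on its own (weak evidence)."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return [r for r in recs if r["traversal"] or r["shell_meta"]]


def find_chains(log_text, window=timedelta(minutes=10)):
    """Return (ip, traversal_ts, injection_ts) for each source IP that sent a
    traversal request followed within `window` by a request whose query carries
    shell metacharacters: the two-step shape of a bypass-then-inject chain.
    Order matters; an injection attempt that precedes the traversal is not paired."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    chains = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            if not first["traversal"]:
                continue
            for later in recs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                if later["shell_meta"]:
                    chains.append((ip, first["ts"], later["ts"]))
                    break
    return chains


if __name__ == "__main__":
    for ip, t1, t2 in find_chains(SAMPLE_LOG):
        print(f"possible bypass+injection chain from {ip}: {t1:%H:%M:%S} -> {t2:%H:%M:%S}")
    for r in suspicious_requests(SAMPLE_LOG):
        print(f"{r['ip']} {r['status']} traversal={r['traversal']} "
              f"shell_meta={r['shell_meta']} {r['path']}?{r['query']}")
```

On the constructed sample only 203.0.113.7 produces a chain: its traversal request is followed three seconds later by a `;id` parameter. The second source sends `$(id)` first and an encoded traversal 38 minutes later, so it is reported only as two isolated suspicious requests. Two caveats apply in practice: the decoder strips a single layer of URL-encoding, so double-encoded payloads need a second pass, and a clean result from log heuristics is not evidence of a clean appliance; it does not replace Ivanti's Integrity Checker Tool.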
Aliases: none tracked
Miscellaneous Associations (other context that may help judge relevance): Ivanti, Vulnerability, Exploit, VPN, CISA, Volexity, ICS, Zero Day, Malware, PoC, Mandiant
Associated Malware
KrustyLoader (association type: unspecified; 2 votes). KrustyLoader is malware that has been identified as a significant threat to both Windows and Linux systems. First emerging on March 12, 2024, this malware stands out due to its ability to exploit vulnerabilities in systems, causing severe damage and disruption. This malware ca
Associated Threat Actors
UNC5221 (association type: unspecified; 2 votes). UNC5221, a threat actor linked to China, has been identified as the group behind recent cyberattacks involving new malware specifically designed to exploit vulnerabilities in Ivanti Connect Secure VPN and Policy Secure devices. The discovery was made by Mandiant researchers who observed the deployme
Associated Vulnerabilities
CVE-2023-46805 (association type: unspecified; 6 votes). CVE-2023-46805 is an authentication bypass vulnerability that affects all supported versions of Ivanti Connect Secure and Ivanti Policy Secure (versions 9.x and 22.x). The Cyber Centre first became aware of this flaw, along with a command injection vulnerability (CVE-2024-21887), on January 10, 2024

CVE-2024-21893 (association type: unspecified; 2 votes). CVE-2024-21893 is a server-side request forgery (SSRF) vulnerability within Ivanti's products. This particular vulnerability has been exploited in targeted attacks as a zero-day, which means it was used by attackers before the vendor became aware of and p
Source Document References
Information about CVE-2024-21887 was read from the documents listed below (display limited to 20 results; only source and relative creation date are available here).
SANS ISC (25 days ago)
CISA (3 months ago)
CERT-EU (10 months ago)
Malwarebytes (10 months ago)
CERT-EU (9 months ago)
CERT-EU (8 months ago)
InfoSecurity-magazine (4 months ago)
CISA (4 months ago)
InfoSecurity-magazine (5 months ago)
DARKReading (5 months ago)
Fortinet (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (6 months ago)
Securityaffairs (7 months ago)
Unit42 (7 months ago)
InfoSecurity-magazine (8 months ago)
Securityaffairs (8 months ago)
DARKReading (8 months ago)
Securityaffairs (8 months ago)
CERT-EU (8 months ago)