9.1
CVE-2024-21887
- EPSS 94.42%
- Published 12.01.2024 17:15:10
- Last modified 12.02.2025 19:55:33
- Source support@hackerone.com
- Teams watchlist Login
- Open Login
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
Data is provided by the National Vulnerability Database (NVD)
Ivanti ≫ Connect Secure Version9.0
Ivanti ≫ Connect Secure Version9.1 Updater1
Ivanti ≫ Connect Secure Version9.1 Updater10
Ivanti ≫ Connect Secure Version9.1 Updater11
Ivanti ≫ Connect Secure Version9.1 Updater11.3
Ivanti ≫ Connect Secure Version9.1 Updater11.4
Ivanti ≫ Connect Secure Version9.1 Updater11.5
Ivanti ≫ Connect Secure Version9.1 Updater12
Ivanti ≫ Connect Secure Version9.1 Updater12.1
Ivanti ≫ Connect Secure Version9.1 Updater13
Ivanti ≫ Connect Secure Version9.1 Updater13.1
Ivanti ≫ Connect Secure Version9.1 Updater14
Ivanti ≫ Connect Secure Version9.1 Updater15
Ivanti ≫ Connect Secure Version9.1 Updater15.2
Ivanti ≫ Connect Secure Version9.1 Updater16
Ivanti ≫ Connect Secure Version9.1 Updater16.1
Ivanti ≫ Connect Secure Version9.1 Updater17
Ivanti ≫ Connect Secure Version9.1 Updater17.1
Ivanti ≫ Connect Secure Version9.1 Updater18
Ivanti ≫ Connect Secure Version9.1 Updater2
Ivanti ≫ Connect Secure Version9.1 Updater3
Ivanti ≫ Connect Secure Version9.1 Updater4
Ivanti ≫ Connect Secure Version9.1 Updater4.1
Ivanti ≫ Connect Secure Version9.1 Updater4.2
Ivanti ≫ Connect Secure Version9.1 Updater4.3
Ivanti ≫ Connect Secure Version9.1 Updater5
Ivanti ≫ Connect Secure Version9.1 Updater6
Ivanti ≫ Connect Secure Version9.1 Updater7
Ivanti ≫ Connect Secure Version9.1 Updater8
Ivanti ≫ Connect Secure Version9.1 Updater8.1
Ivanti ≫ Connect Secure Version9.1 Updater8.2
Ivanti ≫ Connect Secure Version9.1 Updater9
Ivanti ≫ Connect Secure Version9.1 Updater9.1
Ivanti ≫ Connect Secure Version22.1 Updater1
Ivanti ≫ Connect Secure Version22.1 Updater6
Ivanti ≫ Connect Secure Version22.2 Update-
Ivanti ≫ Connect Secure Version22.2 Updater1
Ivanti ≫ Connect Secure Version22.3 Updater1
Ivanti ≫ Connect Secure Version22.4 Updater1
Ivanti ≫ Connect Secure Version22.4 Updater2.1
Ivanti ≫ Connect Secure Version22.5 Updater2.1
Ivanti ≫ Connect Secure Version22.6 Update-
Ivanti ≫ Connect Secure Version22.6 Updater1
Ivanti ≫ Connect Secure Version22.6 Updater2
Ivanti ≫ Policy Secure Version9.0
Ivanti ≫ Policy Secure Version9.1 Updater1
Ivanti ≫ Policy Secure Version9.1 Updater10
Ivanti ≫ Policy Secure Version9.1 Updater11
Ivanti ≫ Policy Secure Version9.1 Updater12
Ivanti ≫ Policy Secure Version9.1 Updater13
Ivanti ≫ Policy Secure Version9.1 Updater13.1
Ivanti ≫ Policy Secure Version9.1 Updater14
Ivanti ≫ Policy Secure Version9.1 Updater15
Ivanti ≫ Policy Secure Version9.1 Updater16
Ivanti ≫ Policy Secure Version9.1 Updater17
Ivanti ≫ Policy Secure Version9.1 Updater18
Ivanti ≫ Policy Secure Version9.1 Updater2
Ivanti ≫ Policy Secure Version9.1 Updater3
Ivanti ≫ Policy Secure Version9.1 Updater3.1
Ivanti ≫ Policy Secure Version9.1 Updater4
Ivanti ≫ Policy Secure Version9.1 Updater4.1
Ivanti ≫ Policy Secure Version9.1 Updater4.2
Ivanti ≫ Policy Secure Version9.1 Updater5
Ivanti ≫ Policy Secure Version9.1 Updater6
Ivanti ≫ Policy Secure Version9.1 Updater7
Ivanti ≫ Policy Secure Version9.1 Updater8
Ivanti ≫ Policy Secure Version9.1 Updater8.1
Ivanti ≫ Policy Secure Version9.1 Updater8.2
Ivanti ≫ Policy Secure Version9.1 Updater9
Ivanti ≫ Policy Secure Version22.1 Updater1
Ivanti ≫ Policy Secure Version22.1 Updater6
Ivanti ≫ Policy Secure Version22.2 Updater1
Ivanti ≫ Policy Secure Version22.2 Updater3
Ivanti ≫ Policy Secure Version22.3 Updater1
Ivanti ≫ Policy Secure Version22.3 Updater3
Ivanti ≫ Policy Secure Version22.4 Updater1
Ivanti ≫ Policy Secure Version22.4 Updater2
Ivanti ≫ Policy Secure Version22.4 Updater2.1
Ivanti ≫ Policy Secure Version22.5 Updater1
Ivanti ≫ Policy Secure Version22.5 Updater2.1
Ivanti ≫ Policy Secure Version22.6 Updater1
10.01.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog
Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
VulnerabilityIvanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authenticated bypass issue.
DescriptionApply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Required actions| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 94.42% | 1 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 9.1 | 2.3 | 6 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
|
| support@hackerone.com | 9.1 | 2.3 | 6 |
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
|
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.