CVE-2024-21893: Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability
First published: Wed Jan 31 2024(Updated: )
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ivanti Connect Secure | ||
| Ivanti Connect Secure (ICS) VPN | =9.0 | |
| Ivanti Connect Secure (ICS) VPN | =9.0-r1 | |
| Ivanti Connect Secure (ICS) VPN | =9.0-r2 | |
| Ivanti Connect Secure (ICS) VPN | =9.0-r2.1 | |
| Ivanti Connect Secure (ICS) VPN | =9.0-r3 | |
| Ivanti Connect Secure (ICS) VPN | =9.0-r3.1 | |
| Ivanti Connect Secure (ICS) VPN | =9.0-r3.2 | |
| Ivanti Connect Secure (ICS) VPN | =9.0-r3.3 | |
| Ivanti Connect Secure (ICS) VPN | =9.0-r3.5 | |
| Ivanti Connect Secure (ICS) VPN | =9.0-r4 | |
| Ivanti Connect Secure (ICS) VPN | =9.0-r4.1 | |
| Ivanti Connect Secure (ICS) VPN | =9.0-r5.0 | |
| Ivanti Connect Secure (ICS) VPN | =9.0-r6.0 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r1 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r10 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r11 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r11.3 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r11.4 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r11.5 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r12 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r12.1 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r13 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r13.1 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r14 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r15 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r15.2 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r16 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r16.1 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r17 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r17.1 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r18 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r18.1 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r18.2 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r2 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r3 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r4 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r4.1 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r4.2 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r4.3 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r5 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r6 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r7 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r8 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r8.1 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r8.2 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r9 | |
| Ivanti Connect Secure (ICS) VPN | =9.1-r9.1 | |
| Ivanti Connect Secure (ICS) VPN | =21.9-r1 | |
| Ivanti Connect Secure (ICS) VPN | =21.12-r1 | |
| Ivanti Connect Secure (ICS) VPN | =22.1-r1 | |
| Ivanti Connect Secure (ICS) VPN | =22.1-r6 | |
| Ivanti Connect Secure (ICS) VPN | =22.2 | |
| Ivanti Connect Secure (ICS) VPN | =22.2-r1 | |
| Ivanti Connect Secure (ICS) VPN | =22.3-r1 | |
| Ivanti Connect Secure (ICS) VPN | =22.4-r1 | |
| Ivanti Connect Secure (ICS) VPN | =22.4-r2.1 | |
| Ivanti Connect Secure (ICS) VPN | =22.6 | |
| Ivanti Connect Secure (ICS) VPN | =22.6-r1 | |
| Ivanti Connect Secure (ICS) VPN | =22.6-r2 | |
| Ivanti Connect Secure (ICS) VPN | =22.6-r2.1 | |
| Pulse Policy Secure | =9.0 | |
| Pulse Policy Secure | =9.0-r1 | |
| Pulse Policy Secure | =9.0-r2 | |
| Pulse Policy Secure | =9.0-r2.1 | |
| Pulse Policy Secure | =9.0-r3 | |
| Pulse Policy Secure | =9.0-r3.1 | |
| Pulse Policy Secure | =9.0-r4 | |
| Pulse Policy Secure | =9.1 | |
| Pulse Policy Secure | =9.1-r1 | |
| Pulse Policy Secure | =9.1-r10 | |
| Pulse Policy Secure | =9.1-r11 | |
| Pulse Policy Secure | =9.1-r12 | |
| Pulse Policy Secure | =9.1-r13 | |
| Pulse Policy Secure | =9.1-r13.1 | |
| Pulse Policy Secure | =9.1-r14 | |
| Pulse Policy Secure | =9.1-r15 | |
| Pulse Policy Secure | =9.1-r16 | |
| Pulse Policy Secure | =9.1-r17 | |
| Pulse Policy Secure | =9.1-r18 | |
| Pulse Policy Secure | =9.1-r18.1 | |
| Pulse Policy Secure | =9.1-r18.2 | |
| Pulse Policy Secure | =9.1-r2 | |
| Pulse Policy Secure | =9.1-r3 | |
| Pulse Policy Secure | =9.1-r3.1 | |
| Pulse Policy Secure | =9.1-r4 | |
| Pulse Policy Secure | =9.1-r4.1 | |
| Pulse Policy Secure | =9.1-r4.2 | |
| Pulse Policy Secure | =9.1-r4.3 | |
| Pulse Policy Secure | =9.1-r5 | |
| Pulse Policy Secure | =9.1-r6 | |
| Pulse Policy Secure | =9.1-r7 | |
| Pulse Policy Secure | =9.1-r8 | |
| Pulse Policy Secure | =9.1-r8.1 | |
| Pulse Policy Secure | =9.1-r8.2 | |
| Pulse Policy Secure | =9.1-r9 | |
| Pulse Policy Secure | =22.1-r1 | |
| Pulse Policy Secure | =22.1-r6 | |
| Pulse Policy Secure | =22.2-r1 | |
| Pulse Policy Secure | =22.2-r3 | |
| Pulse Policy Secure | =22.3-r1 | |
| Pulse Policy Secure | =22.3-r3 | |
| Pulse Policy Secure | =22.4-r1 | |
| Pulse Policy Secure | =22.4-r2 | |
| Pulse Policy Secure | =22.4-r2.1 | |
| Pulse Policy Secure | =22.5-r1 | |
| Pulse Policy Secure | =22.6-r1 | |
| Ivanti Neurons for Zero Trust Access | ||
| Ivanti Neurons for Zero Trust Access | =22.2-r1 | |
| Ivanti Neurons for Zero Trust Access | =22.2-r4 | |
| Ivanti Neurons for Zero Trust Access | =22.2-r5 | |
| Ivanti Neurons for Zero Trust Access | =22.3-r1 | |
| Ivanti Neurons for Zero Trust Access | =22.3-r4 | |
| Ivanti Neurons for Zero Trust Access | =22.4-r1 | |
| Ivanti Neurons for Zero Trust Access | =22.4-r3 | |
| Ivanti Neurons for Zero Trust Access | =22.5-r1 | |
| Ivanti Neurons for Zero Trust Access | =22.5-r1.2 | |
| Ivanti Neurons for Zero Trust Access | =22.6-r1 | |
| Ivanti Neurons for Zero Trust Access | =22.6-r1.2 |
Remedy
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.bleepingcomputer.com/news/security/ivanti-warns-of-new-connect-secure-zero-day-exploited-in-attacks/
- https://www.theregister.com/2024/01/31/ivanti_patches_zero_days/
- https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-disconnect-ivanti-vpn-appliances-by-saturday/
- https://www.bleepingcomputer.com/news/security/newest-ivanti-ssrf-zero-day-now-under-mass-exploitation/
- https://www.theregister.com/2024/02/05/ivanti_zero_day/
- https://www.bleepingcomputer.com/news/security/ivanti-patch-new-connect-secure-auth-bypass-bug-immediately/
- https://www.bleepingcomputer.com/news/security/hackers-exploit-ivanti-ssrf-flaw-to-deploy-new-dslog-backdoor/
- https://www.bleepingcomputer.com/news/security/over-13-000-ivanti-gateways-vulnerable-to-actively-exploited-bugs/
- https://www.bleepingcomputer.com/news/security/cisa-warns-against-using-hacked-ivanti-devices-even-after-factory-resets/
- https://www.bleepingcomputer.com/news/security/cisa-cautions-against-using-hacked-ivanti-vpn-gateways-even-after-factory-resets/
- https://www.bleepingcomputer.com/news/security/magnet-goblin-hackers-use-1-day-flaws-to-drop-custom-linux-malware/
- https://www.bleepingcomputer.com/news/security/ivanti-fixes-critical-standalone-sentry-bug-reported-by-nato/
- https://www.bleepingcomputer.com/news/security/ivanti-fixes-vpn-gateway-vulnerability-allowing-rce-dos-attacks/
- https://www.bleepingcomputer.com/news/security/new-ivanti-rce-flaw-may-impact-16-000-exposed-vpn-gateways/
- https://www.bleepingcomputer.com/news/security/chemical-facilities-warned-of-possible-data-theft-in-cisa-csat-breach/
- https://www.theregister.com/2024/06/25/cisa_ivanti_chemical_facilities/
- https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
- https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-vtm-auth-bypass-with-public-exploit/
- https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US;
- https://nvd.nist.gov/vuln/detail/CVE-2024-21893
- https://www.bleepingcomputer.com/news/security/ivanti-fixes-maximum-severity-rce-bug-in-endpoint-management-software/
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the severity of CVE-2024-21893?
CVE-2024-21893 is considered a critical vulnerability due to its potential to allow unauthorized access to restricted resources.
How do I fix CVE-2024-21893?
To mitigate CVE-2024-21893, it is recommended to apply the latest security patches released by Ivanti for affected products.
Which products are affected by CVE-2024-21893?
CVE-2024-21893 affects Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for Zero Trust Access versions 9.x and 22.x.
How can attackers exploit CVE-2024-21893?
Attackers can exploit CVE-2024-21893 through server-side request forgery to access restricted resources without authentication.
Is there a known active exploit for CVE-2024-21893?
Yes, there are reports indicating that CVE-2024-21893 is actively being exploited in the wild.
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-21893
- alias/CVE-2024-21888
- alias/CVE-2023-46805
- alias/CVE-2024-21887
- agent/type
- collector/the-register
- source/The Register
- agent/remedy
- agent/title
- agent/first-publish-date
- agent/description
- alias/CVE-2024-22024
- alias/CVE-2021-22893
- agent/weakness
- alias/CVE-2023-41265
- alias/CVE-2023-41266
- alias/CVE-2023-48365
- alias/CVE-2022-24086
- agent/severity
- alias/CVE-2023-41724
- alias/CVE-2023-46808
- alias/CVE-2024-21894
- collector/epss-latest
- source/FIRST
- agent/epss
- zeroday/true
- agent/news-ai
- collector/mitre-cve
- source/MITRE
- alias/CVE-2024-7593
- alias/CVE-2024-7569
- agent/author
- alias/CVE-2024-29847
- alias/CVE-2023-39336
- agent/references
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- vendor/ivanti
- canonical/ivanti connect secure
- canonical/ivanti connect secure (ics) vpn
- version/ivanti connect secure (ics) vpn/9.0
- version/ivanti connect secure (ics) vpn/9.0-r1
- version/ivanti connect secure (ics) vpn/9.0-r2
- version/ivanti connect secure (ics) vpn/9.0-r2.1
- version/ivanti connect secure (ics) vpn/9.0-r3
- version/ivanti connect secure (ics) vpn/9.0-r3.1
- version/ivanti connect secure (ics) vpn/9.0-r3.2
- version/ivanti connect secure (ics) vpn/9.0-r3.3
- version/ivanti connect secure (ics) vpn/9.0-r3.5
- version/ivanti connect secure (ics) vpn/9.0-r4
- version/ivanti connect secure (ics) vpn/9.0-r4.1
- version/ivanti connect secure (ics) vpn/9.0-r5.0
- version/ivanti connect secure (ics) vpn/9.0-r6.0
- version/ivanti connect secure (ics) vpn/9.1-r1
- version/ivanti connect secure (ics) vpn/9.1-r10
- version/ivanti connect secure (ics) vpn/9.1-r11
- version/ivanti connect secure (ics) vpn/9.1-r11.3
- version/ivanti connect secure (ics) vpn/9.1-r11.4
- version/ivanti connect secure (ics) vpn/9.1-r11.5
- version/ivanti connect secure (ics) vpn/9.1-r12
- version/ivanti connect secure (ics) vpn/9.1-r12.1
- version/ivanti connect secure (ics) vpn/9.1-r13
- version/ivanti connect secure (ics) vpn/9.1-r13.1
- version/ivanti connect secure (ics) vpn/9.1-r14
- version/ivanti connect secure (ics) vpn/9.1-r15
- version/ivanti connect secure (ics) vpn/9.1-r15.2
- version/ivanti connect secure (ics) vpn/9.1-r16
- version/ivanti connect secure (ics) vpn/9.1-r16.1
- version/ivanti connect secure (ics) vpn/9.1-r17
- version/ivanti connect secure (ics) vpn/9.1-r17.1
- version/ivanti connect secure (ics) vpn/9.1-r18
- version/ivanti connect secure (ics) vpn/9.1-r18.1
- version/ivanti connect secure (ics) vpn/9.1-r18.2
- version/ivanti connect secure (ics) vpn/9.1-r2
- version/ivanti connect secure (ics) vpn/9.1-r3
- version/ivanti connect secure (ics) vpn/9.1-r4
- version/ivanti connect secure (ics) vpn/9.1-r4.1
- version/ivanti connect secure (ics) vpn/9.1-r4.2
- version/ivanti connect secure (ics) vpn/9.1-r4.3
- version/ivanti connect secure (ics) vpn/9.1-r5
- version/ivanti connect secure (ics) vpn/9.1-r6
- version/ivanti connect secure (ics) vpn/9.1-r7
- version/ivanti connect secure (ics) vpn/9.1-r8
- version/ivanti connect secure (ics) vpn/9.1-r8.1
- version/ivanti connect secure (ics) vpn/9.1-r8.2
- version/ivanti connect secure (ics) vpn/9.1-r9
- version/ivanti connect secure (ics) vpn/9.1-r9.1
- version/ivanti connect secure (ics) vpn/21.9-r1
- version/ivanti connect secure (ics) vpn/21.12-r1
- version/ivanti connect secure (ics) vpn/22.1-r1
- version/ivanti connect secure (ics) vpn/22.1-r6
- version/ivanti connect secure (ics) vpn/22.2
- version/ivanti connect secure (ics) vpn/22.2-r1
- version/ivanti connect secure (ics) vpn/22.3-r1
- version/ivanti connect secure (ics) vpn/22.4-r1
- version/ivanti connect secure (ics) vpn/22.4-r2.1
- version/ivanti connect secure (ics) vpn/22.6
- version/ivanti connect secure (ics) vpn/22.6-r1
- version/ivanti connect secure (ics) vpn/22.6-r2
- version/ivanti connect secure (ics) vpn/22.6-r2.1
- canonical/pulse policy secure
- version/pulse policy secure/9.0
- version/pulse policy secure/9.0-r1
- version/pulse policy secure/9.0-r2
- version/pulse policy secure/9.0-r2.1
- version/pulse policy secure/9.0-r3
- version/pulse policy secure/9.0-r3.1
- version/pulse policy secure/9.0-r4
- version/pulse policy secure/9.1
- version/pulse policy secure/9.1-r1
- version/pulse policy secure/9.1-r10
- version/pulse policy secure/9.1-r11
- version/pulse policy secure/9.1-r12
- version/pulse policy secure/9.1-r13
- version/pulse policy secure/9.1-r13.1
- version/pulse policy secure/9.1-r14
- version/pulse policy secure/9.1-r15
- version/pulse policy secure/9.1-r16
- version/pulse policy secure/9.1-r17
- version/pulse policy secure/9.1-r18
- version/pulse policy secure/9.1-r18.1
- version/pulse policy secure/9.1-r18.2
- version/pulse policy secure/9.1-r2
- version/pulse policy secure/9.1-r3
- version/pulse policy secure/9.1-r3.1
- version/pulse policy secure/9.1-r4
- version/pulse policy secure/9.1-r4.1
- version/pulse policy secure/9.1-r4.2
- version/pulse policy secure/9.1-r4.3
- version/pulse policy secure/9.1-r5
- version/pulse policy secure/9.1-r6
- version/pulse policy secure/9.1-r7
- version/pulse policy secure/9.1-r8
- version/pulse policy secure/9.1-r8.1
- version/pulse policy secure/9.1-r8.2
- version/pulse policy secure/9.1-r9
- version/pulse policy secure/22.1-r1
- version/pulse policy secure/22.1-r6
- version/pulse policy secure/22.2-r1
- version/pulse policy secure/22.2-r3
- version/pulse policy secure/22.3-r1
- version/pulse policy secure/22.3-r3
- version/pulse policy secure/22.4-r1
- version/pulse policy secure/22.4-r2
- version/pulse policy secure/22.4-r2.1
- version/pulse policy secure/22.5-r1
- version/pulse policy secure/22.6-r1
- canonical/ivanti neurons for zero trust access
- version/ivanti neurons for zero trust access/22.2-r1
- version/ivanti neurons for zero trust access/22.2-r4
- version/ivanti neurons for zero trust access/22.2-r5
- version/ivanti neurons for zero trust access/22.3-r1
- version/ivanti neurons for zero trust access/22.3-r4
- version/ivanti neurons for zero trust access/22.4-r1
- version/ivanti neurons for zero trust access/22.4-r3
- version/ivanti neurons for zero trust access/22.5-r1
- version/ivanti neurons for zero trust access/22.5-r1.2
- version/ivanti neurons for zero trust access/22.6-r1
- version/ivanti neurons for zero trust access/22.6-r1.2