CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 14 min read

CVE-2023-46805 and CVE-2024-21887 Explained: Ivanti Connect Secure Zero-Day Chain

Two zero-day vulnerabilities in Ivanti Connect Secure, an authentication bypass chained with a command injection, enabled unauthenticated remote code execution on a VPN platform protecting thousands of enterprise and government networks. CISA issued an emergency directive ordering federal agencies to disconnect within 48 hours.

Sources:NVD, CVE-2023-46805|NVD, CVE-2024-21887|Volexity, Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN|Mandiant, Suspected APT Actor Exploits Ivanti Connect Secure Vulnerabilities|CISA Emergency Directive 24-01
9.1
CVE-2024-21887 CVSS (chain)
2,100+
Devices compromised before patch
0-day
14+ days of zero-day exploitation
48hrs
CISA federal disconnect deadline

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2023-46805 and CVE-2024-21887 are two zero-day vulnerabilities in Ivanti Connect Secure, the VPN gateway platform formerly known as Pulse Connect Secure, that when chained produce unauthenticated remote code execution on the appliance. Ivanti Connect Secure is deployed by thousands of enterprises and government agencies as their primary remote access VPN gateway, making its compromise equivalent to defeating the perimeter for everything behind it.

Volexity first observed active exploitation on December 3, 2023. Ivanti published an advisory on January 10, 2024, 38 days after exploitation began, with mitigations and an Integrity Checker Tool, but no patch. Patches for most versions did not arrive until late January and February 2024. CISA issued Emergency Directive 24-01 on January 19, 2024, ordering all federal agencies to disconnect or mitigate within 48 hours. By the time patches were available, over 2,100 devices worldwide had been compromised.

How the Two CVEs Chain to Produce Unauthenticated RCE

Ivanti Connect Secure exposes a web interface for VPN authentication and a separate administrative interface. The authentication bypass (CVE-2023-46805) exploits a flaw in the path-based routing logic for REST API endpoints. Certain API paths that should require authentication are reachable by manipulating the URL to bypass the authentication middleware, similar in concept to ConnectWise ScreenConnect's trailing slash bypass.

With the authentication check bypassed, the attacker has access to administrative API endpoints. CVE-2024-21887 is a command injection vulnerability in one of these endpoints, specifically the web component that handles configuration parameters. By supplying OS command metacharacters in a parameter that is passed unsanitised to a shell command, the attacker executes arbitrary OS commands as the root user on the appliance.

The exploit chain is: (1) bypass authentication via CVE-2023-46805, (2) call the vulnerable administrative endpoint with a command injection payload via CVE-2024-21887, (3) achieve root RCE. The entire chain is executable from the internet-facing side of the appliance with no credentials.

1

Identify internet-exposed Ivanti Connect Secure gateways

Ivanti Connect Secure gateways are identifiable by their SSL VPN login page and certificate. Shodan indexed tens of thousands of exposed instances. Attacker scanning tools focused on gateways running version ranges known to be vulnerable.

2

Bypass authentication via CVE-2023-46805

Send a crafted HTTP request to a REST API endpoint with a URL path that bypasses the authentication middleware. The appliance processes the request as authenticated without verifying credentials.

3

Execute OS commands via CVE-2024-21887

Call the vulnerable administrative API endpoint (accessible via the bypassed authentication) with a parameter containing OS command injection metacharacters. The command executes as root on the VPN appliance.

4

Deploy persistent malware families

UNC5221 deployed LIGHTWIRE (web shell written in Perl embedded in legitimate CGI scripts), ZIPLINE (passive backdoor intercepting network traffic), WARPWIRE (JavaScript credential harvester in the login page), and THINSPOOL (dropper for writing additional payloads to persistent storage).

5

Harvest credentials and pivot to internal network

WARPWIRE collected VPN credentials from users authenticating to the gateway. ZIPLINE enabled passive C2 communications. The compromised gateway's internal routing access enabled lateral movement to internal network segments accessible via VPN.

UNC5221 Malware Families and Tradecraft

UNC5221 demonstrated sophisticated tradecraft specifically designed for VPN appliance persistence. Unlike endpoint-targeted malware, the tools were built for network appliances with embedded operating systems and limited monitoring:

LIGHTWIRE: A web shell written in Perl, embedded directly inside a legitimate Ivanti CGI script (compcheckresult.cgi). It passes through output of the legitimate script while also processing attacker commands, making it difficult to distinguish from normal traffic.

ZIPLINE: A passive backdoor that intercepts network traffic at a low level. It communicates via a custom protocol multiplexed over legitimate HTTPS traffic, making it nearly invisible to network monitoring tools.

WARPWIRE: JavaScript injected into the Ivanti login page that harvests plaintext VPN credentials at the point of entry and exfiltrates them to a remote server. Users logging in normally were unknowingly handing credentials to the attacker.

THINSPOOL: A dropper that writes payloads to the appliance's persistent storage partition, surviving both service restarts and standard upgrade processes, which is why factory reset was required for complete remediation.

UNC5221 modified legitimate Ivanti files and deployed new files to the appliances to establish persistence, harvest credentials, and gain backdoor access. The group demonstrated familiarity with Ivanti's appliance architecture.

Mandiant, January 2024
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Patching and Fully Remediating CVE-2023-46805 and CVE-2024-21887

Ivanti released patches on a rolling schedule through January and February 2024. For any device that ran vulnerable firmware in an internet-accessible state, patching alone is insufficient, the factory reset process is mandatory.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

The Ivanti Connect Secure zero-day chain illustrates a recurring pattern: VPN appliances are high-value targets because they sit at the perimeter, process authenticated user traffic, and have routing access to internal networks. Compromising the VPN gateway is compromising the perimeter.

UNC5221's toolkit, particularly WARPWIRE's credential harvesting from the login page itself, demonstrates that even users who are not directly exploited become victims. Everyone who authenticated to a compromised Ivanti gateway during the exploitation window had their credentials stolen, regardless of whether their own device was touched.

For organisations still running legacy Pulse Secure hardware rebranded as Ivanti, this vulnerability series is a strong signal to evaluate migration to alternative VPN solutions. Ivanti has disclosed multiple high-severity VPN vulnerabilities across 2023 and 2024, and the appliance architecture has shown repeated susceptibility to persistent compromise.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What are CVE-2023-46805 and CVE-2024-21887?

CVE-2023-46805 is an authentication bypass (CVSS 8.2) in Ivanti Connect Secure and Policy Secure VPN gateways. CVE-2024-21887 is a command injection (CVSS 9.1) in the same products that requires authentication to exploit alone. When chained together, an unauthenticated attacker can bypass authentication via CVE-2023-46805 and then execute arbitrary OS commands via CVE-2024-21887, achieving full remote code execution on the VPN appliance.

Which Ivanti products are affected?

Ivanti Connect Secure (all supported versions as of January 2024) and Ivanti Policy Secure (all supported versions) are affected by both CVEs. Ivanti's ZTA gateways are also impacted by CVE-2023-46805. Cloud Services Application (Ivanti CSA) is not affected by this specific chain.

Were CVE-2023-46805 and CVE-2024-21887 exploited as zero-days?

Yes. Volexity detected active exploitation beginning December 3, 2023, more than five weeks before Ivanti issued an advisory on January 10, 2024. Mandiant confirmed a second threat actor cluster was also exploiting the vulnerabilities independently. At least 2,100 devices globally were compromised before any patch was available.

Who exploited CVE-2023-46805 and CVE-2024-21887?

Mandiant attributed the primary exploitation to UNC5221, a suspected Chinese state-sponsored threat actor. UNC5221 deployed five distinct malware families on compromised Ivanti devices, including LIGHTWIRE (web shell), ZIPLINE (passive backdoor), WARPWIRE (credential harvester), and THINSPOOL (dropper). A second unattributed cluster was also observed exploiting the same vulnerabilities.

What did CISA Emergency Directive 24-01 require?

CISA ED 24-01 required all Federal Civilian Executive Branch agencies to immediately implement Ivanti's published mitigation or disconnect affected Ivanti Connect Secure and Policy Secure products from agency networks by January 22, 2024, 12 days after the advisory. Agencies were also required to hunt for threat actor activity and report their status to CISA.

Why was a factory reset required and not just patching?

The malware families deployed by UNC5221, particularly ZIPLINE and THINSPOOL, survived standard upgrade processes. Ivanti and CISA confirmed that simply applying patches to a compromised device was insufficient because attacker-installed backdoors persisted through upgrades. The recommended remediation required a factory reset to known-good state, followed by patch application, credential rotation, and certificate reissuance.

Sources & references

  1. NVD, CVE-2023-46805
  2. NVD, CVE-2024-21887
  3. Volexity, Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
  4. Mandiant, Suspected APT Actor Exploits Ivanti Connect Secure Vulnerabilities
  5. CISA Emergency Directive 24-01

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.