CVE-2024-21887 & CVE-2023-46805: Ivanti Connect Secure Chained Exploits Enable Unauthenticated RCE

Affected Product: Ivanti Connect Secure (ICS) and Ivanti Policy Secure, all versions prior to the patched releases issued in February 2024.


Vulnerability Overview

Two vulnerabilities in Ivanti Connect Secure — CVE-2023-46805 and CVE-2024-21887 — are being actively chained to achieve unauthenticated remote code execution on exposed gateway appliances.

CVE-2023-46805 is an authentication bypass flaw (CVSS 8.2) in the web component of Ivanti Connect Secure and Policy Secure. An unauthenticated remote attacker can bypass access-control checks and reach restricted resources by manipulating request paths. The flaw resides in the /api/v1/totp/user-backup-code endpoint and related REST API surfaces.

CVE-2024-21887 is a command injection vulnerability (CVSS 9.1) in the same web component. An authenticated administrator can send specially crafted requests to execute arbitrary commands on the appliance. When combined with CVE-2023-46805, authentication is no longer required — the bypass feeds directly into the injection, producing a full unauthenticated RCE chain.

Attack vector: Network. Attack complexity: Low. Privileges required: None (when chained). No user interaction is required.


Exploitation in the Wild

Mandiant and Volexity both confirmed active exploitation beginning as early as December 2023, predating any public patch availability. The threat group UTA0178, subsequently linked by Mandiant to a China-nexus espionage cluster tracked as UNC5221, deployed multiple custom malware families against compromised appliances.

Observed post-exploitation activity included:

  • Deployment of LIGHTWIRE, a web shell embedded in a legitimate Connect Secure component.
  • Deployment of WIREFIRE (also called GIFTEDVISITOR), a Python-based backdoor supporting unauthenticated arbitrary command execution.
  • Deployment of BUSHWALK, a passive implant used to relay commands from attacker infrastructure through the compromised gateway.
  • Credential harvesting from active VPN sessions traversing the appliance.
  • Lateral movement into downstream enterprise environments using harvested credentials and session tokens.

Because Connect Secure appliances sit at the network perimeter and terminate VPN sessions, a compromised gateway provides an attacker with privileged visibility into encrypted traffic, user credentials, and internal network routing.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 24-01 on January 19, 2024, ordering all federal civilian executive branch agencies to immediately apply mitigations or take affected devices offline.


Scope of Exposure

At the time of initial disclosure, Shodan and Censys scans identified over 15,000 Ivanti Connect Secure appliances exposed directly to the internet. Sectors confirmed as targeted include defense, government, telecommunications, financial services, and managed security providers.

Ivanti's own integrity checker tool (ICT) was initially found to be insufficient for detecting all implant variants. CISA warned that a clean ICT result does not guarantee a device is uncompromised — attackers modified appliance components in ways the tool did not flag.
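The limitation described above is structural, not specific to one tool: a checker that hashes only the files listed in its manifest reports "no modified files" even when a file has been added next to them, and it cannot vouch for a manifest that was itself altered. The following is an added illustration, not Ivanti's ICT and not its manifest format; the directory layout, file names and contents are constructed sample data. It builds a baseline, simulates one edited component and one dropped-in file, and shows that the added file is only visible to a checker that also enumerates what is on disk but not in the manifest.

```python
"""Manifest-based integrity check with coverage reporting (added example).

Not Ivanti's ICT. Shows why "no modified files" is weaker than "no
compromise": hashing only manifest entries misses added files, and a
tampered manifest hides edits. All paths and contents are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, relpaths) -> dict:
    """Record the known-good hash of each listed file (trusted baseline)."""
    return {rel: sha256_file(root / rel) for rel in relpaths}


def check_integrity(root: Path, manifest: dict) -> dict:
    """Compare the tree under `root` against `manifest`.

    `modified` and `missing` are what a manifest-only checker can report.
    `unlisted` is every file on disk the manifest never covered, which a
    manifest-only checker is blind to.
    """
    modified, missing = [], []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            modified.append(rel)
    on_disk = {str(p.relative_to(root)).replace(os.sep, "/")
               for p in root.rglob("*") if p.is_file()}
    unlisted = sorted(on_disk - set(manifest))
    return {"modified": sorted(modified), "missing": sorted(missing),
            "unlisted": unlisted}


def demo() -> dict:
    """Constructed scenario: clean baseline, then an edit plus an added file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "webroot").mkdir(parents=True)
        (root / "webroot/component.cgi").write_text("original handler\n")
        (root / "webroot/index.html").write_text("<html></html>\n")
        manifest = build_manifest(root, ["webroot/component.cgi",
                                         "webroot/index.html"])
        clean = check_integrity(root, manifest)
        # Simulated tampering: one listed file edited, one new file dropped in.
        (root / "webroot/component.cgi").write_text("original handler\n# extra\n")
        (root / "webroot/extra.py").write_text("# not in manifest\n")
        after = check_integrity(root, manifest)
        return {"clean": clean, "after": after}


if __name__ == "__main__":
    result = demo()
    print("baseline:       ", result["clean"])
    print("after tampering:", result["after"])
```

The `unlisted` bucket is the point: if a review only asks "did any known file change?", an implant that arrives as a new file is invisible, which is why a clean result from such a tool should be read as "nothing detected", not "nothing present".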


Real-World Impact

Compromise of a VPN gateway at this layer produces several high-impact outcomes:

  1. Session hijacking: Attackers capture authenticated VPN sessions and reuse them to impersonate legitimate users on internal networks — without triggering credential-based alerts.
  2. Credential harvesting at scale: All credentials transiting the gateway are accessible to a process running with root-level privileges on the appliance.
  3. Persistent access via implants: Web shells and passive backdoors survive reboots and standard remediation attempts that do not include a full factory reset.
  4. Supply chain risk: Managed service providers running ICS on behalf of clients risk exposing multiple downstream customer environments from a single appliance compromise.

UNC5221 specifically targeted appliances belonging to organizations with high intelligence value, consistent with long-term espionage objectives rather than ransomware deployment.


Patching and Mitigation

Patch availability: Ivanti released patches in staggered batches beginning February 1, 2024. Organizations should verify that they are running the patched versions documented in Ivanti's knowledge base article for CVE-2023-46805 / CVE-2024-21887.

Immediate actions:

  1. Apply patches now. Install the official Ivanti patch for your specific version. Do not rely on workarounds as a permanent fix.
  2. Run the enhanced Ivanti ICT released after January 2024, and treat any anomalies as confirmed compromise indicators — not inconclusive results.
  3. Assume breach if the appliance was exposed during the December 2023 – January 2024 window. Conduct a full forensic review of the appliance, Active Directory, and any systems reachable via VPN.
  4. Factory reset before patch application if compromise is suspected or confirmed. Ivanti explicitly recommends this step to eliminate persistent implants.
  5. Rotate all credentials that traversed the affected gateway, including service accounts, domain credentials, and API tokens.
  6. Review VPN session logs for anomalous source IPs, unusual authentication times, or access to atypical internal resources.
  7. Segment gateway management interfaces from production networks and restrict administrative access to dedicated jump hosts with MFA enforced.
  8. Monitor for LIGHTWIRE and WIREFIRE IOCs published by Volexity and Mandiant, including specific file hashes, URI patterns, and C2 infrastructure addresses.
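Steps 6 and 8 are the ones a responder can script. The example below is added here and is not Ivanti tooling or the appliance's real log format: the line format, the per-user baseline, the business-hours window and the indicator list are all constructed for illustration (the indicator address is a placeholder in documentation IP space, to be replaced with the addresses from the Volexity, Mandiant and CISA publications). It reads session log lines and raises one finding per rule hit for unfamiliar source IPs, off-hours authentication, access to resources a user does not normally touch, and source addresses that match the indicator list, skipping malformed lines instead of failing on them.

```python
"""Triage of VPN session logs against a per-user baseline and an IOC list.

Added example, not Ivanti's tooling. The log format, baseline, hours
window and indicator list are constructed; swap in real exports and the
published indicator lists for actual use.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed log format: ISO-8601 UTC timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>\S+) resource=(?P<resource>\S+)$"
)

# Assumed normal working window in UTC hours: start inclusive, end exclusive.
BUSINESS_HOURS = (7, 19)

# Per-user baseline learned from a known-clean period (constructed).
BASELINE = {
    "alice": {"ips": {"192.0.2.10"},
              "resources": {"wiki.corp.example", "mail.corp.example"}},
    "bob": {"ips": {"192.0.2.25"}, "resources": {"wiki.corp.example"}},
}

# PLACEHOLDER indicator list: 198.51.100.0/24 is documentation space, not a
# real IOC. Replace with the addresses from the vendor and CISA advisories.
IOC_ADDRESSES = {"198.51.100.7"}

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-01-11T09:05:00Z user=alice src=192.0.2.10 event=auth_success resource=-
2024-01-11T09:07:30Z user=alice src=192.0.2.10 event=access resource=wiki.corp.example
2024-01-12T03:14:00Z user=alice src=198.51.100.7 event=auth_success resource=-
2024-01-12T03:16:10Z user=alice src=198.51.100.7 event=access resource=dc01.corp.example
2024-01-12T10:00:00Z user=bob src=192.0.2.25 event=auth_success resource=-
this line is malformed and must be skipped rather than crash the triage
"""


def parse_line(line: str):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def triage(log_text: str, baseline=BASELINE, iocs=IOC_ADDRESSES,
           hours=BUSINESS_HOURS):
    """Apply the review rules to every parseable line; one finding per rule hit."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # Users with no baseline get every source IP and resource flagged.
        known = baseline.get(rec["user"], {"ips": set(), "resources": set()})
        reasons = []
        if rec["src"] not in known["ips"]:
            reasons.append("new_source_ip")
        if rec["src"] in iocs:
            reasons.append("ioc_address_match")
        if rec["event"] == "auth_success" and not (hours[0] <= rec["ts"].hour < hours[1]):
            reasons.append("off_hours_auth")
        if rec["event"] == "access" and rec["resource"] not in known["resources"]:
            reasons.append("atypical_resource")
        for reason in reasons:
            findings.append({"user": rec["user"], "src": rec["src"],
                             "ts": rec["ts"].isoformat(), "reason": reason})
    return findings


def summarize(findings) -> dict:
    """Count findings by rule so a reviewer sees which rules fired."""
    return dict(Counter(f["reason"] for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['user']:<6} {h['src']:<15} {h['reason']}")
    print(summarize(hits))
```

On the constructed sample, only the two 03:00 UTC events for alice from the placeholder address produce findings; bob's in-hours session from his usual address is silent. In practice the baseline should be built from a period that predates the exposure window, otherwise attacker activity is learned as normal.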

Organizations running Ivanti Policy Secure should apply the same remediation steps — that product shares the vulnerable web component.

CISA's advisory AA24-060B contains the most current consolidated list of indicators of compromise, detection signatures, and forensic artifacts associated with this exploitation campaign.
