CVE-2024-21887

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html	Exploit Third Party Advisory VDB Entry
https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US	Vendor Advisory
http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html	Exploit Third Party Advisory VDB Entry
https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US	Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21887

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ivanti:connect_secure:9.0:::::::*
	cpe:2.3:a:ivanti:connect_secure:9.1:r1::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r10::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r11::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r11.3::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r11.4::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r11.5::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r12::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r12.1::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r13::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r13.1::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r14::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r15::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r15.2::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r16::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r16.1::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r17::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r17.1::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r18::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r2::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r3::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r4::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r4.1::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r4.2::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r4.3::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r5::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r6::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r7::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r8::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r8.1::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r8.2::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r9::::::
	cpe:2.3:a:ivanti:connect_secure:9.1:r9.1::::::
	cpe:2.3:a:ivanti:connect_secure:22.1:r1::::::
	cpe:2.3:a:ivanti:connect_secure:22.1:r6::::::
	cpe:2.3:a:ivanti:connect_secure:22.2:-::::::
	cpe:2.3:a:ivanti:connect_secure:22.2:r1::::::
	cpe:2.3:a:ivanti:connect_secure:22.3:r1::::::
	cpe:2.3:a:ivanti:connect_secure:22.4:r1::::::
	cpe:2.3:a:ivanti:connect_secure:22.4:r2.1::::::
	cpe:2.3:a:ivanti:connect_secure:22.5:r2.1::::::
	cpe:2.3:a:ivanti:connect_secure:22.6:-::::::
	cpe:2.3:a:ivanti:connect_secure:22.6:r1::::::
	cpe:2.3:a:ivanti:connect_secure:22.6:r2::::::
	cpe:2.3:a:ivanti:policy_secure:9.0:::::::*
	cpe:2.3:a:ivanti:policy_secure:9.1:r1::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r10::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r11::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r12::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r13::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r13.1::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r14::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r15::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r16::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r17::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r18::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r2::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r3::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r3.1::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r4::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r4.1::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r4.2::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r5::::::
	cpe:2.3:a:ivanti:policy_secure:9.1:r6::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r7::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r8::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r8.1::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r8.2::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r9::::::
cpe:2.3:a:ivanti:policy_secure:22.1:r1::::::
cpe:2.3:a:ivanti:policy_secure:22.1:r6::::::
cpe:2.3:a:ivanti:policy_secure:22.2:r1::::::
cpe:2.3:a:ivanti:policy_secure:22.2:r3::::::
cpe:2.3:a:ivanti:policy_secure:22.3:r1::::::
cpe:2.3:a:ivanti:policy_secure:22.3:r3::::::
cpe:2.3:a:ivanti:policy_secure:22.4:r1::::::
cpe:2.3:a:ivanti:policy_secure:22.4:r2::::::
cpe:2.3:a:ivanti:policy_secure:22.4:r2.1::::::
cpe:2.3:a:ivanti:policy_secure:22.5:r1::::::
cpe:2.3:a:ivanti:policy_secure:22.5:r2.1::::::
cpe:2.3:a:ivanti:policy_secure:22.6:r1::::::

History

21 Oct 2025, 23:16

Type	Values Removed	Values Added
References		() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21887 -

21 Oct 2025, 20:19

Type	Values Removed	Values Added
References	~~{'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21887', 'source': '134c704f-9b21-4f2e-91b3-4a467353bcc0'}~~

21 Oct 2025, 19:20

Type	Values Removed	Values Added
References		() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21887 -

Information

Published : 2024-01-12 17:15

Updated : 2025-10-21 23:16

NVD link : CVE-2024-21887

Mitre link : CVE-2024-21887

CVE.ORG link : CVE-2024-21887

JSON object : View

Products Affected

ivanti

policy_secure
connect_secure

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

9.1 /10