Inside the Ivanti Connect Secure Zero-Day Chain Attackers Used Before a Patch Existed
CVE-2023-46805 and CVE-2024-21887, chained together, gave a suspected nation-state actor unauthenticated remote code execution on Ivanti Connect Secure and Policy Secure VPN gateways for weeks before patches.
Two vulnerabilities, neither individually catastrophic on paper, became one of the more consequential edge-device exploitation chains of early 2024 when attackers combined them against Ivanti’s VPN gateway products.
The two flaws
CVE-2023-46805 is an authentication-bypass vulnerability in the web component of Ivanti Connect Secure and Policy Secure. On its own, it lets an unauthenticated attacker reach restricted application resources — serious, but limited.
CVE-2024-21887 is a command-injection vulnerability in the same product line. On its own, exploiting it requires administrative authentication — a meaningful barrier.
Chained together, the barrier disappears. An attacker uses the authentication bypass to reach the administrative functionality, then uses the command-injection flaw — now reachable without ever logging in — to execute arbitrary commands on the appliance. The combination yields full unauthenticated remote code execution.
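To make the chaining logic concrete from the defender's side, here is a toy model added for this article. It is not Ivanti's code and does not reproduce either CVE; it models only the two layers the chain defeated, an authentication gate in front of an administrative endpoint and a command assembled from request input, and shows why the second layer must not rely on the first. The route name, the `auth_bypassed` flag standing in for any bypass flaw, and the sample request are all constructed. The handlers return the command they would run rather than executing anything.

```python
import re

# Toy admin API model (constructed for this article, not Ivanti's code).
# `auth_bypassed` stands in for any flaw that lets an unauthenticated caller
# reach an admin route; it is a switch in the model, not a real bypass.

def gate(request: dict, auth_bypassed: bool) -> bool:
    """Authentication gate: admins pass; everyone else is denied unless the gate
    itself has been defeated."""
    if auth_bypassed:
        return True
    return request.get("session_role") == "admin"


def vulnerable_ping(request: dict, auth_bypassed: bool = False) -> tuple:
    """Vulnerable pattern: the auth gate is the *only* barrier, and the command is a
    shell string that embeds raw input. Once the gate is bypassed, whatever the caller
    put in `host` is interpreted by the shell. Returns the string that would be run."""
    if not gate(request, auth_bypassed):
        return ("denied", None)
    host = request["params"]["host"]
    return ("shell", f"ping -c 1 {host}")


# Allowlist for a hostname or IPv4/IPv6 literal: no spaces, quotes or shell metacharacters.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.:\-]{1,253}")


def hardened_ping(request: dict, auth_bypassed: bool = False) -> tuple:
    """Hardened pattern: same gate, but the sink no longer trusts it alone. Input is
    allowlisted and the command is an argv list (no shell), so even a defeated gate
    yields at most a ping of one validated host, never arbitrary command execution.
    Returns the argv list that would be passed to subprocess.run(...) without a shell."""
    if not gate(request, auth_bypassed):
        return ("denied", None)
    host = request["params"]["host"]
    if not HOSTNAME_RE.fullmatch(host):
        return ("rejected", None)
    return ("argv", ["ping", "-c", "1", host])


# Constructed sample: an unauthenticated request carrying a classic injection payload.
BYPASS_REQUEST = {"session_role": None, "params": {"host": "127.0.0.1; id"}}
ADMIN_REQUEST = {"session_role": "admin", "params": {"host": "gw.example.net"}}


def demo() -> dict:
    """Run both handlers against the sample requests and collect the outcomes."""
    return {
        "vuln_no_bypass": vulnerable_ping(BYPASS_REQUEST),
        "vuln_with_bypass": vulnerable_ping(BYPASS_REQUEST, auth_bypassed=True),
        "hard_with_bypass": hardened_ping(BYPASS_REQUEST, auth_bypassed=True),
        "hard_admin": hardened_ping(ADMIN_REQUEST),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} -> {outcome}")
```

The point the model makes is the one in the paragraph above: with the gate intact, both handlers deny the request, so the command-injection weakness is invisible to testing that stops at the login page. Once the gate is defeated, the vulnerable handler hands the injected text to a shell, while the hardened handler rejects it on input validation and would, for valid input, pass a fixed argv list with no shell involved. Reviewing appliance code for sinks whose only protection is an upstream authentication check is the defensive takeaway.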
Who exploited it, and when
Ivanti and Mandiant disclosed both vulnerabilities on January 10, 2024, but Mandiant’s investigation found exploitation had begun well before that date, attributing early activity to a suspected China-nexus espionage actor tracked as UNC5221. The actor deployed custom web shells and credential-harvesting tooling, and in some cases attempted to actively evade Ivanti’s own internal integrity checker — the tool customers were told to use to check for compromise.
CISA’s emergency directive
The combination of severity, confirmed nation-state exploitation, and the position of VPN gateways directly on the network perimeter prompted CISA to issue an emergency directive requiring federal civilian agencies to disconnect affected Ivanti Connect Secure and Policy Secure appliances from their networks — not just patch them — pending mitigation. Both CVEs were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog simultaneously.
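A KEV listing is only actionable if it is matched against what an organization actually runs. The following script, added for this article and not part of CISA's or Ivanti's tooling, cross-references a small asset inventory against a sample of KEV-shaped records and produces a triage list with the earliest due date and an overdue flag. The record field names follow the public KEV JSON feed; the two CVE IDs are the ones discussed on this page, but the dates, descriptions, required-action text and the inventory itself are constructed placeholders, not values copied from the catalog.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names mirror the
# public feed; the CVE IDs are from the article, every other value is a placeholder.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-46805",
            "vendorProject": "Ivanti",
            "product": "Connect Secure and Policy Secure",
            "vulnerabilityName": "Authentication bypass in the web component",
            "dateAdded": "2024-01-10",            # placeholder date
            "shortDescription": "Placeholder description.",
            "requiredAction": "Apply mitigations per vendor instructions.",  # placeholder
            "dueDate": "2024-01-22",              # placeholder date
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2024-21887",
            "vendorProject": "Ivanti",
            "product": "Connect Secure and Policy Secure",
            "vulnerabilityName": "Command injection",
            "dateAdded": "2024-01-10",            # placeholder date
            "shortDescription": "Placeholder description.",
            "requiredAction": "Apply mitigations per vendor instructions.",  # placeholder
            "dueDate": "2024-01-22",              # placeholder date
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed asset inventory: hostnames and the vendor/product each one runs.
INVENTORY = [
    {"id": "vpn-gw-01", "vendor": "Ivanti", "product": "Connect Secure"},
    {"id": "vpn-gw-02", "vendor": "Ivanti", "product": "Policy Secure"},
    {"id": "mgmt-01", "vendor": "Ivanti", "product": "Endpoint Manager"},
    {"id": "fw-01", "vendor": "ExampleVendor", "product": "ExampleFirewall"},
]


def load_kev(feed_text: str) -> list:
    """Parse a KEV feed document and return its list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def matches(asset: dict, entry: dict) -> bool:
    """Vendor must match exactly (case-insensitive). KEV often names several products
    in one record, so the asset's product name is matched as a substring of it."""
    if asset["vendor"].lower() != entry["vendorProject"].lower():
        return False
    return asset["product"].lower() in entry["product"].lower()


def triage(inventory: list, kev_entries: list, today: date) -> list:
    """For every asset with at least one KEV hit, return the CVEs, the earliest CISA
    due date, whether that date has passed, and the distinct required actions."""
    findings = []
    for asset in inventory:
        hits = [e for e in kev_entries if matches(asset, e)]
        if not hits:
            continue
        due = min(date.fromisoformat(e["dueDate"]) for e in hits)
        findings.append({
            "asset": asset["id"],
            "cves": sorted(e["cveID"] for e in hits),
            "due": due.isoformat(),
            "overdue": today > due,
            "actions": sorted({e["requiredAction"] for e in hits}),
        })
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY, load_kev(KEV_SAMPLE), date(2024, 2, 1)):
        flag = "OVERDUE" if f["overdue"] else "open"
        print(f"{f['asset']}: {', '.join(f['cves'])} due {f['due']} [{flag}]")
```

Against a live feed the same logic runs over the downloaded `known_exploited_vulnerabilities.json`; the substring match is deliberately loose because a single KEV record commonly covers several products, so a vendor-plus-exact-product join would have missed the Connect Secure appliance here. Output from this script is the start of a disconnect-or-mitigate list, not proof that a device is clean: for the Ivanti case the directive required disconnection regardless of patch state.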
The broader pattern
Ivanti’s edge appliances were the subject of multiple additional vulnerability disclosures throughout 2024, reinforcing a broader trend: VPN gateways, firewalls, and other perimeter devices — designed to be internet-facing by definition — have become a preferred initial-access vector precisely because they sit outside the protections (EDR, internal monitoring) that organizations apply to standard endpoints.
Full chain analysis, affected versions, and Ivanti’s remediation timeline are published in Ivanti’s security advisory and the linked NVD records for both CVEs.
This article describes the vulnerability chain and its real-world impact only — it does not include exploit code or step-by-step attack instructions.