Ivanti Connect Secure / Policy Secure Authentication Bypass
An authentication-bypass vulnerability in the web component of Ivanti Connect Secure and Policy Secure gateways allows a remote attacker to access restricted resources without credentials. In real-world attacks it was chained with CVE-2024-21887 to achieve full remote code execution.
- Vendor: Ivanti
- Product: Connect Secure and Policy Secure
- CVSS: 8.2
- Status: kev
- Published:
CVE-2023-46805 is an authentication-bypass vulnerability affecting the web component of Ivanti Connect Secure (formerly Pulse Connect Secure) and Ivanti Policy Secure gateways. By itself it lets an unauthenticated attacker reach restricted endpoints that should require a valid session.
Ivanti and Mandiant disclosed in January 2024 that this flaw was being actively chained with a separate command-injection vulnerability, CVE-2024-21887, to achieve unauthenticated remote code execution on internet-facing VPN appliances. The chain was exploited in the wild as a zero-day by a suspected nation-state actor before patches were available.
Why it mattered
Edge VPN appliances sit directly on the network perimeter with broad internal access by design, making them high-value targets. CISA issued an emergency directive requiring federal agencies to disconnect or mitigate affected Ivanti devices, and both CVEs were added to the KEV catalog with compressed remediation deadlines.
Mitigation guidance, patch availability, and the full advisory are available from NVD; Ivanti's own security advisory carries the canonical remediation timeline.
