Ivanti Connect Secure / Policy Secure Command Injection
A command-injection vulnerability in the web components of Ivanti Connect Secure and Policy Secure lets an authenticated administrator send specially crafted requests to execute arbitrary commands. It has been chained in the wild with the authentication bypass CVE-2023-46805 to achieve unauthenticated RCE.
- Vendor: Ivanti
- Product: Connect Secure and Policy Secure
- CVSS: 9.1
- Status: kev
- Published
CVE-2024-21887 is a command-injection vulnerability in Ivanti Connect Secure and Policy Secure that, on its own, requires administrative authentication to exploit. Its real-world danger comes from being chained with CVE-2023-46805 — an authentication-bypass flaw in the same product line — which removes the authentication requirement entirely.
The chain gives a remote, unauthenticated attacker arbitrary command execution on the appliance. Mandiant attributed early exploitation to a suspected China-nexus espionage actor it tracks as UNC5221, observed deploying custom web shells and credential-harvesting tooling against Ivanti gateways before a patch was public.
Why it mattered
This pairing is a textbook example of a “vulnerability chain” — two flaws that are individually serious but together are catastrophic, turning a managed VPN gateway into a fully remote-exploitable foothold. Both CVEs were added to the CISA KEV catalog simultaneously, and CISA’s emergency directive required disconnecting affected appliances from federal networks pending mitigation.
See the NVD record above and Ivanti’s security advisory for the full chain analysis and patched versions.
