
CVE-2023-46805 and CVE-2024-21887 Explained: Ivanti Connect Secure Zero-Day Chain

Two zero-day vulnerabilities in Ivanti Connect Secure — an authentication bypass chained with a command injection — enabled unauthenticated remote code execution on a VPN platform protecting thousands of enterprise and government networks. CISA issued an emergency directive ordering federal agencies to disconnect within 48 hours.

9.1: CVE-2024-21887 CVSS (chain)
2,100+: devices compromised before patch
0-day: 14+ days of zero-day exploitation
48 hrs: CISA federal disconnect deadline

CVE-2023-46805 and CVE-2024-21887 are two zero-day vulnerabilities in Ivanti Connect Secure — the VPN gateway platform formerly known as Pulse Connect Secure — that when chained produce unauthenticated remote code execution on the appliance. Ivanti Connect Secure is deployed by thousands of enterprises and government agencies as their primary remote access VPN gateway, making its compromise equivalent to defeating the perimeter for everything behind it.

Volexity first observed active exploitation on December 3, 2023. Ivanti published an advisory on January 10, 2024 — 38 days after exploitation began — with mitigations and an Integrity Checker Tool, but no patch. Patches for most versions did not arrive until late January and February 2024. CISA issued Emergency Directive 24-01 on January 19, 2024, ordering all federal agencies to disconnect or mitigate within 48 hours. By the time patches were available, over 2,100 devices worldwide had been compromised.

How the Two CVEs Chain to Produce Unauthenticated RCE

Ivanti Connect Secure exposes a web interface for VPN authentication and a separate administrative interface. The authentication bypass (CVE-2023-46805) exploits a flaw in the path-based routing logic for REST API endpoints. Certain API paths that should require authentication are reachable by manipulating the URL to bypass the authentication middleware — similar in concept to ConnectWise ScreenConnect's trailing slash bypass.
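The class of flaw described above, shown as an added example that is not Ivanti's code and makes no claim about the appliance's actual routing table: an authentication check applied to the raw request path while the router dispatches on the canonicalized path. The endpoint names (`/api/v1/public/`, `/api/v1/admin/`) are constructed. The hardened version canonicalizes before the authorization decision and default-denies anything that is not an exact public prefix.

```python
import posixpath
from urllib.parse import unquote

# Constructed endpoint table: which API prefixes may be reached without a session.
# These names are hypothetical and stand in for any REST API with mixed public/admin routes.
PUBLIC_PREFIXES = ("/api/v1/public/",)
ADMIN_PREFIXES = ("/api/v1/admin/",)


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path the way a router sees it: percent-decode,
    collapse duplicate slashes, and resolve '.' and '..' segments."""
    decoded = unquote(raw_path)
    normalized = posixpath.normpath(decoded)  # collapses '//' and resolves '..'
    if not normalized.startswith("/"):
        normalized = "/" + normalized
    # Keep a trailing slash so prefix checks on directory-style paths still match.
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def vulnerable_requires_auth(raw_path: str) -> bool:
    """Flawed middleware: decides on the raw path, before canonicalization.
    A public prefix followed by traversal segments is treated as public."""
    return not raw_path.startswith(PUBLIC_PREFIXES)


def hardened_requires_auth(raw_path: str) -> bool:
    """Hardened middleware: canonicalize first, then default-deny.
    Only a match on a known public prefix skips authentication."""
    path = normalize_path(raw_path)
    if any(path.startswith(p) for p in PUBLIC_PREFIXES):
        return False
    return True  # admin and unknown paths both require a session


def route(raw_path: str) -> str:
    """The router: dispatches on the canonical path, which is what the handler sees."""
    path = normalize_path(raw_path)
    if any(path.startswith(p) for p in ADMIN_PREFIXES):
        return "admin-handler"
    if any(path.startswith(p) for p in PUBLIC_PREFIXES):
        return "public-handler"
    return "not-found"


def request_outcome(raw_path: str, middleware) -> str:
    """Simulate one unauthenticated request: the handler it reaches, or '401'."""
    if middleware(raw_path):
        return "401"
    return route(raw_path)
```

The mismatch is the whole bug: the middleware and the router look at two different strings. Any authorization layer that sits in front of a router must see exactly the path the router will dispatch on, and must deny by default rather than allow by default.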

With the authentication check bypassed, the attacker has access to administrative API endpoints. CVE-2024-21887 is a command injection vulnerability in one of these endpoints — specifically the web component that handles configuration parameters. By supplying OS command metacharacters in a parameter that is passed unsanitised to a shell command, the attacker executes arbitrary OS commands as the root user on the appliance.
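The unsanitised-parameter pattern described above beside its two-layer fix, as an added example in Python that is not Ivanti's code: `echo` stands in for whatever external program the configuration handler invokes, and the hostname allowlist is a constructed policy for a hostname-like parameter.

```python
import re
import subprocess

# Constructed allowlist for a hostname-like configuration parameter: letters, digits,
# dots and hyphens, bounded length. Anything else is rejected before it is used.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def is_allowed(value: str) -> bool:
    """True only if the whole value matches the allowlist pattern."""
    return HOSTNAME_RE.fullmatch(value) is not None


def unsafe_echo(value: str) -> str:
    """Vulnerable pattern: the parameter is interpolated into a shell command string,
    so shell metacharacters in 'value' become part of the command line."""
    completed = subprocess.run(
        f"echo {value}", shell=True, capture_output=True, text=True
    )
    return completed.stdout


def argv_echo(value: str) -> str:
    """First fix: no shell. The parameter is one argv element and reaches the
    program as a single literal argument, metacharacters included."""
    completed = subprocess.run(["echo", value], capture_output=True, text=True)
    return completed.stdout


def validated_echo(value: str) -> str:
    """Second fix, layered on the first: reject anything outside the allowlist
    so a malformed parameter never reaches an external program at all."""
    if not is_allowed(value):
        raise ValueError("parameter rejected by allowlist")
    return argv_echo(value)
```

Passing an argv list removes the shell from the path entirely; the allowlist then narrows the input to what the handler actually needs. Either alone is an improvement, but the combination is what a configuration endpoint running as root should have.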

The exploit chain is: (1) bypass authentication via CVE-2023-46805, (2) call the vulnerable administrative endpoint with a command injection payload via CVE-2024-21887, (3) achieve root RCE. The entire chain is executable from the internet-facing side of the appliance with no credentials.

1. Identify internet-exposed Ivanti Connect Secure gateways

Ivanti Connect Secure gateways are identifiable by their SSL VPN login page and certificate. Shodan indexed tens of thousands of exposed instances. Attacker scanning tools focused on gateways running version ranges known to be vulnerable.

2. Bypass authentication via CVE-2023-46805

Send a crafted HTTP request to a REST API endpoint with a URL path that bypasses the authentication middleware. The appliance processes the request as authenticated without verifying credentials.

3. Execute OS commands via CVE-2024-21887

Call the vulnerable administrative API endpoint (accessible via the bypassed authentication) with a parameter containing OS command injection metacharacters. The command executes as root on the VPN appliance.

4. Deploy persistent malware families

UNC5221 deployed LIGHTWIRE (web shell written in Perl embedded in legitimate CGI scripts), ZIPLINE (passive backdoor intercepting network traffic), WARPWIRE (JavaScript credential harvester in the login page), and THINSPOOL (dropper for writing additional payloads to persistent storage).

5. Harvest credentials and pivot to internal network

WARPWIRE collected VPN credentials from users authenticating to the gateway. ZIPLINE enabled passive C2 communications. The compromised gateway's internal routing access enabled lateral movement to internal network segments accessible via VPN.

UNC5221 Malware Families and Tradecraft

UNC5221 demonstrated sophisticated tradecraft specifically designed for VPN appliance persistence. Unlike endpoint-targeted malware, the tools were built for network appliances with embedded operating systems and limited monitoring:

LIGHTWIRE: A web shell written in Perl, embedded directly inside a legitimate Ivanti CGI script (compcheckresult.cgi). It passes through output of the legitimate script while also processing attacker commands — making it difficult to distinguish from normal traffic.

ZIPLINE: A passive backdoor that intercepts network traffic at a low level. It communicates via a custom protocol multiplexed over legitimate HTTPS traffic, making it nearly invisible to network monitoring tools.

WARPWIRE: JavaScript injected into the Ivanti login page that harvests plaintext VPN credentials at the point of entry and exfiltrates them to a remote server. Users logging in normally were unknowingly handing credentials to the attacker.

THINSPOOL: A dropper that writes payloads to the appliance's persistent storage partition, surviving both service restarts and standard upgrade processes — which is why factory reset was required for complete remediation.
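A compensating detection for the WARPWIRE technique described above, added here as an example that is neither Ivanti's nor Mandiant's tooling: retrieve the login page from the outside, enumerate every script element, and compare it against a baseline of known-good external sources and inline-script hashes. The HTML, the `/static/login.js` path, the `updates.invalid` host and the inline snippets are all constructed; a real deployment would capture the baseline from a freshly imaged appliance.

```python
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collects every <script> element: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute values
        self.inline = []     # inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def inline_hash(body: str) -> str:
    """SHA-256 of an inline script body with surrounding whitespace removed."""
    return hashlib.sha256(body.strip().encode()).hexdigest()


def audit_login_page(html: str, allowed_src: set, allowed_inline_hashes: set) -> list:
    """Return findings for every script not in the baseline; an empty list means the
    page carries exactly the scripts it carried when the baseline was taken."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        if src not in allowed_src:
            findings.append(f"unexpected external script: {src}")
    for body in collector.inline:
        digest = inline_hash(body)
        if digest not in allowed_inline_hashes:
            findings.append(f"unexpected inline script sha256={digest}")
    return findings


# Constructed baseline: what the clean login page is expected to contain.
BASELINE_INLINE = "document.getElementById('user').focus();"
BASELINE_SRC = {"/static/login.js"}                 # hypothetical path, not an Ivanti asset
BASELINE_HASHES = {inline_hash(BASELINE_INLINE)}

# Constructed sample pages (not captured from a real appliance).
CLEAN_PAGE = f"""<html><body>
<form id="login"><input id="user"><input id="pass" type="password"></form>
<script src="/static/login.js"></script>
<script>
  {BASELINE_INLINE}
</script>
</body></html>"""

# Same page with one unlisted external script and one unknown inline script added.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="https://updates.invalid/loader.js"></script>'
    "<script>window.__t = Date.now();</script></body>",
)
```

Because the check runs from the client side of the gateway, it does not depend on the appliance's own integrity tooling or on access to its storage partitions; it only answers the narrow question of whether the page users see has changed.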

UNC5221 modified legitimate Ivanti files and deployed new files to the appliances to establish persistence, harvest credentials, and gain backdoor access. The group demonstrated familiarity with Ivanti's appliance architecture.

Mandiant, January 2024

Patching and Fully Remediating CVE-2023-46805 and CVE-2024-21887

Ivanti released patches on a rolling schedule through January and February 2024. For any device that ran vulnerable firmware in an internet-accessible state, patching alone is insufficient — the factory reset process is mandatory.

Factory reset to known-good state before patching

Ivanti and CISA confirmed that attacker-installed backdoors (particularly THINSPOOL and ZIPLINE) survive standard upgrade processes. Before applying the patch, perform a full factory reset of the appliance to a clean base image. This is the only reliable way to evict persistence mechanisms that write to the persistent storage partition.

Apply the patched firmware version for your product version

After factory reset, apply the current patched firmware. Check Ivanti's Security Advisory SA-2024-0135 for version-specific patch information. Verify the running version matches the patched release before reconnecting to the network.

Run Ivanti's Integrity Checker Tool (ICT) — and understand its limitations

Ivanti published an ICT to detect known compromise indicators. However, CISA subsequently confirmed that the ICT does not detect all persistence mechanisms — particularly those targeting the appliance's unmonitored storage partitions. A clean ICT result is not a guarantee of no compromise. Factory reset is the definitive remediation.

Rotate all VPN credentials and certificates

WARPWIRE harvested VPN credentials from users authenticating during the compromise window. Require all VPN users to change passwords. Revoke and reissue all SSL certificates on the appliance. Reset all accounts with administrative access to Ivanti Connect Secure. Invalidate all active VPN sessions.

Review internal network for lateral movement from VPN segment

The compromised VPN gateway had routing access to all internal network segments reachable via VPN. Conduct threat hunting on internal systems accessible from the VPN segment, looking for indicators consistent with UNC5221 tooling and lateral movement originating from the VPN gateway's IP address.
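A starting point for the hunt described in the last step, added as an example that is not drawn from Mandiant's or CISA's guidance: over flow records, flag connections whose source is the gateway's internal interface and whose destination and port were never seen in a pre-compromise baseline window, with administrative ports sorted to the top. The record format, the gateway address, the port list and the sample log are constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime

Flow = namedtuple("Flow", "ts src dst dport")

# Constructed: the gateway's internal-side address and ports commonly used for
# lateral movement from a compromised network appliance.
GATEWAY_IP = "10.0.0.5"
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}


def parse_flows(lines):
    """Parse 'ISO-timestamp src dst dport' records; skip malformed lines rather than abort."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            flows.append(Flow(datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows


def baseline_pairs(flows, until):
    """(dst, dport) pairs the gateway itself talked to before the suspected compromise window."""
    return {(f.dst, f.dport) for f in flows if f.src == GATEWAY_IP and f.ts < until}


def hunt(flows, compromise_start):
    """Gateway-originated flows from 'compromise_start' onward whose (dst, dport) pair is new
    relative to the baseline, ordered so admin-port hits come first, then by time."""
    known = baseline_pairs(flows, compromise_start)
    hits = [
        f for f in flows
        if f.src == GATEWAY_IP and f.ts >= compromise_start and (f.dst, f.dport) not in known
    ]
    return sorted(hits, key=lambda f: (f.dport not in ADMIN_PORTS, f.ts))


# Constructed sample records (not real telemetry). The first two lines are baseline traffic;
# the gateway normally only reaches the directory servers on 443 and 636.
SAMPLE_LOG = """\
2023-11-20T09:00:00 10.0.0.5 10.0.1.10 443
2023-11-21T09:05:00 10.0.0.5 10.0.1.11 636
2023-12-04T02:13:00 10.0.0.5 10.0.1.10 443
2023-12-04T02:15:00 10.0.0.5 10.0.2.20 445
2023-12-04T02:16:00 10.0.0.5 10.0.2.21 3389
2023-12-04T02:17:00 10.0.0.5 10.0.3.30 8443
2023-12-04T02:18:00 10.0.9.9 10.0.2.20 445
garbage line
"""
COMPROMISE_START = datetime(2023, 12, 3)  # earliest exploitation date reported by Volexity
```

The baseline is the important part: a VPN gateway normally originates very little traffic of its own (directory lookups, logging, updates), so anything new from its address toward file-sharing or remote-management ports is a narrow, high-signal set to triage first.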

The bottom line

The Ivanti Connect Secure zero-day chain illustrates a recurring pattern: VPN appliances are high-value targets because they sit at the perimeter, process authenticated user traffic, and have routing access to internal networks. Compromising the VPN gateway is compromising the perimeter.

UNC5221's toolkit — particularly WARPWIRE's credential harvesting from the login page itself — demonstrates that even users who are not directly exploited become victims. Everyone who authenticated to a compromised Ivanti gateway during the exploitation window had their credentials stolen, regardless of whether their own device was touched.

For organisations still running legacy Pulse Secure hardware rebranded as Ivanti, this vulnerability series is a strong signal to evaluate migration to alternative VPN solutions. Ivanti has disclosed multiple high-severity VPN vulnerabilities across 2023 and 2024, and the appliance architecture has shown repeated susceptibility to persistent compromise.

Frequently asked questions

What are CVE-2023-46805 and CVE-2024-21887?

CVE-2023-46805 is an authentication bypass (CVSS 8.2) in Ivanti Connect Secure and Policy Secure VPN gateways. CVE-2024-21887 is a command injection (CVSS 9.1) in the same products that requires authentication to exploit alone. When chained together, an unauthenticated attacker can bypass authentication via CVE-2023-46805 and then execute arbitrary OS commands via CVE-2024-21887, achieving full remote code execution on the VPN appliance.

Which Ivanti products are affected?

Ivanti Connect Secure (all supported versions as of January 2024) and Ivanti Policy Secure (all supported versions) are affected by both CVEs. Ivanti's ZTA gateways are also impacted by CVE-2023-46805. Cloud Services Application (Ivanti CSA) is not affected by this specific chain.

Were CVE-2023-46805 and CVE-2024-21887 exploited as zero-days?

Yes. Volexity detected active exploitation beginning December 3, 2023 — more than five weeks before Ivanti issued an advisory on January 10, 2024. Mandiant confirmed a second threat actor cluster was also exploiting the vulnerabilities independently. At least 2,100 devices globally were compromised before any patch was available.

Who exploited CVE-2023-46805 and CVE-2024-21887?

Mandiant attributed the primary exploitation to UNC5221, a suspected Chinese state-sponsored threat actor. UNC5221 deployed five distinct malware families on compromised Ivanti devices, including LIGHTWIRE (web shell), ZIPLINE (passive backdoor), WARPWIRE (credential harvester), and THINSPOOL (dropper). A second unattributed cluster was also observed exploiting the same vulnerabilities.

What did CISA Emergency Directive 24-01 require?

CISA ED 24-01 required all Federal Civilian Executive Branch agencies to immediately implement Ivanti's published mitigation or disconnect affected Ivanti Connect Secure and Policy Secure products from agency networks by January 22, 2024 — 12 days after the advisory. Agencies were also required to hunt for threat actor activity and report their status to CISA.

Why was a factory reset required and not just patching?

The malware families deployed by UNC5221 — particularly ZIPLINE and THINSPOOL — survived standard upgrade processes. Ivanti and CISA confirmed that simply applying patches to a compromised device was insufficient because attacker-installed backdoors persisted through upgrades. The recommended remediation required a factory reset to known-good state, followed by patch application, credential rotation, and certificate reissuance.

Sources & references

  1. NVD — CVE-2023-46805
  2. NVD — CVE-2024-21887
  3. Volexity — Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
  4. Mandiant — Suspected APT Actor Exploits Ivanti Connect Secure Vulnerabilities
  5. CISA Emergency Directive 24-01

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.