IRONSMITHINTEL
Critical | CVSS 9.1 | Actively Exploited | CISA KEV | CVE-2024-21887 | Auth: none — bypass chained with command injection | Reboot: required | Est. 4 hours including factory reset, patching, and credential rotation | Manual only

Ivanti Connect Secure < 22.7R2.4 — RCE

Command injection in Ivanti Connect Secure combined with an authentication bypass (CVE-2023-46805) enables unauthenticated RCE. Apply the vendor patch — mass exploitation by multiple nation-state actors since January 2024.

Published Jan 10, 2024 · Updated May 15, 2026
Why patch: Risk explained in plain English

Worst-case scenario (if unpatched)

Unauthenticated root code execution on the VPN gateway. Attackers have used this to deploy persistent web shells that survive factory resets, harvest VPN credentials of all users, and establish persistent footholds in enterprise networks. The persistence mechanism deployed by UNC5221 survived Ivanti's initial recommended mitigation steps.

How the attack works: No clicks needed

CVE-2023-46805 is an authentication bypass in the web component of Ivanti Connect Secure. CVE-2024-21887 is a command injection vulnerability accessible to authenticated administrators. Chaining both, an unauthenticated attacker can inject OS commands with the privileges of the root user on the Ivanti appliance.


Am I affected? Quick check

Relevant teams: Network Security Team, VPN Administrators, IT Security

Probably yes if any of these apply:

    Running Ivanti Connect Secure 9.x and 22.x, Ivanti Policy Secure 9.x and 22.x — all versions prior to the February 2024 patch

Fixed in: Ivanti Connect Secure 22.7R2.4 (February 2024 patch)
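As an added helper, not part of this page or of Ivanti's own tooling, the following Python parses the build number shown in the admin UI and compares it against the fixed version stated above; the version-string format (with its optional "(build N)" suffix) and the sample inventory are assumptions constructed for the example. Because the page lists the 9.x branch as affected but gives no fixed build for it, those appliances are returned as "review" rather than cleared on version alone.

```python
import re
from typing import Dict, List, Tuple

# Fixed build stated on this page for Ivanti Connect Secure (22.x branch).
FIXED_VERSION = "22.7R2.4"

# Assumed display format of the build number from System > System Information,
# e.g. "22.7R2.4" or "22.6R2.3 (build 2613)"; the "(build N)" suffix is optional.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)[Rr](\d+)(?:\.(\d+))?(?:\s*\(build\s+\d+\))?\s*$"
)


def parse_ics_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.6R2.3 (build 2613)' into a comparable tuple (22, 6, 2, 3)."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(version: str) -> str:
    """Classify one appliance as 'patched', 'affected' or 'review'.

    'review' covers the 9.x branch: the page lists it as affected but gives no
    fixed build for it, so the version string alone cannot clear it.
    """
    current = parse_ics_version(version)
    fixed = parse_ics_version(FIXED_VERSION)
    if current[0] < fixed[0]:
        return "review"
    return "patched" if current >= fixed else "affected"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by verdict so the affected ones can be scheduled first."""
    groups: Dict[str, List[str]] = {"affected": [], "review": [], "patched": []}
    for host, version in inventory:
        groups[assess(version)].append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("vpn-ams-01", "22.6R2.3 (build 2613)"),
    ("vpn-ams-02", "22.7R2.4"),
    ("vpn-legacy", "9.1R18.3"),
]

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict}: {', '.join(hosts) or '-'}")
```

A "patched" verdict only means the build is at or above the fixed version; it does not replace the integrity check and the factory-reset guidance in the remediation steps below.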
Real-world incidents: What we've seen

Mandiant identified exploitation of these vulnerabilities by at least five nation-state actor clusters (including UNC5221, believed to be China-linked) against global targets. The US CISA ordered all federal agencies to immediately disconnect Ivanti Connect Secure and Policy Secure products in January 2024 — an unprecedented directive. Thousands of organisations across defence, finance, and healthcare were compromised.

How to patch

Manual remediation steps

Estimated time: 4 hours including factory reset, patching, and credential rotation

Check Ivanti Version

From the web admin UI:

    1. Navigate to System > System Information
    2. Note the build number

Run Ivanti Integrity Checker

# From the Ivanti appliance CLI (SSH):
python3 /home/user/integrity-checker/pulse-check.py
# Or download the latest checker from Ivanti support portal

Immediate Mitigation

    1. Import the Ivanti mitigation.xml file (provided by Ivanti) via the admin web UI
    2. Perform a factory reset BEFORE applying the patch (Ivanti recommends this to remove any persistent malware)
    3. Reset all credentials stored in or flowing through the device

Apply the Patch

    1. Download the patch from Ivanti's download portal (support.ivanti.com)
    2. Import via the admin UI: Maintenance > Software Update > Client Package
    3. Restart the appliance

Post-Patch Actions

# Reset all VPN user passwords
# Revoke and reissue all certificates
# Review admin accounts for unauthorised additions
# Check for web shells in /data/runtime/tmp/tt/

PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.