Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, and Ivanti Policy Secure gateways are affected by an authentication bypass vulnerability [CVE-2023-46805] and a command injection vulnerability [CVE-2024-21887] that impact versions 9.x and 22.x.
Shodan indicates that there are more than 17,500 Pulse Connect instances worldwide at this time.
See the resource center.
- The authentication bypass vulnerability [CVE-2023-46805] has a CVSS of 8.2 (material).
- The command injection vulnerability [CVE-2024-21887] has a CVSS of 9.1 (severe).
As high as these scores are individually, the pair warrants treating as more severe than either score on its own. Chaining them lets an unauthenticated remote attacker execute arbitrary commands on the appliance: the authentication bypass removes the credential requirement, and the command injection provides the code execution. Because these gateways sit at the network edge and broker remote access into the organization, arbitrary command execution on them is a serious threat that can be used to pivot deeper into the internal network and lead to a wider breach of sensitive data.
We are currently working to add detection for these vulnerabilities to the product. We do not yet have an ETA, as detections for vulnerabilities like these take time to develop and validate, but we will let you know as soon as the capability is available in-product.