
Ivanti Connect Secure Zero-Day Exploitation Chain Enables Full Remote Takeover of Enterprise VPN Appliances

Cybersecurity researchers have uncovered a sophisticated exploitation campaign targeting critical vulnerabilities in Ivanti Connect Secure and Policy Secure appliances, with active exploitation observed as early as December 2023 and intensifying through January 2024. The dual-vulnerability chain, tracked as CVE-2023-46805 and CVE-2024-21887, allows unauthenticated attackers to achieve remote code execution on vulnerable systems, putting thousands of enterprise networks at risk.

The Exploit Mechanics

The attack chain combines two distinct vulnerabilities to devastating effect. CVE-2023-46805, rated CVSS 8.2, is an authentication bypass vulnerability in the web component of Ivanti Connect Secure. This flaw allows an attacker to bypass authentication controls and access restricted resources without valid credentials. CVE-2024-21887, rated CVSS 9.1, is a command injection vulnerability in the same system that enables authenticated attackers to execute arbitrary commands on the underlying operating system.

When chained together, these vulnerabilities create a pathway for unauthenticated remote code execution. An attacker first exploits CVE-2023-46805 to bypass authentication, then leverages the elevated access to trigger CVE-2024-21887 and inject commands. Darktrace’s Security Operations Center observed exploit validation activity using out-of-band testing services like Interactsh and Burp Collaborator, where compromised appliances made GET requests with cURL User-Agent headers to subdomains of domains like oast.live and oast.site.

Affected Systems

The scale of this exploitation is significant. According to research from Censys, approximately 1.5% of 26,000 internet-exposed Ivanti Connect Secure appliances had been compromised by January 22, 2024, with the majority of compromised hosts located within the United States. Both Volexity and Mandiant reported clusters of compromises tracked as UTA0178 and UNC5221 respectively, with evidence pointing to espionage-motivated state-linked actors.

Beyond state-sponsored activity, GreyNoise and Volexity documented cybercriminal operations targeting the same vulnerabilities to deploy cryptocurrency miners. The post-exploitation activities observed by Darktrace included exfiltration of system information, delivery of command-and-control implants hosted on AWS infrastructure, deployment of JavaScript credential stealers, and encrypted C2 communications over port 53. In earlier cases observed starting December 21, 2023, beaconing to IP addresses associated with suspicious hostnames was detected weeks before public disclosure.

The Mitigation Strategy

Ivanti published a Security Advisory on January 10, 2024, addressing both vulnerabilities. Organizations running affected versions should immediately apply the available patches. For systems where patching is not immediately feasible, network segmentation and restricting external access to Connect Secure appliances should be implemented as interim measures.

Security teams should conduct thorough log analysis looking for indicators of compromise, including SSL beaconing to rare external IP addresses, unexpected cURL requests from appliance systems, and connections to known OAST service domains. Organizations should also check for the presence of web shells on affected appliances, as both Volexity and Mandiant reported these as common post-exploitation artifacts.
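One way to hunt for the indicators just listed in outbound-connection logs from an appliance, as an added example that is not part of the original article or of any Ivanti or Darktrace tooling; the pipe-separated log format, field names and sample entries are constructed assumptions:

```python
"""Hunt for post-exploitation indicators in outbound connection logs from a
Connect Secure appliance.  Added example; the log format and field names are
constructed assumptions, not Ivanti's."""
import re
from collections import defaultdict
from datetime import datetime

# Out-of-band testing services named in the article (subdomains are what get contacted).
OAST_DOMAINS = ("oast.live", "oast.site")
CURL_UA = re.compile(r"^curl/", re.I)

# Constructed sample log: ts|src|dst_ip|dst_port|host|user_agent
SAMPLE_LOG = """\
2024-01-12T03:14:05|10.0.0.5|203.0.113.7|80|abc123.oast.live|curl/7.68.0
2024-01-12T03:14:08|10.0.0.5|203.0.113.9|443|updates.example-vendor.com|Mozilla/5.0
2024-01-12T03:20:05|10.0.0.5|198.51.100.20|53|-|-
2024-01-12T03:25:05|10.0.0.5|198.51.100.20|53|-|-
2024-01-12T03:30:05|10.0.0.5|198.51.100.20|53|-|-
2024-01-12T03:31:00|10.0.0.5|203.0.113.9|443|updates.example-vendor.com|Mozilla/5.0
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, src, dst, port, host, ua = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "port": int(port), "host": host, "ua": ua})
    return rows

def find_oast_callbacks(rows):
    """Exploit-validation signature: cURL User-Agent to a subdomain of an OAST service."""
    return [r for r in rows
            if CURL_UA.match(r["ua"]) and r["host"].endswith(tuple("." + d for d in OAST_DOMAINS))]

def find_beacons(rows, min_hits=3, tolerance_s=30):
    """Flag destinations contacted at near-constant intervals (C2 beaconing, e.g. over port 53)."""
    by_dst = defaultdict(list)
    for r in rows:
        by_dst[(r["dst"], r["port"])].append(r["ts"])
    beacons = []
    for key, times in by_dst.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            beacons.append((key, round(sum(gaps) / len(gaps))))  # (dst, port), mean interval in s
    return beacons
```

The beacon check is deliberately simple (constant interval, no jitter handling); on real logs, tune `tolerance_s` and `min_hits` and cross-check flagged destinations against rarity across the fleet.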

Lessons Learned

This incident underscores the persistent threat posed by zero-day vulnerabilities in internet-facing infrastructure. The fact that exploitation began weeks before public disclosure highlights the reality of unknown unknowns in cybersecurity — organizations cannot defend against threats they do not know exist. The Ivanti case demonstrates why defense-in-depth strategies and behavioral anomaly detection are essential complements to signature-based security tools.

The dual nature of the threat — with both state-linked espionage actors and cybercriminal groups exploiting the same vulnerabilities simultaneously — illustrates how quickly critical flaws become commoditized attack vectors. With Bitcoin trading at approximately $41,800 and the broader crypto market capitalization exceeding $1.6 trillion at the time of these attacks, the financial incentives for cryptomining-focused cybercriminals remain substantial.

User Action Required

Organizations using Ivanti Connect Secure or Policy Secure appliances should take immediate action: check the Ivanti security advisory for patch availability, conduct a thorough review of appliance logs for indicators of compromise, implement network monitoring for anomalous outbound connections, and consider deploying behavioral analytics tools that can detect post-exploitation activity even when specific indicators are not yet known. The window between vulnerability discovery and widespread exploitation continues to shrink, making proactive security measures increasingly critical.

Disclaimer: This article is for informational purposes only and does not constitute professional cybersecurity advice. Always consult with qualified security professionals for incident response and vulnerability management.


7 thoughts on “Ivanti Connect Secure Zero-Day Exploitation Chain Enables Full Remote Takeover of Enterprise VPN Appliances”

  1. CVE-2023-46805 plus CVE-2024-21887 is a textbook chain. auth bypass into RCE, game over. Ivanti had no business running custom OS on perimeter devices without proper audit cycles

    1. custom OS on perimeter devices with no proper audit cycle is basically 1990s security practice. 2024 and enterprises are still running this setup

      1. pentest_daily

        custom OS on network perimeter devices in 2024 is negligence. every major vendor does it and they all get popped the same way. salt-based config validation should be mandatory

    2. auth bypass into RCE is the oldest chain in the book and Ivanti still shipped it. enterprise security vendors are somehow held to lower standards than consumer apps

  2. Active since December 2023 and they only disclosed in January? That window where enterprises were unknowingly exposed is the real damage here

    1. that undisclosed window was probably weeks if not months. enterprise VPN appliances don't exactly get patched on a friday afternoon

  3. thousands of appliances exposed and most enterprises don't even know what firmware version they're running. asset inventory is the real problem here
