Open Nav
Sign Up

Mass Exploitation of SSRF Flaw in Ivanti VPN Products (CVE-2024-21893)

Bar Refael

February 7, 2024

A server-side request forgery (SSRF) vulnerability in Ivanti’s VPN products, including Connect Secure, Policy Secure, and Neurons for ZTA, has been subjected to widespread exploitation. This critical flaw, identified as CVE-2024-21893 (also known as CVE-2023-36661), has prompted significant attention from the cybersecurity community due to its severe implications and the rapid escalation of attacks following the public disclosure and release of a proof-of-concept (PoC) exploit.

Vulnerability Details

  • CVE ID: CVE-2024-21893 (alias CVE-2023-36661)
  • CVSS Score: 8.2
  • Affected Components: SAML component of Ivanti VPN products
  • Impact: Allows attackers to access restricted resources without authentication, leading to information disclosure and potential unauthorized actions within the affected system.

The SSRF vulnerability is linked to the open-source Shibboleth XMLTooling library, which was addressed in June 2023 with version 3.2.4. Despite the fix, Ivanti’s products remained vulnerable due to the inclusion of the flawed library.

Attack Scenario and Exploitation

Attackers are exploiting this vulnerability to establish reverse shells among other malicious activities, using an exploit chain that combines CVE-2024-21893 with CVE-2024-21887, a command injection flaw previously patched. This combination facilitates unauthenticated remote code execution, significantly raising the threat level.

The Shadowserver Foundation reported attacks originating from over 170 unique IP addresses, highlighting the mass exploitation of this vulnerability. Furthermore, outdated components within Ivanti VPN appliances, as identified by security researcher Will Dormann, could expose additional vulnerabilities, increasing the risk of compromise.

Response and Mitigation

Following the increase in attack activities, Ivanti has released official patches to address CVE-2024-21893 and associated vulnerabilities. The company had earlier provided mitigation files, but with attackers bypassing initial fixes, a more comprehensive patching strategy was required.

Threat Landscape and Impact

The exploitation of Ivanti VPN products has been linked to the deployment of custom web shells, such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE, by various threat actors. This situation underscores the attractiveness of such vulnerabilities to cybercriminals aiming to infiltrate corporate networks.

A significant number of Ivanti Connect Secure and Policy Secure instances have been found exposed worldwide, with a considerable portion confirmed as compromised. This widespread exposure and subsequent exploitation prompted cybersecurity entities across the European Union to issue heightened advisories. These advisories urge organizations to apply the provided patches and adhere to Ivanti’s guidance to mitigate risks effectively.

The mass exploitation of the SSRF vulnerability in Ivanti VPN products serves as a stark reminder of the critical importance of timely vulnerability management and the potential consequences of delayed patching. Organizations using affected Ivanti products must prioritize the application of available patches and review their security posture to prevent potential breaches. The incident highlights the continuous need for vigilance and proactive measures in the face of evolving cyber threats.

Stay safe and informed,

OP Innovate.

Resources highlights

CVE-2026-46817: Critical Oracle E-Business Suite Vulnerability

A critical vulnerability in Oracle E-Business Suite is now being actively exploited in the wild. Tracked as CVE-2026-46817, the flaw affects the File Transmission component…

Read more >

cve-2026-46817-oracle-e-business

Cisco Unified CM Vulnerability CVE-2026-20230 Targeted After Public PoC Disclosure 

Cisco has disclosed and patched CVE-2026-20230, a critical SSRF vulnerability affecting Cisco Unified Communications Manager and Unified CM SME when the WebDialer service is enabled.…

Read more >

CVE-2026-20230

Microsoft Confirms Unpatched RoguePlanet Defender Zero-Day (CVE-2026-50656)

Microsoft has confirmed a new Microsoft Defender zero-day vulnerability tracked as CVE-2026-50656 and publicly referred to as RoguePlanet. The flaw affects the Microsoft Malware Protection…

Read more >

RoguePlanet_cve-2026-50656

FortiBleed Campaign Exposes Fortinet Firewall and VPN Credentials at Scale

A large-scale credential abuse campaign dubbed FortiBleed has reportedly affected tens of thousands of Fortinet firewall and VPN devices worldwide. Public reporting indicates that threat…

Read more >

fortibleed

Fortinet FortiSandbox Under Active Attack (CVE-2026-39813 & Others)

Threat actors are actively exploiting multiple critical vulnerabilities affecting Fortinet FortiSandbox. The reported activity involves three unauthenticated vulnerabilities: CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. These flaws are…

Read more >

cve-2026-39813

Critical Wazuh Manager Vulnerability Enables Alert Tampering and Security Evidence Deletion

A critical vulnerability has been disclosed in Wazuh Manager that could allow attackers to tamper with security data, delete alerts, and manipulate forensic evidence stored…

Read more >

wazuh manager vulnerability
Under Cyber Attack?

Fill out the form and we will contact you immediately.