CVE-2024-21887

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-21887
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

9.1 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html Exploit Third Party Advisory VDB Entry
https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US Vendor Advisory
http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html Exploit Third Party Advisory VDB Entry
https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21887 US Government Resource
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r10:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r11:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r11.3:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r11.4:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r11.5:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r12:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r12.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r13:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r13.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r14:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r15:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r15.2:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r16:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r16.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r17:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r17.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r18:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r2:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r3:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r4:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r4.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r4.2:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r4.3:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r5:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r6:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r7:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r8:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r8.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r8.2:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r9:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r9.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.1:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.1:r6:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.2:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.2:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.3:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.4:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.4:r2.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.5:r2.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.6:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.6:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.6:r2:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.0:*:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r10:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r11:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r12:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r13:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r13.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r14:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r15:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r16:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r17:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r18:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r2:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r3:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r3.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r4:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r4.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r4.2:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r5:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r6:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r7:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r8:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r8.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r8.2:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r9:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.1:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.1:r6:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.2:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.2:r3:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.3:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.3:r3:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.4:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.4:r2:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.4:r2.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.5:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.5:r2.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.6:r1:*:*:*:*:*:*
History

31 Oct 2025, 21:56

Type Values Removed Values Added
References () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21887 - () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21887 - US Government Resource

21 Oct 2025, 23:16

Type Values Removed Values Added
References
  • () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21887 -

21 Oct 2025, 20:19

Type Values Removed Values Added
References
  • {'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21887', 'source': '134c704f-9b21-4f2e-91b3-4a467353bcc0'}

21 Oct 2025, 19:20

Type Values Removed Values Added
References
  • () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21887 -

21 Nov 2024, 08:55

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry () http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry
References () https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US - Vendor Advisory () https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US - Vendor Advisory

10 Jun 2024, 16:21

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html - () http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry

22 Jan 2024, 17:15

Type Values Removed Values Added
References
  • () http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html -

12 Jan 2024, 20:46

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.1
References () https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US - () https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US - Vendor Advisory
First Time Ivanti connect Secure
Ivanti
Ivanti policy Secure
CWE CWE-77
CPE cpe:2.3:a:ivanti:connect_secure:9.1:r15:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r5:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r18:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r9.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r4:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r12:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.3:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r3.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r11:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r16:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.4:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r3:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r11.4:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r15:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r17.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r7:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.4:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r4.2:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.5:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r4.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r6:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.6:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r12:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.4:r2:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r5:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r9:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r10:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r8.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r14:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r4.2:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r6:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.2:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.1:r6:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.1:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.2:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r12.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r8.2:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.5:r2.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r15.2:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r13.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r2:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r8:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.6:r2:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r16.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r11.5:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.4:r2.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r13.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r4.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.2:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r13:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.2:r3:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r8.2:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.3:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.1:r6:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r17:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.0:*:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.3:r3:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.5:r2.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r18:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.1:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r11:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r10:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.4:r2.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.6:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r9:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r3:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r4.3:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r8.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r17:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r16:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r13:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r14:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r4:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.6:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r8:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r11.3:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:9.1:r7:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:9.1:r2:*:*:*:*:*:*

12 Jan 2024, 18:05

Type Values Removed Values Added
New CVE
Information

Published : 2024-01-12 17:15

Updated : 2025-10-31 21:56

NVD link : CVE-2024-21887

Mitre link : CVE-2024-21887

CVE.ORG link : CVE-2024-21887

JSON object : View

Products Affected

ivanti

  • connect_secure
  • policy_secure
CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')