Cyber Security Alert: CVEs affecting Ivanti Connect Secure

The NCSC would like to draw your attention to two zero-day vulnerabilities CVE-2023-46805 and CVE-2024-21887 affecting Ivanti Connect Secure. The NCSC is aware of public reporting of active exploitation in the wild from early December 2023.

Chaining these two vulnerabilities can lead to unauthenticated arbitrary command execution on the affected appliance. These vulnerabilities affect all supported versions of Ivanti Connect Secure (9.x and 22.x).

  • CVE-2023-46805 (CVSS 8.2) is an authentication bypass vulnerability, allowing a remote attacker to access restricted resources by bypassing control checks.
  • CVE-2024-21887 (CVSS 9.1) is a command injection vulnerability, allowing an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

The NCSC encourages organisations in New Zealand that use the affected product to review the vendor advisory and apply the mitigations as soon as possible. Organisations should continue to monitor the advisory and patch immediately once patches become available.

If your organisation sees any evidence of compromise related to CVE-2023-46805 and CVE-2024-21887, please contact ncscincidents@ncsc.govt.nz.

For more NCSC NZ updates, follow us on LinkedIn.