
Ivanti Connect Secure and Policy Secure Attack

Released: Jan 23, 2024

Updated: Feb 29, 2024

Critical Severity

Vulnerability, Attack Type

Zero-day vulnerabilities actively exploited

Widespread exploitation of zero-day vulnerabilities affecting Ivanti Connect Secure and Policy Secure gateways is underway.


CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure (ICS) and Ivanti Policy Secure that allows a remote attacker to access restricted resources by bypassing control checks. CVE-2024-21887 is a command injection vulnerability in the web components of ICS and Ivanti Policy Secure. When CVE-2024-21887 is chained with CVE-2023-46805, exploitation requires no authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.

Jan 10, 2024: Ivanti disclosed two new vulnerabilities in their ICS and Ivanti Policy Secure gateways: CVE-2023-46805 and CVE-2024-21887.

Jan 18, 2024: FortiGuard Labs released a Threat Signal on the Ivanti Connect Secure and Policy Secure gateway zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887).

Jan 19, 2024: CISA issued an Emergency Directive to federal agencies on the Ivanti zero-day exploits. The Directive requires agencies to apply Ivanti's published mitigation to the affected products immediately in order to prevent further exploitation.

Jan 22, 2024: FortiGuard Labs has released IPS signatures to detect and block the Authentication Bypass (CVE-2023-46805) and Server-Side Request Forgery (CVE-2024-21893) vulnerabilities, and has been observing high IPS activity since the release of the signatures.

Jan 22, 2024: Ivanti plans to begin releasing patches addressing these vulnerabilities on a staggered schedule. Until patches are available, Ivanti has provided a workaround that users can apply to mitigate the risk of exploitation.

Feb 01, 2024: Ivanti identified additional vulnerabilities in ICS, Ivanti Policy Secure, and Ivanti Neurons for ZTA. CVE-2024-21888 allows privilege escalation, and CVE-2024-21893 is a server-side request forgery in the SAML component that allows a threat actor to access certain restricted resources without authentication. The vendor notes in its advisory that CVE-2024-21893 appears to have been used in some targeted attacks and expects attacks to increase. CVE-2024-21893 has also been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.

Feb 9, 2024: Ivanti disclosed a fifth vulnerability, CVE-2024-22024 (an XML external entity, XXE, vulnerability), for ICS and Ivanti Policy Secure.

Feb 13, 2024: A new report by Orange Cyberdefense shows attackers using CVE-2024-21893 to install a new backdoor named DSLog.

Please note, this is an ongoing investigation and as the situation is evolving, FortiGuard Labs will update and add new protections accordingly.

Feb 29, 2024: CISA released a Cybersecurity Advisory on threat actors exploiting vulnerabilities in Ivanti Connect Secure and Policy Secure gateways.

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.

  • Lure

  • Decoy VM

  • AV

  • AV (Pre-filter)

  • IPS

  • Web App Security

  • IOC

  • Outbreak Detection

  • Threat Hunting

  • Playbook

  • Assisted Response Services

  • Automated Response

  • NOC/SOC Training

  • End-User Training

  • Attack Surface Hardening

  • Business Reputation

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.


Indicators of compromise

IOC Indicator List

Indicator                                            Type    Status
oast.me                                              domain  Active  (+ ip)
interact.sh                                          domain  Active
dnslog.cn                                            domain  Active
1433.eu.org                                          domain  Active
fernandestechnical.com                               domain  Active  (+ ip)
d3fbae7eb3d38159913c7e9f4c627149df1882b57998c8a...   file    Active
dev-clientservice.com                                domain  Active  (+ ip)
oast.live                                            domain  Active
oast.online                                          domain  Active
oast.fun                                             domain  Active
oast.pro                                             domain  Active
oast.site                                            domain  Active  (+ ip)
https://biondocenere.com/pub/crl.dat                 url     Active
23190d722ba3fe97d859bd9b086ff33a14ae9aecfc8a2c3...   file    Active  (+ ip, url)
49062378ab3e4a0d78c6db662efb4dbc680808fb75834b4...   file    Active
f93e9bc9583058d82d2d3fe35117cbb9a553d54e7149846...   file    Active  (+ ip)
bc7c7280855c384e5a970a2895363bd5c8db9088977d129...   file    Active  (+ ip, url)
gpoaccess.com                                        domain  Active
https://symantke.com/                                url     Active
symantke.com                                         domain  Active
webb-institute.com                                   domain  Active
dslogconfig.pm                                       domain  Active
sessionserver.pl                                     domain  Active
sessionserver.sh                                     domain  Active  (+ ip)
3d97f55a03ceb4f71671aa2ecf5b24e9                     file    Active
677c1aa6e2503b56fe13e1568a814754                     file    Active
6de651357a15efd01db4e658249d4981                     file    Active
d0c7a334a4d9dcd3c6335ae13bee59ea                     file    Active
030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2...   file    Active
39ead6055306739ab969a3531bde2050f556b05e500894b...   file    Active
45c9578bbceb2ce2b0f10133d2f3f708e78c8b7eb3c52ad...   file    Active
47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e...   file    Active
4cba272d83f6ff353eb05e117a1057699200a996d483ca5...   file    Active
6f684f3a8841d5665d083dcf62e67b19e141d845f6c13ee...   file    Active
73657c062a7cc50a3d51853ec4df904bcb291fdc9cdd08e...   file    Active

Rows marked "(+ ip)" or "(+ ip, url)" carry additional IP address or URL indicators whose values were not rendered on the page; truncated hashes are shown as given.
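As an added example (not part of this FortiGuard page, and not a FortiGuard tool), the following Python script shows how a defender can sweep DNS, proxy and EDR hash logs for the domain, URL and MD5 indicators listed above. The indicator values are copied from the list (the truncated SHA-256 entries are left out because their full values are not on the page); the log lines and their key=value format are constructed for the example. Domains are matched on label boundaries so that the random-label callback subdomains typical of OAST services (for instance something.oast.me) are caught while look-alike names such as notoast.me are not, and hostnames are normalized for case and trailing dots.

```python
import re
from urllib.parse import urlparse

# Domain, URL and full-MD5 indicators copied from the IOC list above.
IOC_DOMAINS = {
    "oast.me", "interact.sh", "dnslog.cn", "1433.eu.org",
    "fernandestechnical.com", "dev-clientservice.com",
    "oast.live", "oast.online", "oast.fun", "oast.pro", "oast.site",
    "gpoaccess.com", "symantke.com", "webb-institute.com",
}
IOC_URLS = {
    "https://biondocenere.com/pub/crl.dat",
    "https://symantke.com/",
}
IOC_MD5 = {
    "3d97f55a03ceb4f71671aa2ecf5b24e9",
    "677c1aa6e2503b56fe13e1568a814754",
    "6de651357a15efd01db4e658249d4981",
    "d0c7a334a4d9dcd3c6335ae13bee59ea",
}

# Field extractors for the constructed key=value log format used in SAMPLE_LOGS.
_QNAME_RE = re.compile(r"\bqname=(\S+)")
_URL_RE = re.compile(r"\burl=(\S+)")
_MD5_RE = re.compile(r"\bmd5=([0-9A-Fa-f]{32})\b")


def normalize_host(host: str) -> str:
    """Lower-case and strip the trailing dot that DNS logs often keep."""
    return host.strip().lower().rstrip(".")


def matching_ioc_domain(host: str):
    """Return the IOC domain that host equals or is a subdomain of, else None.

    Walks the label suffixes (a.b.oast.me -> b.oast.me -> oast.me -> me) so a
    match only happens on a label boundary; 'notoast.me' does not match 'oast.me'.
    """
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_line(line: str):
    """Return a list of (indicator_type, indicator) hits for one log line."""
    hits = []
    m = _QNAME_RE.search(line)
    if m:
        d = matching_ioc_domain(m.group(1))
        if d:
            hits.append(("domain", d))
    m = _URL_RE.search(line)
    if m:
        url = m.group(1)
        if url in IOC_URLS:                      # exact URL indicator
            hits.append(("url", url))
        d = matching_ioc_domain(urlparse(url).hostname or "")
        if d:                                    # host part against domain IOCs
            hits.append(("domain", d))
    m = _MD5_RE.search(line)
    if m and m.group(1).lower() in IOC_MD5:
        hits.append(("file", m.group(1).lower()))
    return hits


def scan_lines(lines):
    """Scan many lines; returns (1-based line number, indicator type, indicator)."""
    return [(n, kind, ioc)
            for n, line in enumerate(lines, 1)
            for kind, ioc in scan_line(line)]


# Constructed sample log lines (not from any real environment).
SAMPLE_LOGS = [
    "2024-01-23T10:15:02Z dns src=10.0.0.5 qname=c2ab1f.oast.me. qtype=A",
    "2024-01-23T10:15:09Z dns src=10.0.0.5 qname=www.example.com. qtype=A",
    "2024-01-23T10:15:30Z dns src=10.0.0.7 qname=notoast.me. qtype=A",
    "2024-01-23T10:16:40Z proxy src=10.0.0.5 method=GET url=https://biondocenere.com/pub/crl.dat status=200",
    "2024-01-23T10:17:05Z proxy src=10.0.0.5 method=GET url=https://Symantke.com/ status=200",
    "2024-01-23T10:20:11Z edr host=vpn-gw01 path=/tmp/a.out md5=3D97F55A03CEB4F71671AA2ECF5B24E9",
]

if __name__ == "__main__":
    for n, kind, ioc in scan_lines(SAMPLE_LOGS):
        print(f"line {n}: {kind} indicator matched: {ioc}")
```

Line 5 of the sample hits only the domain indicator, not the URL one: the exact-URL set is case-sensitive while the parsed hostname is lower-cased, which is why a host-level check is worth running alongside exact URL matching. Replace SAMPLE_LOGS with a real log reader and extend the three regular expressions to your own log schema.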
IOC Threat Activity (last 30 days): Avg 0