Overview
Two critical vulnerabilities in Ivanti Connect Secure (formerly Pulse Secure) VPN appliances are being actively exploited in the wild by suspected Chinese nation-state threat actors. The flaws — an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887) — can be chained to achieve unauthenticated remote code execution.
Technical Details
| CVE | Type | CVSS | Exploited |
|---|---|---|---|
| CVE-2024-21887 | Command Injection | 9.1 | Yes |
| CVE-2023-46805 | Auth Bypass | 8.2 | Yes |
Attackers are using the exploit chain to deploy WIREFIRE web shells and ZIPLINE passive backdoors, enabling persistent access even after factory resets.
Observed TTPs
- Initial Access: Exploit chain via internet-exposed Ivanti appliances
- Persistence: WIREFIRE web shell embedded in legitimate Ivanti CGI paths
- Defense Evasion: Log tampering using WARPWIRE credential harvester
- Lateral Movement: Credential dumping via ZIPLINE and internal network scanning
Affected Versions
All Ivanti Connect Secure versions prior to 22.7R2.5 are vulnerable. Ivanti Policy Secure and ZTA Gateways share related attack surface.
Recommended Actions
- Immediately run Ivanti's Integrity Checker Tool — factory reset is insufficient if WIREFIRE is present.
- Apply available patches or follow Ivanti's XML mitigation workaround.
- Rotate all credentials accessible from or stored on the appliance.
- Review VPN logs for anomalous GET/POST requests to /api/v1/totp/user-backup-code/paths.
- Isolate affected appliances and perform forensic review before returning to service.
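As an added detection example (not part of the original alert), the following Python script scans web access-log lines for GET/POST requests to the endpoint named above, URL-decoding each path so that percent-encoded variants of the same request are not missed. It assumes a combined-style access-log format and runs over constructed sample lines; the appliance's real log format may differ.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format (an assumption;
# not taken from the advisory or from an Ivanti appliance).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2024:14:02:11 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.10 - - [10/Jan/2024:14:02:15 +0000] "POST /api/v1/totp/user-backup-code/paths HTTP/1.1" 403 0
198.51.100.7 - - [10/Jan/2024:14:03:02 +0000] "GET /api/v1/totp/user-backup-code/paths HTTP/1.1" 200 1203
198.51.100.7 - - [10/Jan/2024:14:03:40 +0000] "GET /api/v1/totp/user-backup-code%2fpaths HTTP/1.1" 200 88
192.0.2.44 - - [10/Jan/2024:14:05:00 +0000] "GET /dana/home/index.cgi HTTP/1.1" 200 2048
"""

# Parses client IP, timestamp, method, request path and status from one line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint prefix named in the advisory's "Recommended Actions".
SUSPICIOUS_PREFIX = "/api/v1/totp/user-backup-code/"


def normalize_path(path):
    """Strip the query string and decode twice to catch double-encoded paths."""
    return unquote(unquote(path.split("?", 1)[0]))


def find_suspicious_requests(log_text):
    """Return GET/POST requests whose decoded path hits the flagged endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] not in ("GET", "POST"):
            continue
        if normalize_path(m["path"]).startswith(SUSPICIOUS_PREFIX):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"])})
    return hits


def summarize_by_source(hits):
    """Count flagged requests per client IP to prioritise triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspicious_requests(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print(summarize_by_source(hits))
```

A matching request that returned a 2xx status deserves the most attention, since a 403 suggests the mitigation or patch blocked it.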
Source: DailyCyberAlert intelligence synthesis from 20 years of historical threat data.