Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

Increased Threat Activity Targeting Ivanti Vulnerabilities

A recent surge in activity targeting Ivanti Connect Secure (ICS) involves chaining two vulnerabilities that give threat actors the ability to execute arbitrary commands remotely.
Jason Hill
2 min read
Last updated March 20, 2024
hand coming out of Invanti logo to symbolize threat actor

Varonis Threat Labs has seen a recent surge in threat actor activity targeting Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, and Ivanti Policy Secure VPN gateways.

The incidents involve chaining two vulnerabilities — CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection vulnerability — that lead to threat actors gaining the ability to remotely execute arbitrary commands.

Details of these vulnerabilities were publicly disclosed on January 10, 2024, and were quickly followed by the release of proof-of-concept (POC) code (POC 1, POC 2) as exploit modules for the popular Metasploit attack framework.

Initial reports indicate that a threat actor began exploiting targets as early as December 2023, with increased activity continuing as more cybercriminals incorporate these exploits and techniques into their attack toolsets.

This information, coupled with a recent Shodan query that indicates that nearly thirty thousand appliances might be online, underscores the need for organizations to ensure they are adequately prepared for and protected from today’s cyber threats.


Shodan query for potential Ivanti deployments

Today’s threat landscape

Initial incidents involving the Ivanti vulnerabilities were attributed to a suspected Chinese-nexus threat actor known as ‘UTA0178’ and ‘UNC5221,’ along with recent activity being linked to a financially motivated threat actor dubbed ‘Magnet Goblin’ by Check Point.

Amongst the worldwide reports of organizations being targeted and compromised by various threat actors, the United States Cybersecurity and Infrastructure Security Agency (CISA) recently confirmed that it had identified malicious activity arising from the compromise of its own Ivanti products.

The CISA incident details are somewhat vague currently, but it is understood that threat actors have stolen credentials from compromised appliances and deployed webshells and reverse shells to gain and maintain persistence.

We continue to see threat actors using data exfiltration in the current threat landscape that are motivated by espionage and financial gain. Those motivated by financial gains often engage in ransomware and data extortion campaigns that quickly leverage emerging exploits to gain access to an organization’s data assets.

Regardless of who is responsible or what their motivations are, organizations should continue to act promptly, minimizing the window of exposure between vulnerability disclosure and remediation.


The attack chain commences with the exploitation of CVE-2023-46805, a high-severity authentication bypass vulnerability with a CVSSv3 base score of 8.2, affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure versions 9.x and 22.x.

As demonstrated in the publicly available Metasploit module, a target appliance can be queried on a specific API endpoint to determine its vulnerability based on the HTTP response. If vulnerable, the API endpoint can be manipulated to traverse the directory structure and access a sensitive endpoint for further exploitation.


Following the authentication bypass, CVE-2024-21887 — a critical severity command injection vulnerability with a CVSSv3 base score of 9.1 — sends specially crafted requests that execute arbitrary commands on the affected appliance.

Without CVE-2023-46085, exploitation of this vulnerability would require authentication as an administrator, hence the severity when chained with the authentication bypass.

Based on a secondary public Metasploit module, this vulnerability arises from using the XMLTooling library that can be exploited with a Server-Side Request Forgery (SSRF).


In addition to assuming that a vulnerable device may have already been compromised, including the potential for rootkit-level persistence, CISA encourages organizations to believe that user and service account credentials within the affected appliance are also compromised.

In the first instance, organizations utilizing potentially vulnerable appliances should review both the updated Ivanti article and the Recovery Steps article for details of available patches, mitigations, and recovery steps, along with their Integrity Checker Tool (ICT).

When considering the use of Ivanti’s ICT, both Ivanti themselves and multiple national cybersecurity teams warn that the tool provides a point-in-time snapshot of the affected appliance and, as such, may not detect threats if the threat actor has restored it to a clean state.

Furthermore, it is recommended that organizations utilize Ivanti’s external ICT to avoid any malicious manipulation of results alongside continuous monitoring.

At Varonis, our Managed Detection and Response (MDDR) team helps mitigate complex threats to your most valuable asset: data.

We protect your business from material data breaches with 24x7x365 incident response, alert monitoring, and security posture management from Varonis data security experts.

Learn more about Varonis MDDR and schedule a quick demo with our team to reduce your risks without taking any.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

SecurityRWD - Introduction to AWS Identity and Access Management (IAM)
Kilian Englert and Ryan O'Boyle from the Varonis Cloud Architecture team compare and contrast Amazon Web Services Identity and Access Management against a traditional on-prem setup with Active Directory. Listen in as the team discusses how AWS IAM goes beyond simple user and group management to creating an entire network and defining access to network resources and infrastructure.
Threat Update 66 - Not The "Cloud Solution" You Are Expecting
To celebrate Thanksgiving in the U.S., Kilian and Ryan discuss a solution that contains the closest thing they can find to actual tiny clouds, as well as additional elements necessary...
Threat Update #10
An alert notifies you that something suspicious is going on. Minutes matter, so you call the Varonis Incident Response team to help. Security investigators must act fast, but where do...
Rogue Shortcuts: LNK'ing to Badness
Learn how threat actors continue to manipulate Windows shortcut files (LNKs) as an exploit technique.