vulnerability
Pulse Secure Pulse Connect Secure: CVE-2023-46805 (Authentication Bypass) and CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:M/C:C/I:C/A:C) | Jan 10, 2024 | May 21, 2024 | Mar 26, 2026 |
Severity
8
CVSS
(AV:N/AC:L/Au:M/C:C/I:C/A:C)
Published
Jan 10, 2024
Added
May 21, 2024
Modified
Mar 26, 2026
Description
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
Solutions
pulse-secure-pulse-connect-secure-upgrade-22_1r6_1pulse-secure-pulse-connect-secure-upgrade-22_2r4_1pulse-secure-pulse-connect-secure-upgrade-22_3r1_1pulse-secure-pulse-connect-secure-upgrade-22_4r2_3pulse-secure-pulse-connect-secure-upgrade-22_5r2_3pulse-secure-pulse-connect-secure-upgrade-22_6r2_2pulse-secure-pulse-connect-secure-upgrade-9_1r18_4
References
- CVE-2024-21887
- https://attackerkb.com/topics/CVE-2024-21887
- https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2024-19498
- CWE-77
- EUVD-EUVD-2024-19498
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.