CVE-2024-21893 - Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability
Project: Ivanti
Product: Connect Secure, Policy Secure, and Neurons
Date Added: 2024-01-31
Due Date: 2024-02-02
Vulnerability Name
Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability
Description
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication.
Known To Be Used in Ransomware Campaigns?
Unknown
Action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Additional Notes
https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
https://nvd.nist.gov/vuln/detail/CVE-2024-21893
Related News Articles
Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack (March 12, 2025)
Ivanti fixes maximum severity RCE bug in Endpoint Management software (September 11, 2024)
Ivanti warns of critical vTM auth bypass with public exploit (August 13, 2024)
Exploit Attempts Recorded Against New MOVEit Transfer Vulnerability - Patch ASAP! (June 26, 2024)
Chemical facilities warned of possible data theft in CISA CSAT breach (June 25, 2024)