How to Exploit CVE-2 — A Technical

Secably Research
Jul 18, 2026
5 min read
Vulnerability Research
Cve Cve-2 Exploiting Vulnerability

Exploiting CVE-2

Exploiting CVE-2 enables unauthenticated remote code execution on Ivanti Connect Secure and Ivanti Policy Secure gateways. This critical vulnerability chain combines an authentication bypass with a command injection flaw. Attackers gain full control over affected systems without prior authentication. The combined impact is severe, allowing complete system compromise. CVE-2 comprises two distinct vulnerabilities: an authentication bypass and a command injection. The authentication bypass, originally tracked as CVE-2023-46805, carries a CVSS score of 8.2 (High). The command injection, originally tracked as CVE-2024-21887, has a CVSS score of 9.1 (Critical). When chained, these vulnerabilities allow unauthenticated attackers to execute arbitrary commands on the appliance. All supported versions of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) are affected.

Technical Root Cause Analysis

The authentication bypass component of CVE-2 (CVE-2023-46805) resides in the web component of Ivanti Connect Secure and Policy Secure. It allows a remote attacker to access restricted resources by bypassing control checks. Specifically, the vulnerability exists in the `/api/v1/totp/user-backup-code` endpoint. This endpoint contains a path traversal flaw. Attackers can use this flaw to access public-facing areas without proper authentication by manipulating the URL path. The command injection component of CVE-2 (CVE-2024-21887) affects web components of Ivanti Connect Secure and Policy Secure. It allows an authenticated administrator to execute arbitrary commands by sending specially crafted requests. This vulnerability stems from improper validation of user-supplied input in the web interface. The flaw exists in the `/api/v1/license/key-status/;` API call. An attacker can inject malicious commands that the appliance executes without proper sanitization.

Exploitation Mechanics

Exploiting CVE-2 begins with the authentication bypass. An attacker sends a specially crafted HTTP GET request to a vulnerable endpoint. This request uses path traversal sequences to bypass authentication. For example, by targeting `/api/v1/totp/user-backup-code/../../system/system-information`, an unauthenticated attacker can retrieve system information. This initial bypass provides access to internal API endpoints that typically require authentication. Once authentication is bypassed, the attacker can leverage the command injection vulnerability. They send another specially crafted HTTP request, this time to an endpoint vulnerable to command injection. The `/api/v1/license/keys-status/` endpoint has been identified as vulnerable. An attacker injects commands into parameters that the system processes without sufficient validation. These commands execute with elevated privileges on the appliance. An example of a command injection payload, without weaponization, could involve injecting shell commands into a parameter that is then executed by the system. The command could be part of an HTTP POST request body. The system processes this input, leading to arbitrary command execution. This allows actions like modifying system files, stealing credentials, or deploying backdoors.

POST /api/v1/license/keys-status/;cmd=id HTTP/1.1
Host: vulnerable.ivanti.example.com
Content-Type: application/x-www-form-urlencoded
This crafted request, following the authentication bypass, would attempt to execute the `id` command on the underlying system. The response would indicate successful exploitation if the command output is returned. This chain provides a powerful foothold for attackers.

Detection

Detecting CVE-2 exploitation requires careful monitoring of Ivanti Connect Secure and Policy Secure gateways. Look for unusual log entries related to authentication attempts. Abnormal HTTP requests to management interfaces are also indicators of compromise. Specifically, monitor for requests containing path traversal sequences in URLs or suspicious command-like strings in API calls. Organizations should utilize Ivanti's Integrity Checker Tool (ICT). The ICT helps identify file modifications and other signs of compromise. However, attackers can manipulate the exclusion list of the ICT to evade detection. This makes continuous external scanning important. Secably offers a free website vulnerability scanner that can help identify exposed Ivanti instances and potential attack surface issues. Monitor outbound network traffic from VPN gateways for unexpected connections. Such traffic could indicate command-and-control (C2) communications or data exfiltration. Look for connections to unusual IP addresses or domains. Secably's free port scanner can help identify unexpected open ports on your perimeter, which could be indicative of a backdoor. Review system logs for the execution of unexpected commands or the presence of suspicious files. Threat actors have deployed custom malware and webshells after exploiting CVE-2. These artifacts include THINSPOOL, ZIPLINE, WARPWIRE, LIGHTWIRE, and WIREFIRE. The presence of these files or their related activities signals compromise. Consider using a tool like Zondex for internet-wide scanning to identify exposed services that might be vulnerable.

Remediation Steps

Ivanti released patches to address CVE-2. Applying these security patches is the top priority. Patches remediate both CVE-2023-46805 and CVE-2024-21887. Ivanti provided patches for Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and 22.5R2.2, and for Policy Secure 22.5R1.1, and ZTA 22.6R1.3. Ivanti also provided a mitigation for systems awaiting patch installation. This mitigation is available via the standard download portal. Implement this mitigation immediately if patching is not yet complete. Organizations that have applied the patch do not need to apply the mitigation. If compromise is suspected, assume full device compromise and follow incident response procedures. This involves isolating affected systems, performing forensic analysis, and rebuilding from trusted backups. CISA issued a directive requiring U.S. federal agencies to disconnect Ivanti Connect Secure and Policy Secure products if patches were not applied by a specific deadline. This highlights the severity and urgency of remediation.

Timeline of Disclosure

On January 10, 2024, Ivanti disclosed two zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887. Volexity and Mandiant also reported active exploitation of these vulnerabilities. These vulnerabilities were already being exploited in the wild by sophisticated threat actors. The Cybersecurity and Infrastructure Security Agency (CISA) added both CVEs to its Known Exploited Vulnerabilities (KEV) catalog on January 10, 2024. This underscored the critical nature and active exploitation. Intense scanning for the vulnerability commenced on January 16, 2024. Ivanti began releasing patches for affected versions between January 22 and February 19, 2024. An updated external Integrity Checker Tool became available on April 3, 2024. This tool provides a decrypted snapshot of the appliance for customer review.

Check your site for vulnerabilities

Run a free security scan — no signup, results in seconds.

Related Posts

Stronger security starts with visibility.

Scan your website for vulnerabilities and get actionable insights.