What We Do
How We Do
Get Started
Security advisories

Third Ivanti Zero-Day Vulnerability (CVE-2024-21893)

January 31, 2024 | 2 MINS READ

Speak With A Security Expert Now



On January 31st, Ivanti disclosed a new actively exploited vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA devices. The exploited vulnerability is tracked as follows: CVE-2024-21893 (CVSS: 8.2) - Server-Side Request Forgery vulnerability. If exploited, an unauthenticated threat actor may access restricted resources on vulnerable devices. The official advisory states that Ivanti is aware of “a small number of customers” that have been impacted via exploitation of this vulnerability.

Ivanti has released security patches to address some of the impacted versions; additional security patches will be released in a staggered approach. At this time, exploitation appears to be limited and targeted in nature. Due to the rapid adoption of past Ivanti zero-day vulnerabilities by threat actors, widespread exploitation of CVE-2024-21893 should be expected in the immediate future.

What we’re doing about it

What you should do about it

Additional information

In addition to CVE-2024-21893, Ivanti disclosed a second vulnerability tracked as CVE-2024-21888 (CVSS: 8.8). This is a privilege escalation vulnerability impacting Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x). Exploitation would allow an authenticated user to elevate their privileges to the level of administrator. There is currently no indication of real-world attacks involving CVE-2024-21888.

CVE-2024-21893 - Impacted Product List:

CVE-2024-21893 is suspected to be related to two previously disclosed Ivanti zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887). These vulnerabilities were disclosed on January 10th, with initial exploitation traced back to early December 2023. The transition from targeted attacks to widespread exploitation occurred only a single day after the vulnerabilities were publicly disclosed. The initial exploitation of CVE-2023-46805 and CVE-2024-21887 was attributed to a China-nexus, espionage threat actor dubbed UNC5221.

Details on the exploitation of CVE-2024-21893 are currently minimal, but it is probable that exploitation of all three vulnerabilities is related. The eSentire Threat Intelligence team assesses with high confidence that CVE-2024-21893 will be adopted by additional threat actor groups and used in widespread attacks in the immediate future.


[1] https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
[2] https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
[3] https://digital.nhs.uk/cyber-alerts/2024/cc-4446
[4] https://www.esentire.com/security-advisories/ivanti-zero-day-vulnerabilities-cve-2023-46805-and-cve-2024-21887
[5] https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day

View Most Recent Advisories