CVE Database · CVE-2024-21887
CVSS v3.1
9.1
EPSS
100.00%
Published
Jan 12, 2024
Modified
Oct 31, 2025
CISA Known Exploited Vulnerability
Added: 2024-01-10 · Due: 2024-01-22
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Public PoC / Exploit (10)
All weaponized →Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.
Description
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HWeaknesses (CWE)
Affected Products (81)
References (5)
...and 31 more