Ivanti Connect Secure Zero-Day: CVE-2024-21887 and CVE-2023-46805 Exploited in the Wild

Two chained zero-days in Ivanti Connect Secure VPN appliances gave attackers unauthenticated remote code execution. Here's what happened and why perimeter devices remain a favorite target.

Yukti Singhal
Security Researcher

On January 10, 2024, Ivanti disclosed two zero-day vulnerabilities affecting its Connect Secure (formerly Pulse Connect Secure) and Policy Secure gateway products. The vulnerabilities, tracked as CVE-2023-46805 (authentication bypass, CVSS 8.2) and CVE-2024-21887 (command injection, CVSS 9.1), were already being actively exploited in the wild when the advisory was published. Security firm Volexity had been tracking exploitation activity since the second week of December 2023, attributed to a suspected Chinese state-sponsored threat actor it designated UTA0178.

The Vulnerability Chain

What made this pair of flaws particularly dangerous was how they complemented each other. CVE-2023-46805 allowed an attacker to bypass authentication checks in the appliance's web component and reach restricted API endpoints. On its own, that gets you in the door but limits what you can do. CVE-2024-21887, on the other hand, was a command injection vulnerability in the same web component that, on its own, required an authenticated administrator to exploit.

Chain them together, and you have unauthenticated remote code execution on a device that sits at the edge of your network, handling VPN connections for your entire workforce.

The authentication bypass worked by inserting path traversal sequences into a request for an endpoint that did not require authentication, so that the request resolved to a restricted API endpoint after the authentication check had already been satisfied. Once past the check, the command injection flaw allowed arbitrary command execution via a crafted parameter sent to specific API endpoints. Because both bugs sat on the same request path, the attacker could send a single HTTP request that bypassed authentication and injected a command in one shot.
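The mechanics of that first stage are worth seeing in code. The following is an added illustration, not Ivanti's code: the route names, log format and sample log lines are constructed. It shows an authentication exemption that is evaluated on the raw request path (defeated by a dot segment, encoded or not), the hardened form that canonicalizes the path before deciding, and a triage routine that looks for the same two-stage pattern in web access logs.

```python
"""Added illustration, not Ivanti's code. Route prefixes, the access-log
format and SAMPLE_LOG are constructed for the example."""
import re
from posixpath import normpath
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical route table for the example.
UNAUTHENTICATED_PREFIXES = ("/api/v1/totp/",)   # callable before login
ADMIN_PREFIXES = ("/api/v1/system/",)           # maintenance functions


def canonicalize(raw_path: str) -> str:
    """Resolve percent-encoding and dot segments the way a router would, so
    '/api/v1/totp/../system/status' becomes '/api/v1/system/status'."""
    canonical = normpath(unquote(raw_path))
    if not canonical.startswith("/"):
        canonical = "/" + canonical
    return canonical


def vulnerable_auth_gate(raw_path: str, has_session: bool) -> bool:
    """Checks the exemption against the raw path, but dispatch happens on the
    canonical path: a traversal string satisfies the exemption and still
    reaches an admin route."""
    if raw_path.startswith(UNAUTHENTICATED_PREFIXES):
        return True
    return has_session


def hardened_auth_gate(raw_path: str, has_session: bool) -> bool:
    """Decide on the same canonical path the router will use, and never
    exempt anything that resolves into the admin tree."""
    canonical = canonicalize(raw_path)
    if canonical.startswith(ADMIN_PREFIXES):
        return has_session
    if canonical.startswith(UNAUTHENTICATED_PREFIXES):
        return True
    return has_session


SHELL_META = re.compile(r"[;|&`$\n]")
LOG_LINE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)


def triage_access_log(lines):
    """Return (src, target, reason) for requests that use dot segments to
    resolve into an admin route, noting whether a parameter also carries shell
    metacharacters (the chained command-injection stage)."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m["target"])
        segments = unquote(parts.path).split("/")
        if ".." not in segments:
            continue                          # no traversal, nothing to see
        canonical = canonicalize(parts.path)
        if not canonical.startswith(ADMIN_PREFIXES):
            continue
        reasons = ["traversal into admin route %s" % canonical]
        for key, values in parse_qs(parts.query, keep_blank_values=True).items():
            if any(SHELL_META.search(v) for v in values):
                reasons.append("shell metacharacters in parameter %r" % key)
        hits.append((m["src"], m["target"], "; ".join(reasons)))
    return hits


# Constructed sample: two benign requests, a traversal probe, then traversal plus injection.
SAMPLE_LOG = [
    '198.51.100.7 "GET /api/v1/totp/backup-codes HTTP/1.1" 200',
    '203.0.113.5 "GET /api/v1/system/status HTTP/1.1" 401',
    '203.0.113.5 "GET /api/v1/totp/../system/status HTTP/1.1" 200',
    '203.0.113.5 "GET /api/v1/totp/../system/connectivity-test?host=127.0.0.1;id HTTP/1.1" 200',
]

if __name__ == "__main__":
    for hit in triage_access_log(SAMPLE_LOG):
        print(hit)
```

The hardened gate also refuses the percent-encoded variant (`%2e%2e`) because it decodes before normalizing; a check that only looks for a literal `..` in the raw string would miss it. The triage routine is deliberately narrow: it keys on dot segments that resolve into a privileged tree, which is the shape of the bypass, rather than on any particular endpoint name.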

What Attackers Did With Access

Volexity's investigation revealed that UTA0178 used the access to deploy webshells, harvest credentials, and move laterally into victim networks. Specifically, the attackers:

  • Deployed the GLASSTOKEN webshell to maintain persistent access
  • Modified legitimate Ivanti components to capture credentials in plaintext
  • Dumped the running configuration, which contained cached Active Directory credentials
  • Used stolen credentials to pivot to internal systems via RDP and SMB
  • Accessed internal web applications and file shares

The attackers also took steps to cover their tracks. They tampered with Ivanti's built-in Integrity Checker Tool (ICT), clearing logs and modifying files to make the compromised appliance appear clean during integrity scans.

The Patching Debacle

What made the situation worse was the timeline. Ivanti disclosed the vulnerabilities on January 10 but did not have patches ready. Instead, they released a mitigation in the form of an XML configuration file that could be imported to block exploitation attempts. Full patches were not released until January 31 for some versions, with other versions following through February.

CISA took the unusual step of issuing Emergency Directive 24-01 on January 19, ordering federal civilian agencies to apply the mitigation as soon as possible and no later than January 22. On January 31, after evidence emerged that the mitigation could be bypassed and that attackers were mass-exploiting the flaws, CISA issued a supplemental direction ordering agencies to disconnect Ivanti Connect Secure and Policy Secure products from their networks entirely, with a reset and patching required before any device returned to service.

The scale was staggering. Internet-wide scans in mid-January, including the Shadowserver Foundation's, counted more than 16,000 Ivanti Connect Secure instances exposed to the internet. Mandiant reported that exploitation had shifted from targeted espionage to broad opportunistic attacks, with multiple threat actors piling on once the vulnerability details became widely understood.

Why VPN Appliances Keep Getting Hit

This incident fits a pattern that security teams should recognize by now. Edge network devices like VPN concentrators, firewalls, and email gateways are some of the most targeted assets in any organization. The reasons are straightforward:

They must be internet-facing. Unlike most internal services, VPN appliances are designed to accept connections from the internet. A firewall in front of one can filter traffic, but the service itself must stay reachable from wherever your users are.

They handle authentication. VPN devices are trust boundaries. Compromising one often gives you valid credentials and network access that bypasses most internal security controls.

They run complex software stacks. Modern VPN appliances are essentially web applications running on embedded Linux. They have web servers, APIs, databases, and custom application logic, all of which can contain vulnerabilities.

Patching is operationally difficult. Taking a VPN appliance offline for patching means cutting off remote access for your users. Organizations often delay patching these devices because the business impact of downtime is immediate and visible.

Visibility is limited. Many organizations lack the ability to run endpoint detection and response (EDR) agents on network appliances. Traditional antivirus does not work on these devices. You are often relying on the vendor's own integrity checking tools, which, as this incident demonstrated, can be subverted.
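The practical answer to a subvertible on-device checker, whether the tampered ICT described above or any vendor tool that runs on the suspect host, is to hash the filesystem with a tool that does not live on the device and diff it against a baseline taken from a known-good image. The example below is added here and is not Ivanti's ICT; the directory layout and file names are constructed, and in practice the tree would be a filesystem image exported from the appliance and mounted on a trusted host.

```python
"""Added example, not Ivanti's ICT: out-of-band file-integrity check.
Build a SHA-256 manifest of a tree, diff it against a baseline, and report
files added, removed and modified. Paths in demo() are constructed."""
import hashlib
import os
import tempfile


def build_manifest(root: str) -> dict:
    """Map each file (relative to root, '/'-separated) to its SHA-256 hex
    digest. Symlinks are recorded by target rather than followed, so a
    planted link cannot pull hashes from outside the tree."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                manifest[rel] = "symlink:" + os.readlink(full)
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Files added, removed and modified relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Snapshot a constructed 'known-good' tree, then simulate the tampering
    pattern from the incident (a modified web component, a dropped web shell,
    a cleared log) and report what the diff shows."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "web", "js"))
        os.makedirs(os.path.join(root, "logs"))
        files = {
            "web/js/login-helper.js": b"// legitimate login helper\n",
            "web/index.cgi": b"#!/bin/sh\necho ok\n",
            "logs/events.log": b"2023-12-12 login admin\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_manifest(root)

        # Constructed tampering: credential capture, web shell, log removal.
        with open(os.path.join(root, "web/js/login-helper.js"), "ab") as fh:
            fh.write(b"// appended: posts credentials elsewhere\n")
        with open(os.path.join(root, "web/dropped.cgi"), "wb") as fh:
            fh.write(b"#!/bin/sh\neval \"$QUERY_STRING\"\n")
        os.remove(os.path.join(root, "logs/events.log"))

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is the part that matters: it has to come from a trusted source (a clean install or a vendor-published image), and the comparison has to run somewhere the attacker could not have touched. A checker whose code and reference hashes both live on the compromised device can be made to report whatever the attacker wants, which is exactly what happened here.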

Lessons for Defenders

The Ivanti zero-day campaign reinforced several defensive principles. First, network segmentation matters. Organizations where the VPN appliance had limited access to internal resources fared much better than those where VPN users landed on a flat network.

Second, monitoring for anomalous outbound connections from edge devices should be standard practice. In Volexity's investigation, the compromised appliances were making unusual outbound connections that should have triggered alerts.
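What that monitoring looks like in practice is a baseline of the appliance's normal outbound destinations and an alert on anything new. The following is an added example, not from the original post or from Volexity's tooling: the flow-record format, addresses, internal ranges and sample records are all constructed. It learns destination tuples from a window believed clean, then aggregates and classifies flows that fall outside it, separating new internal destinations (the appliance initiating SMB or RDP inward is the lateral-movement pattern described above) from new external ones.

```python
"""Added example, not from the original post. Flow format, addresses,
INTERNAL_NETS and the sample records are constructed."""
import ipaddress
from collections import defaultdict

# Constructed: the organization's internal ranges. (ipaddress.is_private is
# not used because it also treats the documentation ranges as private.)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records: "<timestamp> <src> <dst> <proto>/<dport> <bytes_out>"
# Appliance 10.0.0.2 normally talks to DNS, NTP, the domain controller (LDAPS)
# and a vendor update host.
BASELINE_FLOWS = [
    "2023-12-01T00:00:05Z 10.0.0.2 10.0.0.53 udp/53 80",
    "2023-12-01T00:00:07Z 10.0.0.2 10.0.0.123 udp/123 76",
    "2023-12-01T01:12:10Z 10.0.0.2 10.0.0.20 tcp/636 2400",
    "2023-12-02T03:00:00Z 10.0.0.2 192.0.2.10 tcp/443 5100",
]
# Later window: the same routine traffic plus a large transfer to an unknown
# external host and an SMB connection from the appliance to an internal server.
SUSPECT_FLOWS = [
    "2023-12-12T09:15:00Z 10.0.0.2 10.0.0.53 udp/53 80",
    "2023-12-12T09:15:02Z 10.0.0.2 10.0.0.20 tcp/636 2400",
    "2023-12-12T09:20:41Z 10.0.0.2 203.0.113.44 tcp/443 910000",
    "2023-12-12T09:21:03Z 10.0.0.2 203.0.113.44 tcp/443 1200",
    "2023-12-12T09:30:00Z 10.0.0.2 10.0.0.77 tcp/445 3000",
]


def parse_flow(line: str) -> dict:
    ts, src, dst, proto_port, nbytes = line.split()
    proto, port = proto_port.split("/")
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "port": int(port), "bytes": int(nbytes)}


def build_baseline(lines) -> set:
    """Destination tuples seen while the appliance was believed clean."""
    return {(f["src"], f["dst"], f["proto"], f["port"]) for f in map(parse_flow, lines)}


def classify(dst: str) -> str:
    """An appliance that only terminates VPN sessions should not be opening
    new connections inward; a new external peer looks like C2 or exfil."""
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in INTERNAL_NETS):
        return "lateral-movement-candidate"
    return "c2-or-exfil-candidate"


def find_new_egress(baseline: set, lines) -> list:
    """Aggregate flows absent from the baseline by destination tuple and
    return (src, dst, proto, port, flows, bytes_out, label), largest first."""
    agg = defaultdict(lambda: [0, 0])
    for f in map(parse_flow, lines):
        key = (f["src"], f["dst"], f["proto"], f["port"])
        if key not in baseline:
            agg[key][0] += 1
            agg[key][1] += f["bytes"]
    rows = [(*key, n, b, classify(key[1])) for key, (n, b) in agg.items()]
    return sorted(rows, key=lambda r: -r[5])


if __name__ == "__main__":
    for row in find_new_egress(build_baseline(BASELINE_FLOWS), SUSPECT_FLOWS):
        print(row)
```

Two caveats apply when this is used for real. The baseline window must predate the exploitation window, or the attacker's infrastructure gets learned as normal; and the appliance's legitimate destination set is small enough that it is often better to maintain it by hand (resolver, NTP, identity provider, vendor update host) than to learn it from traffic.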

Third, assume breach when dealing with edge device vulnerabilities. If you were running a vulnerable Ivanti appliance during the exploitation window, checking whether your mitigations were applied is not enough. You need to conduct a thorough investigation of the device and any systems it could reach.

How Safeguard.sh Helps

Safeguard.sh provides continuous vulnerability monitoring that tracks CVEs like CVE-2024-21887 and CVE-2023-46805 as soon as they are published. Our SBOM-driven approach means you can instantly identify whether your software inventory includes affected Ivanti versions and prioritize patching based on actual exposure. When CISA issues emergency directives, Safeguard.sh maps them against your asset inventory so you know exactly which devices need attention, not days later after manual audits, but in minutes. For organizations managing complex perimeter infrastructure, that speed difference can mean the difference between a contained incident and a full network compromise.
