CVE-2021-44529

CRITICAL KEV RANSOMWARE NUCLEI

Ivanti Endpoint Manager Cloud Services Appliance < 4.5 - Unauthenticated Remote Code Execution

Title source: llm

Exploitation Summary

CVE-2021-44529 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added March 25, 2024), with confirmed use in ransomware campaigns. EIP tracks 4 public exploits, from researchers including d7x, jkana and jax7sec, among them the Metasploit module exploits/linux/http/ivanti_csa_unauth_rce_cve_2021_44529. A Nuclei detection template is also available.

Description

A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).

Exploits (4)

exploitdb WORKING POC
by d7x · text · remote · multiple
https://www.exploit-db.com/exploits/50833

This exploit leverages a remote code execution vulnerability in Ivanti Endpoint Manager 4.6 by injecting a base64-encoded command into a cookie parameter. The payload is executed server-side, and the output is retrieved via a specific HTML tag in the response.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Ivanti Endpoint Manager 4.6
No auth needed
Prerequisites: Network access to the target server · Vulnerable version of Ivanti Endpoint Manager
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 5 stars
by jkana · remote
https://github.com/jkana/CVE-2021-44529

This exploit leverages a command injection vulnerability in Ivanti Cloud Service Appliance (CSA) by encoding a malicious command in a base64 cookie, which is then executed on the target server. The response is parsed to extract the command output.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Ivanti Cloud Service Appliance (CSA) 4.6, 4.5 (EOF Aug 2021)
No auth needed
Prerequisites: Target URL must be accessible · Python 3 environment with 'requests' library
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by jax7sec · remote
https://github.com/jax7sec/CVE-2021-44529

This PoC exploits a code injection vulnerability in Ivanti EPM Cloud Services Appliance (CSA) by encoding a system command in base64 and passing it via a cookie, allowing unauthenticated arbitrary code execution with limited privileges (nobody). The script sends a crafted request and extracts the command output from the response.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Ivanti EPM Cloud Services Appliance (CSA)
No auth needed
Prerequisites: Network access to the target · Python environment with requests library
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Jakub Kramarz · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ivanti_csa_unauth_rce_cve_2021_44529.rb

This Metasploit module exploits a command injection vulnerability in Ivanti Cloud Services Appliance (CSA) before version 4.6.0-512. It leverages a cookie-based code injection to execute arbitrary commands as the 'nobody' user.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Cloud Services Appliance (CSA) before 4.6.0-512
No auth needed
Prerequisites: Network access to the target · Target running vulnerable version of Ivanti CSA
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Ivanti EPM Cloud Services Appliance Code Injection
CRITICAL · by duty_1g, phyr3wall, Tirtha
Shodan: title:"LANDesk(R) Cloud Services Appliance" || http.title:"landesk(r) cloud services appliance"
FOFA: title="landesk(r) cloud services appliance"

Scores

CVSS v3 9.8
EPSS 0.9446
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2024-03-25
VulnCheck KEV 2024-02-29
InTheWild.io 2024-03-25
ENISA EUVD EUVD-2021-31360
Ransomware Use Confirmed
CWE CWE-94
Status published
Products (2)
ivanti/endpoint_manager_cloud_services_appliance 4.6
ivanti/endpoint_manager_cloud_services_appliance < 4.5
Published Dec 08, 2021
KEV Added Mar 25, 2024
Tracked Since Feb 18, 2026