CVE-2024-21893

HIGH KEV RANSOMWARE NUCLEI

Ivanti SAML - Server Side Request Forgery (SSRF)

Title source: nuclei

Exploitation Summary

CVE-2024-21893 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 31, 2024, with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including h4x0r-dz, Chocapikk, and sfewer-r7, among them a Metasploit module, exploits/linux/http/ivanti_connect_secure_rce_cve_2024_21893. A Nuclei detection template is also available.

Description

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

Exploits (3)

nomisec WORKING POC 95 stars
by h4x0r-dz · infoleak
https://github.com/h4x0r-dz/CVE-2024-21893.py

This repository contains a functional exploit for CVE-2024-21893, an SSRF vulnerability in Ivanti Connect Secure and Ivanti Policy Secure. The exploit crafts a malicious SOAP request with a manipulated SAML signature to trigger an external request to an attacker-controlled server, demonstrating the vulnerability.

Classification: Working PoC 95%
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), Ivanti Neurons for ZTA
No auth needed
Prerequisites: Network access to the target Ivanti appliance · Attacker-controlled server to receive the SSRF callback
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 26 stars
by Chocapikk · remote
https://github.com/Chocapikk/CVE-2024-21893-to-CVE-2024-21887

This repository contains a functional exploit for CVE-2024-21893 (SSRF) and CVE-2024-21887 (RCE) in Ivanti Connect Secure appliances. The exploit uses a crafted SOAP request to trigger SSRF and command injection, leading to unauthenticated remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Connect Secure
No auth needed
Prerequisites: Python 3 · requests · pwncat · rich
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by sfewer-r7 · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2024_21893.rb

This Metasploit module chains CVE-2024-21893 (SSRF) and CVE-2024-21887 (command injection) to achieve unauthenticated RCE on Ivanti Connect Secure/Policy Secure. It exploits an SSRF in the xmltooling library to trigger a command injection in a Python backend service.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Connect Secure, Ivanti Policy Secure (versions 9.x, 22.x prior to Feb 1, 2024 patch)
No auth needed
Prerequisites: Network access to target · Target running vulnerable Ivanti Connect Secure/Policy Secure
devstral-2 · analyzed Apr 22, 2026

Nuclei Templates (1)

Ivanti SAML - Server Side Request Forgery (SSRF)
HIGH · by DhiyaneshDk
Shodan: html:"welcome.cgi?p=logo" || http.title:"ivanti connect secure" || http.html:"welcome.cgi?p=logo"
FOFA: body="welcome.cgi?p=logo" || title="ivanti connect secure"

Scores

CVSS v3 8.2
EPSS 0.9432
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV 2024-01-31
VulnCheck KEV 2024-01-15
InTheWild.io 2024-01-31
ENISA EUVD EUVD-2024-19504
Ransomware Use Confirmed
CWE CWE-918
Status published
Products (5)
ivanti/connect_secure 9.0 (13 CPE variants)
ivanti/connect_secure 9.1 r1 (34 CPE variants)
ivanti/connect_secure 21.9 r1
ivanti/connect_secure 21.12 r1
ivanti/connect_secure 22.1 r1
Published Jan 31, 2024
KEV Added Jan 31, 2024
Tracked Since Feb 18, 2026