Ivanti Connect Secure RCE: Internal Network Vulnerability Detection
- [01] Attackers are exploiting Ivanti gateways to bypass authentication and execute remote commands across corporate environments.
- [02] Impacted systems include Ivanti Connect Secure and Policy Secure versions vulnerable to authentication bypass and command injection flaws.
- [03] Defenders must run the Ivanti Integrity Checker tool and apply the recommended XML mitigation or latest security patches immediately.
The vulnerabilities affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways have redefined the threat landscape for edge appliances. While initial response efforts focused on internet-facing interfaces, recent analysis from SANS ISC highlights a critical gap: internal network exposure. Attackers who have already established a foothold within a network may move laterally to the internal management interfaces of these gateways, potentially leading to a broader supply chain attack or domain compromise.
The vulnerability chain consists of CVE-2023-46805, an authentication bypass flaw, and CVE-2024-21887, a high-severity command injection vulnerability. When exploited together, these flaws allow an unauthenticated attacker to achieve remote code execution (RCE) with high privileges. This Ivanti Connect Secure RCE mitigation guide emphasizes that simply patching the external interface is insufficient if the appliance remains reachable and unpatched on the internal side.
Internal Network Vulnerability Scanning for Ivanti
To identify vulnerable instances that may not be recorded in centralized asset inventories, security teams should perform active discovery across all internal subnets. The SOC should use automated tools to probe for the web paths that are unique to Ivanti appliances. According to technical research, a simple curl request to the /dana-na/ directory can reveal the presence of a gateway even when it is not explicitly labeled in DNS.
However, discovery is only the first step. To check whether an appliance is exposed to CVE-2023-46805, analysts should test whether the REST API endpoints are reachable without authentication. Specifically, the endpoint /api/v1/configuration/users/user-roles should not be accessible without valid credentials. If a request to this URI returns a 200 OK status and a JSON payload instead of a redirect to the login page, the appliance is likely vulnerable to the authentication bypass and requires immediate intervention.
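As an added example (not code from SANS ISC, Ivanti or this article), the following Python runs the two checks just described against one internal host: discovery on /dana-na/, then an unauthenticated request to the user-roles endpoint classified by the 200-plus-JSON rule given above. The dana-na presence heuristic, the http_fetch helper and the 192.0.2.x addresses in its test are assumptions.

```python
import json
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass

PRESENCE_PATH = "/dana-na/"                              # discovery path named in the article
CHECK_PATH = "/api/v1/configuration/users/user-roles"   # must not answer without credentials

@dataclass
class Response:
    status: int
    headers: dict  # header names lower-cased
    body: bytes

def http_fetch(url: str, timeout: float = 5.0) -> Response:
    """Unauthenticated GET without following redirects; assumed helper, not Ivanti tooling."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *a, **k): return None  # surface the 3xx instead of following
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # appliances often self-sign
    opener = urllib.request.build_opener(NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(url, timeout=timeout) as r:
            return Response(r.status, {k.lower(): v for k, v in r.headers.items()}, r.read())
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here once redirects are disabled
        return Response(e.code, {k.lower(): v for k, v in e.headers.items()}, e.read())

def looks_like_ivanti(resp: Response) -> bool:
    """Presence heuristic (assumption): any non-404 answer that refers to dana-na."""
    loc = resp.headers.get("location", "")
    return resp.status != 404 and ("dana-na" in loc or b"dana-na" in resp.body)

def classify_user_roles(resp: Response) -> str:
    """Article's rule: 200 plus a JSON body with no credentials => likely vulnerable."""
    if resp.status == 200 and "json" in resp.headers.get("content-type", "").lower():
        try:
            json.loads(resp.body.decode("utf-8", "replace"))
            return "likely-vulnerable"
        except ValueError:
            return "inconclusive"  # claims JSON but is not; needs a human look
    if resp.status in (301, 302, 303, 307, 308, 401, 403):
        return "auth-enforced"     # redirect to login or explicit deny is the expected behaviour
    return "inconclusive"          # e.g. 200 HTML login page, 5xx

def probe_gateway(base_url: str, fetch=http_fetch) -> dict:
    """Discovery followed by the auth check for one host; returns a finding record."""
    present = looks_like_ivanti(fetch(base_url.rstrip("/") + PRESENCE_PATH))
    verdict = classify_user_roles(fetch(base_url.rstrip("/") + CHECK_PATH)) if present else "not-ivanti"
    return {"host": base_url.rstrip("/"), "ivanti": present, "verdict": verdict}
```

Call probe_gateway("https://<internal-ip>") for each host found by subnet discovery; a "likely-vulnerable" verdict means the endpoint answered with JSON and no credentials, so treat that appliance as exposed and apply the mitigation or patch before anything else.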
Analyzing the Exploit Chain and IoC Signals
The command injection flaw, CVE-2024-21887, is particularly dangerous because it permits the execution of arbitrary system commands via the management API. Analysts monitoring SIEM logs should prioritize any outbound connection attempts originating from the Ivanti appliance to unknown external C2 infrastructure. These connections often indicate that the appliance has been compromised and is attempting to fetch second-stage malware or beacon to an attacker-controlled server.
Common IoC patterns observed in the field include the modification of legitimate Python scripts on the appliance to maintain persistence. Since these devices often lack traditional EDR coverage, defenders must rely on the Ivanti Integrity Checker Tool (ICT). This tool compares the current file system against a known-good baseline to detect unauthorized changes, which is a vital component of a Zero Trust security architecture.
Mitigation and Remediation Strategy
The CVSS scores for these vulnerabilities reflect their critical nature, as they allow for full system takeover without user interaction. Organizations must prioritize the following actions:
- Deploy the latest Ivanti firmware updates which resolve the underlying vulnerabilities.
- If patching is not immediately feasible, apply the Ivanti-provided XML mitigation file to disable the affected API functionality temporarily.
- Restrict internal access to the management interface using granular firewall rules or a Zero Trust Network Access (ZTNA) solution.
By mapping these steps to a MITRE ATT&CK-based response plan, organizations can significantly reduce the risk of secondary exploitation and ensure that lateral movement within the data center is contained.