Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
Summary
| CVE | CVE-2023-46805 |
|---|---|
| State | RESERVED |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2024-01-10 00:00:00 UTC |
| Updated | 2023-10-27 02:09:44 UTC |
| Description | Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability. |
Risk And Classification
EPSS: 0.944130000 probability, percentile 0.999780000 (date 2026-04-21)
CISA KEV: Listed on 2024-01-10; due 2024-01-22; ransomware use: Known
CISA Known Exploited Vulnerability
| Vendor | Ivanti |
|---|---|
| Product | Connect Secure and Policy Secure |
| Name | Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability |
| Required Action | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. |
| Notes | Please apply mitigations per vendor instructions. For more information, please see: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US ; https://nvd.nist.gov/vuln/detail/CVE-2023-46805 |
There are no known software configurations currently associated with this CVE in NVD or the CVE Program record.
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.