Published: January 16, 2024


There are two vulnerabilities discovered in Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, and Ivanti Policy Secure gateways. They are identified as CVE-2023-46805 (CVSS 8.2 – High) and CVE-2024-21887 (CVSS 9.1 – Critical).


These vulnerabilities allow hackers to bypass control checks, gaining access to restricted resources and sending commands to a device, respectively. These exploits could result in data theft, file tampering, and other malicious activities.

Applicable Versions

Affected VersionUpdated Version
Version 9.x and 22.x  Update to latest patches.

Mitigations and Workarounds

Ensure that the application version is not End of Life (EOL). Pulse Secure will apply fixes for product security vulnerabilities to all software releases that have not surpassed the End of Engineering (EOE) or End of Life (EOL) milestones. 

Best Practices

It is recommended to verify if the application version has support from Ivanti. If not, upgrade the version to a supported one and then apply the available fixes.

Netsurion Detection and Response

Netsurion researchers are continuously monitoring the exploits of these vulnerabilities. Netsurion’s vulnerability management system will detect the vulnerabilities CVE-2023-46805 and CVE-2024-21887 for customers who have subscribed to Netsurion Vulnerability Management.