Vulnerability Watch

scaveza
Product Team
2 years ago

CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways

On January 31, Ivanti disclosed two new CVEs in its Connect Secure (formerly Pulse Connect Secure) and Policy Secure products:

  • CVE-2024-21888 - Ivanti Connect Secure and Ivanti Policy Secure Privilege Escalation Vulnerability
  • CVE-2024-21893 - Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA Server-Side Request Forgery (SSRF) Vulnerability

These vulnerabilities were discovered as part of their investigation of CVE-2023-46805 and CVE-2024-21887 as discussed in our previous blog post.

According to Ivanti, zero-day exploitation of three of these four flaws has been observed in the wild. At this time, Ivanti has released patches to address all four of these vulnerabilities, and additional patches are expected to be released in the future.

For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.
