Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-46805 PoC — Ivanti ICS 授权问题漏洞

Source
https://github.com/yoryio/CVE-2023-46805
Associated Vulnerability
Title:Ivanti ICS 授权问题漏洞 (CVE-2023-46805)
Description:An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
Description
CVE-2023-46805 scanner for possible vulnerable Ivanti Connect Secure appliances by country using Shodan.
Readme
# CVE-2023-46805 Scanner

CVE-2023-46805 Scanner for *possible* vulnerable Ivanti Connect Secure appliances by country using Shodan. 

Script version: 1.3

Updated with the recent blog post made by [Assetnote](https://www.assetnote.io/resources/research/high-signal-detection-and-exploitation-of-ivantis-pulse-connect-secure-auth-bypass-rce)

⚠️ This script is for defensive purposes and should be used by cybersecurity professionals to identify possible vulnerable ICS appliances and make contact as soon as possible with the affected organizations.

If one of the IPs appeared as a *Vulnerable ICS Appliance* please apply the mitigations developed by [Ivanti](https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US) also, it's important to check the integrity of your files with the tool [Integrity Checker Tool](https://forums.ivanti.com/s/article/KB44755?language=en_US)


# Help

To use the script, you should have installed the Shodan Python library:

```
pip install shodan
```

```
usage: CVE-2023-46805 Scanner [-h] -c COUNTRY

Quick scanner for possible vulnerable Ivanti Connect Secure appliances by country using Shodan.

options:
  -h, --help            show this help message and exit
  -c COUNTRY, --country COUNTRY
                        Country code (like CL, US, CA, BR)

Please make sure that you are using a valid Shodan API Key
```
(It's possible to add more than one country to the scan followed by a `,` without spaces)

Example: `python ivanti.py -c US,BR,ES`


# Shodan

Shodan Query: `http.favicon.hash:-1439222863 country:country_code`

# Vulnerability Intelligence

Please refer to the following CVEs for more information:

### [CVE-2023-46805](https://nvd.nist.gov/vuln/detail/CVE-2023-46805)
- CVSS: **8.2**
- Impact: **Authentication Bypass**
- Description: *Allows a remote attacker to access restricted resources by bypassing control checks.*

### [CVE-2024-21887](https://nvd.nist.gov/vuln/detail/CVE-2024-21887)
- CVSS: **9.1**
- Impact: **Command Injection**
- Description: *Allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.*

Based on the blog post by watchTowr Labs!:

[Welcome To 2024, The SSLVPN Chaos Continues - Ivanti CVE-2023-46805 & CVE-2024-21887](https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/)

At the moment, the vulnerabilites are being exploited massively:

[Volexity - Ivanti Connect Secure VPN Exploitation Goes Global](https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/)

By: yoryio
File Snapshot

 [4.0K]  /data/pocs/a0b0ab78119dbc7e49f0b88471de02761cb07ae2
├── [2.9K]  CVE-2023-46805.py
└── [2.7K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →