Mirai botnet also spreads through the exploitation of Ivanti Connect Secure bugs

Pierluigi Paganini May 09, 2024

Threat actors exploit recently disclosed Ivanti Connect Secure (ICS) vulnerabilities to deploy the Mirai botnet.

Researchers from Juniper Threat Labs reported that threat actors are exploiting recently disclosed Ivanti Connect Secure (ICS) vulnerabilities CVE-2023-46805 and CVE-2024-21887 to drop the payload of the Mirai botnet.

In early January, the software firm reported that threat actors are exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.

The flaw CVE-2023-46805 (CVSS score 8.2) is an Authentication Bypass issue that resides in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. A remote attacker can trigger the vulnerability to access restricted resources by bypassing control checks.

The second flaw, tracked as CVE-2024-21887 (CVSS score 9.1) is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. An authenticated administrator can exploit the issue by sending specially crafted requests and execute arbitrary commands on the appliance.

An attacker can chain the two flaws to send specially crafted requests to unpatched systems and execute arbitrary commands. 

“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.” reads the advisory published by Ivanti.

The Juniper Threat Labs researchers observed threat actors exploiting the CVE-2023-46805 vulnerability to gain access to the end point “/api/v1/license/key-status/;” Then the attackers exploited the command injection issue to inject their payload.

Below is the request employed in the attacks observed by the experts:,

GET /api/v1/totp/user-backup-code/../../license/keys-status/{Any Command}

“Others have observed instances in the wild where attackers have exploited this vulnerability using both curl and Python-based reverse shells, enabling them to take control of vulnerable systems. More recently, we have encountered Mirai payloads delivered through shell scripts.” reads the analysis published by the experts.

One of the requests observed by the researchers includes an encoded URL that, when decoded, reveals a command sequence attempting to wipe files, download a script from a remote server, set executable permissions, and execute the script.

Then script navigates through system directories, downloads a file from a specific URL, grants permission to execute it, and runs it with a specific argument. The researchers analyzed the payloads and identified them as Mirai bots.

“The increasing attempts to exploit Ivanti Pulse Secure’s authentication bypass and remote code execution vulnerabilities are a significant threat to network security. The discovery of Mirai botnet delivery through these exploits highlights the ever-evolving landscape of cyber threats. The fact that Mirai was delivered through this vulnerability will also mean the deployment of other harmful malware and ransomware is to be expected. Understanding how these vulnerabilities can be exploited and recognizing the specific threats they pose is crucial for protecting against potential risks.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mirai botnet)

you might also like

leave a comment