Orange Cyberdefense
Ivanti Connect Secure Backdoor Analysis Report
Pages
12
Time to read
11 mins
Publication
Language
English
This document is a CERT report detailing the discovery and analysis of a backdoor injected into Ivanti appliances through a Server-Side Request Forgery (SSRF) vulnerability, CVE-2024-21893. The report outlines the method of exploitation: attackers reach the backdoor through an API key mechanism and use it to execute commands with high privileges. It provides a timeline of events, from the initial detection of the vulnerability on January 31, 2024, to the identification of compromised assets on February 3, 2024, and describes the technical details of the backdoor's functionality, including the commands attackers executed to confirm root access. It also discusses the ongoing monitoring and investigation efforts by Orange Cyberdefense in response to these vulnerabilities, and emphasizes the importance of applying the recommended mitigations and patches to protect against such exploits.