This module chains three vulnerabilities to deploy an agent. The first is used to obtain the exact version of Ivanti Connect Secure installed on the target. The second, a flaw in the SAML component, lets an attacker reach certain restricted resources without authentication. The third enables remote code execution with elevated privileges in the management component, which is what allows the agent to be injected and executed.

In detail, the first vulnerability is a missing authentication check at '/api/v1/totp/user-backup-code', which allows unauthenticated access and route traversal; through it, the application version can be read from '/system/system-information'. The second vulnerability is an SSRF in the xmltooling library, reached through '/dana-ws/saml20.ws', the endpoint that handles SOAP-based SAML requests and does not require authentication. Anyone can therefore send requests to this endpoint, and the SSRF lets those requests be turned into HTTP requests issued from the compromised server to internal resources. Finally, a request sent through the SSRF-exploited endpoint triggers the third vulnerability, giving access to the system and the ability to execute remote commands. The deployed agent runs with ROOT privileges.
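Detection logic for the chain described above, as an added example that is not part of the original module or of any vendor code: it parses constructed combined-format web access-log lines, flags dot-segment traversal under the unauthenticated TOTP backup-code path, and raises the severity when the same client then posts to the SAML SOAP endpoint within a short window. The log format, field names and sample addresses are assumptions.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (Apache combined style); not real appliance logs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2024:12:00:01 +0000] "GET /api/v1/totp/user-backup-code/../../system/system-information HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.2 - - [10/Feb/2024:12:00:05 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2024:12:00:09 +0000] "POST /dana-ws/saml20.ws HTTP/1.1" 200 128 "-" "curl/8.4.0"
198.51.100.9 - - [10/Feb/2024:12:01:00 +0000] "POST /dana-ws/saml20.ws HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

# Assumed combined-log layout: client, ident, user, [timestamp], "METHOD PATH PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

TRAVERSAL_PREFIX = "/api/v1/totp/user-backup-code/"   # unauthenticated route named in the text
SAML_ENDPOINT = "/dana-ws/saml20.ws"                  # unauthenticated SOAP/SAML endpoint


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def has_traversal(path):
    """True when a request under the TOTP backup-code path carries dot-segments (plain or URL-encoded)."""
    if not path.startswith(TRAVERSAL_PREFIX):
        return False
    return any(seg in ("..", "%2e%2e") for seg in path.lower().split("/"))


def detect_chain(log_text, window_seconds=300):
    """Return (client_ip, severity, reason) findings; SAML posts alone are legitimate traffic,
    so they are only reported when they follow a traversal hit from the same client."""
    findings = []
    last_traversal = {}   # client ip -> timestamp of its most recent traversal request
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        if has_traversal(path):
            last_traversal[ip] = ts
            findings.append((ip, "high", f"path traversal via {TRAVERSAL_PREFIX}: {path}"))
        elif path == SAML_ENDPOINT and rec["method"] == "POST":
            seen = last_traversal.get(ip)
            if seen is not None and (ts - seen).total_seconds() <= window_seconds:
                findings.append((ip, "critical", "SAML SOAP request shortly after traversal from same client"))
    return findings
```

Running `detect_chain(SAMPLE_LOG)` on the constructed lines yields one "high" and one "critical" finding, both for 203.0.113.7; the unrelated SAML post from 198.51.100.9 is not reported.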