Ivanti, the well-known provider of IT asset and service management solutions, has issued critical security updates for its products Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC).
These updates address multiple vulnerabilities, including medium, high, and critical severity issues, which, if exploited, could lead to denial of service (DoS), privilege escalation, and even remote code execution (RCE).
The company urges users to apply the patches immediately, though it reassures that there are currently no known cases of active exploitation of these vulnerabilities in the wild.
Summary of Vulnerabilities
Ivanti has identified and patched a wide range of vulnerabilities affecting its products, including stack-based buffer overflows, use-after-free bugs, command injections, and incorrect file permissions.
Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)
Some of the most severe vulnerabilities could allow attackers to gain administrative privileges or execute arbitrary code on affected systems.
Below is a detailed list of the vulnerabilities, along with their CVE numbers, descriptions, CVSS scores, and the affected products.
CVE Number | Description | CVSS Score (Severity) | Impacted Product(s) |
CVE-2024-38655 | Argument injection allowing a remote authenticated attacker with admin privileges to achieve remote code execution. | 9.1 (Critical) | Connect Secure & Policy Secure |
CVE-2024-38656 | Argument injection allowing a remote authenticated attacker with admin privileges to achieve RCE in older versions. | 9.1 (Critical) | Connect Secure & Policy Secure |
CVE-2024-39710 | Argument injection enabling RCE by remote authenticated admin attackers. | 9.1 (Critical) | Connect Secure & Policy Secure |
CVE-2024-11007 | Command injection allowing a remote authenticated attacker with admin privileges to execute arbitrary commands on the system. | 9.1 (Critical) | Connect Secure & Policy Secure |
CVE-2024-11006 | Command injection allowing RCE via remote admin attackers in vulnerable versions. | 9.1 (Critical) | Connect Secure & Policy Secure |
CVE-2024-11005 | Command injection allowing RCE by remote admin attackers. | 9.1 (Critical) | Connect Secure & Policy Secure |
Affected Versions and Patch Availability
Ivanti has released patches to address all identified vulnerabilities. The following table outlines the affected versions and the corresponding resolved versions:
Product Name | Affected Version(s) | Resolved Version(s) | Patch Availability |
Ivanti Connect Secure (ICS) | 22.7R2.2 and prior | 22.7R2.3 | Ivanti Portal |
Ivanti Policy Secure (IPS) | 22.7R1.1 and prior | 22.7R1.2 | Ivanti Portal |
Ivanti Secure Access Client (ISAC) | 22.7R3 and prior | 22.7R4 | Ivanti Portal |
Ivanti recommends that users of the affected products immediately update their systems to the latest patched versions to mitigate the risk of exploitation.
Ivanti customers can download the patches from the Ivanti support portal. Given the critical nature of some of these vulnerabilities, particularly the risk of remote code execution, administrators need to prioritize these updates and ensure their environments are secured.
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!