Ivanti has released security updates to address multiple security flaws impacting Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA) that could be exploited to achieve arbitrary code execution.
The list of vulnerabilities is below –
- CVE-2024-38657 (CVSS score: 9.1) – External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files
- CVE-2025-22467 (CVSS score: 9.9) – A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution
- CVE-2024-10644 (CVSS score: 9.1) – Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution
- CVE-2024-47908 (CVSS score: 9.1) – Operating system command injection in the admin web console of Ivanti CSA before version 5.0.5 allows a remote authenticated attacker with admin privileges to achieve remote code execution
The shortcomings have been addressed in the below versions –
- Ivanti Connect Secure 22.7R2.6
- Ivanti Policy Secure 22.7R1.3
- Ivanti CSA 5.0.5
The company said it’s not aware of any of the flaws being exploited in the wild. However, with Ivanti appliances being repeatedly weaponized by malicious actors, it’s imperative that users take steps to apply the latest patches.
Ivanti also acknowledged that its edge products have been “targeted and exploited by sophisticated threat actor attacks” and that it’s making efforts to improve its software, implement secure-by-design principles, and raise the bar for potential abuse by adversaries.
“While these products are not the ultimate target, they are increasingly the route that well-resourced nation state groups are focusing their effort on to attempt espionage campaigns against extremely high-value organizations,” Ivanti CSO Daniel Spicer said.
“We have enhanced internal scanning, manual exploitation and testing capabilities, increased collaboration and information sharing with the security ecosystem, and further enhanced our responsible disclosure process, including becoming a CVE Numbering Authority.”
The development comes as Bishop Fox released full technical details of a now-patched security flaw in SonicWall SonicOS (CVE-2024-53704) that could be exploited to bypass authentication in firewalls and allow attackers to hijack active SSL VPN sessions in order to gain unauthorized access.
As of February 7, 2025, nearly 4,500 internet-facing SonicWall SSL VPN servers remain unpatched against CVE-2024-53704.
In a similar move, Akamai has published its discovery of two vulnerabilities in Fortinet FortiOS (CVE-2024-46666 and CVE-2024-46668) that an unauthenticated attacker can exploit to achieve denial-of-service (DoS) and remote code execution. The flaws were resolved by Fortinet on January 14, 2025.
Fortinet has since also revised its advisory for CVE-2024-55591 to highlight another flaw tracked as CVE-2025-24472 (CVSS score: 8.1) that could result in an authentication bypass in FortiOS and FortiProxy devices via a specially crafted CSF proxy request.
The company credited watchTowr Labs researcher Sonny Macdonald for discovering and reporting the flaw. It’s worth noting that the vulnerability has already been patched alongside CVE-2024-55591, meaning no customer action is required if fixes for the latter have already been applied.
