Blog

Ivanti fixes three critical flaws in Connect Secure & Policy Secure

3 hours ago
2 minutes read

Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems.

The company learned about the flaws through its responsible disclosure program from security researchers at CISA and Akamai, and through the HackerOne bug bounty platform.

Ivanti notes in the security bulletin that it received no reports about any of the issues being actively exploited in the wild. However, it it recommends that users install the security updates as soon as possible.

The three critical security vulnerabilities Ivanti patched are the following:

  • CVE-2025-22467: Stack-based buffer overflow in ICS allows remote authenticated attackers with low privileges to execute code. (critical severity score of 9.9)

  • CVE-2024-38657: External control of a filename enables remote authenticated attackers to perform arbitrary file writing in ICS and IPS. (critical severity score of 9.1)

  • CVE-2024-10644: Code injection vulnerability enables remote authenticated attackers remote code execution in ICS and IPS. (critical severity score of 9.1)

Exploiting any of the three issues is possible from a remote location but an attacker needs to be authenticated. Furthermore, for two of them admin privileges are necessary to achieve remote code execution or to write arbitrary files.

Despite this, the risk is still considerable as insider threats or attackers who have stolen credentials via phishing, previous breaches, or via brute forcing passwords, can still leverage the flaws for malicious operations.

There are also five more flaws included in the bulletin, ranging from medium to high severity. Issues include cross-site scripting (XSS) issues, hardcoded keys, cleartext storage of sensitive data, and insufficient permissions.

The vulnerabilities impact ICS 22.7R2.5 and older, IPS 22.7R1.2 and older, and ISAC 22.7R4 and below. Details about which products are impacted by each flaw can be seen in the table below.

Table

The issues were addressed in ICS version 22.7R2.6, IPS version 22.7R1.3, and ISAC 22.8R1, which are the recommended upgrade targets for system administrators.

Ivanti has also acknowledged that the issue also impacts Pulse Connect Secure 9.x, but stated it does not plan to offer fixes for these products as their support period has ended,

“The Pulse Connect Secure 9.x version of the product reached End of Engineering June 2024 and has reached End-of-Support as of December 31, 2024,” Ivanti explains.

“Because of this, the 9.x version of Connect Secure no longer receives backported fixes,” the company added, encouraging customers to upgrade to version 22.7 of Ivanti Connect Secure.

Ivanti has not provided any mitigations for the patched flaws and applying the latest update is the recommended solution.


Source link

Tags
3 hours ago
2 minutes read

Related Articles

The Best Shoes to Wear When You’re Lifting Weights

19 minutes ago

How to set up Mobile Hotspot to share your internet on Windows 11

35 minutes ago

4 Best Dishwashing Sponges – Consumer Reports

42 minutes ago

This Rock Has an SSD in It

43 minutes ago

Want to Use ChatGPT Like a Pro? These Courses Can Help

1 hour ago

Adobe Firefly Video is here to take on Sora with new AI video generator

1 hour ago

Google will use machine learning to estimate a user’s age

3 hours ago

8Base ransomware members snared in global police crackdown

3 hours ago

Boxing Fitness Simulator Codes (February 2025)

4 hours ago

Georgia school district issues data breach notification after ransomware claim – SSNs & account numbers leaked

4 hours ago
Back to top button
close