Ivanti

Products by Ivanti Sorted by Most Security Vulnerabilities since 2018

Ivanti Connect Secure: 103 vulnerabilities

Ivanti Avalanche: 100 vulnerabilities

Ivanti Endpoint Manager: 71 vulnerabilities

Ivanti Policy Secure: 46 vulnerabilities

Ivanti Workspace Control: 19 vulnerabilities

Ivanti Secure Access Client: 15 vulnerabilities

Ivanti Endpoint Manager Mobile: 15 vulnerabilities

Ivanti Neurons For Itsm: 3 vulnerabilities

Ivanti Automation: 2 vulnerabilities

Ivanti Mobileiron Sentry: 1 vulnerability

Ivanti Docswork: 1 vulnerability

Ivanti Security Controls: 1 vulnerability

Ivanti Standalone Sentry: 1 vulnerability

Ivanti Zero Trust Access: 1 vulnerability

Known Exploited Ivanti Vulnerabilities

The following Ivanti vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.

| Title | Description | CVE | Exploit Probability | Added |
|---|---|---|---|---|
| Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability | Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted API requests. This vulnerability results from an insecure implementation of the Spring Framework open-source library. | CVE-2025-4427 | 81.0% | May 19, 2025 |
| Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability | Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. This vulnerability results from an insecure implementation of the Hibernate Validator open-source library. | CVE-2025-4428 | 21.1% | May 19, 2025 |
| Ivanti Connect Secure, Policy Secure and ZTA Gateways Stack-Based Buffer Overflow Vulnerability | Ivanti Connect Secure, Policy Secure and ZTA Gateways contain a stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code execution. | CVE-2025-22457 | 26.5% | April 4, 2025 |
| Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability | Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information. | CVE-2024-13159 | 94.1% | March 10, 2025 |
| Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability | Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information. | CVE-2024-13160 | 93.5% | March 10, 2025 |
| Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability | Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information. | CVE-2024-13161 | 92.1% | March 10, 2025 |
| Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability | Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution. | CVE-2025-0282 | 93.2% | January 8, 2025 |
| Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability | Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to run arbitrary SQL statements. | CVE-2024-9379 | 83.8% | October 9, 2024 |
| Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability | Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS. | CVE-2024-9380 | 83.0% | October 9, 2024 |
| Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability | Ivanti Endpoint Manager (EPM) contains a SQL injection vulnerability in Core server that allows an unauthenticated attacker within the same network to execute arbitrary code. | CVE-2024-29824 | 94.3% | October 2, 2024 |
| Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability | Ivanti Virtual Traffic Manager contains an authentication bypass vulnerability that allows a remote, unauthenticated attacker to create a chosen administrator account. | CVE-2024-7593 | 94.4% | September 24, 2024 |
| Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability | Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conjunction with CVE-2024-8190, an attacker could bypass admin authentication and execute arbitrary commands on the appliance. | CVE-2024-8963 | 94.3% | September 19, 2024 |
| Ivanti Cloud Services Appliance OS Command Injection Vulnerability | Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS. | CVE-2024-8190 | 91.3% | September 13, 2024 |
| Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability | Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) contains a code injection vulnerability that allows an unauthenticated user to execute malicious code with limited permissions (nobody). | CVE-2021-44529 | 94.5% | March 25, 2024 |
| Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability | Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication. | CVE-2024-21893 | 94.3% | January 31, 2024 |
| Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability | Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core contain an authentication bypass vulnerability that allows unauthorized users to access restricted functionality or resources of the application. | CVE-2023-35082 | 94.5% | January 18, 2024 |
| Ivanti Connect Secure and Policy Secure Command Injection Vulnerability | Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authentication bypass issue. | CVE-2024-21887 | 94.4% | January 10, 2024 |
| Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability | Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability. | CVE-2023-46805 | 94.4% | January 10, 2024 |
| Ivanti Sentry Authentication Bypass Vulnerability | Ivanti Sentry, formerly known as MobileIron Sentry, contains an authentication bypass vulnerability which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration. | CVE-2023-38035 | 94.4% | August 22, 2023 |
| Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability | Ivanti Endpoint Manager Mobile (EPMM) contains a path traversal vulnerability that enables an authenticated administrator to perform malicious file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACL restrictions (if applicable). | CVE-2023-35081 | 93.2% | July 31, 2023 |

Of the known exploited vulnerabilities above, 18 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 2 known exploited Ivanti vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

Top 10 Riskiest Ivanti Vulnerabilities

These Ivanti vulnerabilities are on CISA's Known Exploited Vulnerabilities (KEV) list and are ranked here by their current EPSS exploit probability.

| Rank | CVE | EPSS | Vulnerability |
|---|---|---|---|
| 1 | CVE-2023-35078 | 94.5% | Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability |
| 2 | CVE-2023-35082 | 94.5% | Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability |
| 3 | CVE-2021-44529 | 94.5% | Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability |
| 4 | CVE-2023-38035 | 94.4% | Ivanti Sentry Authentication Bypass Vulnerability |
| 5 | CVE-2024-21887 | 94.4% | Ivanti Connect Secure and Policy Secure Command Injection Vulnerability |
| 6 | CVE-2024-7593 | 94.4% | Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability |
| 7 | CVE-2023-46805 | 94.4% | Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability |
| 8 | CVE-2020-15505 | 94.4% | MobileIron Core, Connector, Sentry, and RDM Remote Code Execution Vulnerability |
| 9 | CVE-2024-21893 | 94.3% | Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability |
| 10 | CVE-2024-29824 | 94.3% | Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability |

By the Year

In 2025 there have been 24 vulnerabilities in Ivanti with an average score of 7.5 out of ten. Last year, in 2024, Ivanti had 162 security vulnerabilities published. Right now, Ivanti is on track to have fewer security vulnerabilities in 2025 than it did last year. Last year, the average CVE base score was greater by 0.33.

| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 24 | 7.45 |
| 2024 | 162 | 7.78 |
| 2023 | 60 | 8.63 |
| 2022 | 14 | 7.11 |
| 2021 | 27 | 8.20 |
| 2020 | 27 | 6.77 |
| 2019 | 28 | 7.66 |
| 2018 | 9 | 7.40 |

It may take a day or so for new Ivanti vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Ivanti Security Vulnerabilities

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior

CVE-2025-4427 7.5 - High - May 13, 2025

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.

Authentication Bypass Using an Alternate Path or Channel

Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms

CVE-2025-4428 8.8 - High - May 13, 2025

Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests.

Code Injection

DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7

CVE-2025-22458 7.8 - High - April 08, 2025

DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an authenticated attacker to escalate to System.

DLL preloading

Improper certificate validation in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7

CVE-2025-22459 4.8 - Medium - April 08, 2025

Improper certificate validation in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to intercept limited traffic between clients and servers.

Improper Certificate Validation

SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7

CVE-2025-22461 7.2 - High - April 08, 2025

SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution.

SQL Injection

An untrusted pointer dereference vulnerability in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7

CVE-2025-22464 6.1 - Medium - April 08, 2025

An untrusted pointer dereference vulnerability in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an attacker with local access to write arbitrary data into memory causing a denial-of-service condition.

Untrusted Pointer Dereference

Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7

CVE-2025-22465 6.1 - Medium - April 08, 2025

Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary JavaScript in a victim's browser. Unlikely user interaction is required.

XSS

Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7

CVE-2025-22466 9.6 - Critical - April 08, 2025

Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.

XSS

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2

CVE-2025-22457 9.8 - Critical - April 03, 2025

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.

Memory Corruption

Insufficient permissions in Ivanti Secure Access Client before version 22.8R1

CVE-2024-13813 7.1 - High - February 11, 2025

Insufficient permissions in Ivanti Secure Access Client before version 22.8R1 allows a local authenticated attacker to delete arbitrary files.

Incorrect Permission Assignment for Critical Resource

A hardcoded key in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.3

CVE-2024-13842 4.4 - Medium - February 11, 2025

A hardcoded key in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.3 allows a local authenticated attacker with admin privileges to read sensitive data.

Use of Hard-coded Cryptographic Key

Cleartext storage of information in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3

CVE-2024-13843 4.4 - Medium - February 11, 2025

Cleartext storage of information in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a local authenticated attacker with admin privileges to read sensitive data.

Cleartext Storage of Sensitive Information

OS command injection in the admin web console of Ivanti CSA before version 5.0.5

CVE-2024-47908 7.2 - High - February 11, 2025

OS command injection in the admin web console of Ivanti CSA before version 5.0.5 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Shell injection

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6

CVE-2025-22467 8.8 - High - February 11, 2025

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution.

Stack Overflow

Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3

CVE-2024-13830 6.1 - Medium - February 11, 2025

Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.

XSS

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update

CVE-2024-13159 7.5 - High - January 14, 2025

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Absolute Path Traversal

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update

CVE-2024-13160 7.5 - High - January 14, 2025

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Absolute Path Traversal

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update

CVE-2024-13161 7.5 - High - January 14, 2025

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Absolute Path Traversal

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update

CVE-2024-10811 7.5 - High - January 14, 2025

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Directory traversal

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication

CVE-2024-13181 9.8 - Critical - January 14, 2025

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This CVE addresses incomplete fixes from CVE-2024-47010.

Directory traversal

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information

CVE-2024-13180 7.5 - High - January 14, 2025

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011.

Directory traversal

Path Traversal in Ivanti Avalanche before version 6.4.7

CVE-2024-13179 9.8 - Critical - January 14, 2025

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication.

Directory traversal

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3

CVE-2025-0283 7 - High - January 08, 2025

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.

Memory Corruption

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3

CVE-2025-0282 9 - Critical - January 08, 2025

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.

Memory Corruption

Ivanti Workspace Control: Local Privilege Escalation via Insecure Permissions

CVE-2024-8496 7.8 - High - December 11, 2024

Under specific circumstances, insecure permissions in Ivanti Workspace Control before version 10.18.40.0 allow a local authenticated attacker to achieve local privilege escalation.

Incorrect Default Permissions

Ivanti Automation Local Privilege Escalation via Insecure Permissions

CVE-2024-9845 7.8 - High - December 11, 2024

Under specific circumstances, insecure permissions in Ivanti Automation before version 2024.4.0.1 allow a local authenticated attacker to achieve local privilege escalation.

Incorrect Default Permissions

Ivanti Security Controls Local Privilege Escalation via Insecure Permissions

CVE-2024-10251 7.8 - High - December 11, 2024

Under specific circumstances, insecure permissions in Ivanti Security Controls before version 2024.4.1 allow a local authenticated attacker to achieve local privilege escalation.

Incorrect Default Permissions

Ivanti Performance Manager Local Privilege Escalation via Insecure Permissions

CVE-2024-11597 7.8 - High - December 11, 2024

Under specific circumstances, insecure permissions in Ivanti Performance Manager before version 2024.3 HF1, 2024.1 HF1, or 2023.3 HF1 allow a local authenticated attacker to achieve local privilege escalation.

Incorrect Default Permissions

Ivanti Application Control: Local Privilege Escalation via Insecure Permissions

CVE-2024-11598 7.8 - High - December 11, 2024

Under specific circumstances, insecure permissions in Ivanti Application Control before version 2024.3 HF1, 2024.1 HF2, or 2023.3 HF3 allow a local authenticated attacker to achieve local privilege escalation.

Incorrect Default Permissions

Insufficient server-side controls in Secure Application Manager of Ivanti Connect Secure before version 22.7R2.4

CVE-2024-9844 8.8 - High - December 10, 2024

Insufficient server-side controls in Secure Application Manager of Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker to bypass restrictions.

SQL injection in the admin web console of Ivanti CSA before version 5.0.3

CVE-2024-11773 7.2 - High - December 10, 2024

SQL injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

SQL Injection

Command injection in the admin web console of Ivanti CSA before version 5.0.3

CVE-2024-11772 7.2 - High - December 10, 2024

Command injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Command Injection

An authentication bypass in the admin web console of Ivanti CSA before 5.0.3

CVE-2024-11639 9.8 - Critical - December 10, 2024

An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access.

Missing Authentication for Critical Function

Argument injection in Ivanti Connect Secure before version 22.7R2.4

CVE-2024-11633 7.2 - High - December 10, 2024

Argument injection in Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Argument Injection

Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2

CVE-2024-11634 7.2 - High - December 10, 2024

Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (Not applicable to 9.1Rx)

Command Injection

Ivanti Secure Access Client Privilege Escalation Vulnerability

CVE-2024-37398 7.8 - High - November 13, 2024

Insufficient validation in Ivanti Secure Access Client before 22.7R4 allows a local authenticated attacker to escalate their privileges.

Ivanti Secure Access Client: Local Privilege Escalation via Improper Bounds Checking

CVE-2024-38654 - November 13, 2024

Improper bounds checking in Ivanti Secure Access Client before version 22.7R3 allows a local authenticated attacker with admin privileges to cause a denial of service.

A race condition in Ivanti Secure Access Client before version 22.7R4

CVE-2024-29211 4.7 - Medium - November 13, 2024

A race condition in Ivanti Secure Access Client before version 22.7R4 allows a local authenticated attacker to modify sensitive configuration files.

Race Condition

Ivanti Connect Secure IPsec Out-of-Bounds Write Denial of Service Vulnerability

CVE-2024-38649 - November 13, 2024

An out-of-bounds write in IPsec of Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) allows a remote unauthenticated attacker to cause a denial of service.

Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection

CVE-2024-39712 - November 13, 2024

Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ivanti Connect Secure and Policy Secure Remote Code Execution via Argument Injection

CVE-2024-39711 - November 13, 2024

Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ivanti Connect Secure and Policy Secure Remote Code Execution via Argument Injection

CVE-2024-39710 - November 13, 2024

Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ivanti Connect Secure and Policy Secure Privilege Escalation via Incorrect File Permissions

CVE-2024-39709 - November 13, 2024

Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1 (Not Applicable to 9.1Rx) allow a local authenticated attacker to escalate their privileges.

Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection

CVE-2024-38656 - November 13, 2024

Argument injection in Ivanti Connect Secure before version 22.7R2.2 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection

CVE-2024-38655 7.2 - High - November 13, 2024

Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ivanti Endpoint Manager Path Traversal Vulnerability

CVE-2024-34787 7.8 - High - November 13, 2024

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.

Ivanti Endpoint Manager SQL Injection Vulnerability

CVE-2024-34781 7.2 - High - November 13, 2024

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ivanti Endpoint Manager SQL Injection Vulnerability

CVE-2024-34782 7.2 - High - November 13, 2024

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ivanti Endpoint Manager SQL Injection Vulnerability

CVE-2024-34784 7.2 - High - November 13, 2024

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ivanti Endpoint Manager SQL Injection Vulnerability

CVE-2024-34780 7.2 - High - November 13, 2024

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).