Ivanti
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Ivanti product.
Products by Ivanti Sorted by Most Security Vulnerabilities since 2018
Known Exploited Ivanti Vulnerabilities
The following Ivanti vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
Title | Description | Added |
---|---|---|
Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability |
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution. CVE-2025-0282 Exploit Probability: 15.3% |
January 8, 2025 |
Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability |
Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS. CVE-2024-9380 Exploit Probability: 4.3% |
October 9, 2024 |
Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability |
Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to run arbitrary SQL statements. CVE-2024-9379 Exploit Probability: 0.6% |
October 9, 2024 |
Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability |
Ivanti Endpoint Manager (EPM) contains a SQL injection vulnerability in Core server that allows an unauthenticated attacker within the same network to execute arbitrary code. CVE-2024-29824 Exploit Probability: 31.3% |
October 2, 2024 |
Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability |
Ivanti Virtual Traffic Manager contains an authentication bypass vulnerability that allows a remote, unauthenticated attacker to create a chosen administrator account. CVE-2024-7593 Exploit Probability: 97.3% |
September 24, 2024 |
Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability |
Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conjunction with CVE-2024-8190, an attacker could bypass admin authentication and execute arbitrary commands on the appliance. CVE-2024-8963 Exploit Probability: 96.8% |
September 19, 2024 |
Ivanti Cloud Services Appliance OS Command Injection Vulnerability |
Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS. CVE-2024-8190 Exploit Probability: 11.3% |
September 13, 2024 |
Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability |
Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) contains a code injection vulnerability that allows an unauthenticated user to execute malicious code with limited permissions (nobody). CVE-2021-44529 Exploit Probability: 97.4% |
March 25, 2024 |
Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability |
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication. CVE-2024-21893 Exploit Probability: 96.0% |
January 31, 2024 |
Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability |
Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core contain an authentication bypass vulnerability that allows unauthorized users to access restricted functionality or resources of the application. CVE-2023-35082 Exploit Probability: 96.0% |
January 18, 2024 |
Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability |
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability. CVE-2023-46805 Exploit Probability: 96.7% |
January 10, 2024 |
Ivanti Connect Secure and Policy Secure Command Injection Vulnerability |
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authenticated bypass issue. CVE-2024-21887 Exploit Probability: 97.3% |
January 10, 2024 |
Ivanti Sentry Authentication Bypass Vulnerability |
Ivanti Sentry, formerly known as MobileIron Sentry, contains an authentication bypass vulnerability which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration. CVE-2023-38035 Exploit Probability: 97.2% |
August 22, 2023 |
Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability |
Ivanti Endpoint Manager Mobile (EPMM) contains a path traversal vulnerability that enables an authenticated administrator to perform malicious file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs restrictions (if applicable). CVE-2023-35081 Exploit Probability: 77.3% |
July 31, 2023 |
Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability |
Ivanti Endpoint Manager Mobile (EPMM, previously branded MobileIron Core) contains an authentication bypass vulnerability that allows unauthenticated access to specific API paths. An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes, including creating an EPMM administrative account that can make further c CVE-2023-35078 Exploit Probability: 96.9% |
July 25, 2023 |
MobileIron Core, Connector, Sentry, and RDM Remote Code Execution Vulnerability |
A remote code execution vulnerability that allows remote attackers to execute arbitrary code via unspecified vectors. CVE-2020-15505 Exploit Probability: 97.5% |
November 3, 2021 |
Of the known exploited vulnerabilities above, 10 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 4 known exploited Ivanti vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
By the Year
In 2025 there have been 5 vulnerabilities in Ivanti with an average score of 8.6 out of ten. Last year, in 2024 Ivanti had 122 security vulnerabilities published. Right now, Ivanti is on track to have less security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.90.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 5 | 8.62 |
2024 | 122 | 7.72 |
2023 | 57 | 8.62 |
2022 | 14 | 7.11 |
2021 | 27 | 8.20 |
2020 | 26 | 6.76 |
2019 | 28 | 7.66 |
2018 | 9 | 7.40 |
It may take a day or so for new Ivanti vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Ivanti Security Vulnerabilities
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication
CVE-2024-13181
9.8 - Critical
- January 14, 2025
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This CVE addresses incomplete fixes from CVE-2024-47010.
Directory traversal
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information
CVE-2024-13180
7.5 - High
- January 14, 2025
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011.
Directory traversal
Path Traversal in Ivanti Avalanche before version 6.4.7
CVE-2024-13179
9.8 - Critical
- January 14, 2025
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication.
Directory traversal
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3
CVE-2025-0283
7 - High
- January 08, 2025
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.
Memory Corruption
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3
CVE-2025-0282
9 - Critical
- January 08, 2025
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
Memory Corruption
Ivanti Workspace Control: Local Privilege Escalation via Insecure Permissions
CVE-2024-8496
7.8 - High
- December 11, 2024
Under specific circumstances, insecure permissions in Ivanti Workspace Control before version 10.18.40.0 allows a local authenticated attacker to achieve local privilege escalation.
Incorrect Default Permissions
Ivanti Automation Local Privilege Escalation via Insecure Permissions
CVE-2024-9845
7.8 - High
- December 11, 2024
Under specific circumstances, insecure permissions in Ivanti Automation before version 2024.4.0.1 allows a local authenticated attacker to achieve local privilege escalation.
Incorrect Default Permissions
Ivanti Security Controls Local Privilege Escalation via Insecure Permissions
CVE-2024-10251
7.8 - High
- December 11, 2024
Under specific circumstances, insecure permissions in Ivanti Security Controls before version 2024.4.1 allows a local authenticated attacker to achieve local privilege escalation.
Incorrect Default Permissions
Argument injection in Ivanti Connect Secure before version 22.7R2.4
CVE-2024-11633
7.2 - High
- December 10, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution
Argument Injection
Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2
CVE-2024-11634
7.2 - High
- December 10, 2024
Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (Not applicable to 9.1Rx)
Command Injection
An authentication bypass in the admin web console of Ivanti CSA before 5.0.3
CVE-2024-11639
9.8 - Critical
- December 10, 2024
An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access
Missing Authentication for Critical Function
Command injection in the admin web console of Ivanti CSA before version 5.0.3
CVE-2024-11772
7.2 - High
- December 10, 2024
Command injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Command Injection
Insufficient server-side controls in Secure Application Manager of Ivanti Connect Secure before version 22.7R2.4
CVE-2024-9844
8.8 - High
- December 10, 2024
Insufficient server-side controls in Secure Application Manager of Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker to bypass restrictions.
SQL injection in the admin web console of Ivanti CSA before version 5.0.3
CVE-2024-11773
7.2 - High
- December 10, 2024
SQL injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.
SQL Injection
Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection
CVE-2024-39712
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Connect Secure and Policy Secure Remote Code Execution via Argument Injection
CVE-2024-39711
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Connect Secure and Policy Secure Remote Code Execution via Argument Injection
CVE-2024-39710
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Connect Secure and Policy Secure Privilege Escalation via Incorrect File Permissions
CVE-2024-39709
- November 13, 2024
Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1 (Not Applicable to 9.1Rx) allow a local authenticated attacker to escalate their privileges.
Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection
CVE-2024-38656
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.2 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection
CVE-2024-38655
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Connect Secure IPsec Out-of-Bounds Write Denial of Service Vulnerability
CVE-2024-38649
- November 13, 2024
An out-of-bounds write in IPsec of Ivanti Connect Secure before version 22.7R2.1(Not Applicable to 9.1Rx) allows a remote unauthenticated attacker to cause a denial of service.
Ivanti Connect Secure Out-of-Bounds Read Denial of Service Vulnerability
CVE-2024-37400
- November 13, 2024
An out of bounds read in Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to trigger an infinite loop, causing a denial of service.
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-37376
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Endpoint Manager Path Traversal Vulnerability
CVE-2024-34787
- November 13, 2024
Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-34784
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-34782
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-34781
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-34780
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
A race condition in Ivanti Secure Access Client before version 22.7R4
CVE-2024-29211
4.7 - Medium
- November 13, 2024
A race condition in Ivanti Secure Access Client before version 22.7R4 allows a local authenticated attacker to modify sensitive configuration files.
Race Condition
Ivanti Secure Access Client Privilege Escalation Vulnerability
CVE-2024-37398
7.8 - High
- November 13, 2024
Insufficient validation in Ivanti Secure Access Client before 22.7R4 allows a local authenticated attacker to escalate their privileges.
Reflected XSS in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1
CVE-2024-11004
6.1 - Medium
- November 12, 2024
Reflected XSS in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.
XSS
Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx)
CVE-2024-11005
7.2 - High
- November 12, 2024
Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Shell injection
Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx)
CVE-2024-11006
7.2 - High
- November 12, 2024
Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Shell injection
Incorrect permissions in Ivanti Secure Access Client before 22.7R4
CVE-2024-7571
7.8 - High
- November 12, 2024
Incorrect permissions in Ivanti Secure Access Client before 22.7R4 allows a local authenticated attacker to escalate their privileges.
Improper authorization in Ivanti Secure Access Client before version 22.7R3
CVE-2024-8539
7.1 - High
- November 12, 2024
Improper authorization in Ivanti Secure Access Client before version 22.7R3 allows a local authenticated attacker to modify sensitive configuration files.
Incorrect permissions in Ivanti Secure Access Client before version 22.7R4
CVE-2024-9842
3.3 - Low
- November 12, 2024
Incorrect permissions in Ivanti Secure Access Client before version 22.7R4 allows a local authenticated attacker to create arbitrary folders.
A buffer over-read in Ivanti Secure Access Client before 22.7R4
CVE-2024-9843
5.5 - Medium
- November 12, 2024
A buffer over-read in Ivanti Secure Access Client before 22.7R4 allows a local unauthenticated attacker to cause a denial of service.
Out-of-bounds Read
A null pointer dereference in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1
CVE-2024-8495
7.5 - High
- November 12, 2024
A null pointer dereference in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to cause a denial of service.
NULL Pointer Dereference
A use-after-free in Ivanti Connect Secure before version 22.7R2.3 and 9.1R18.9
and Ivanti Policy Secure before version 22.7R1.2
CVE-2024-9420
8.8 - High
- November 12, 2024
A use-after-free in Ivanti Connect Secure before version 22.7R2.3 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker to achieve remote code execution
Dangling pointer
Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx)
CVE-2024-11007
7.2 - High
- November 12, 2024
Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Shell injection
Ivanti Avalanche Out-of-Bounds Read Information Disclosure Vulnerability
CVE-2024-50331
7.5 - High
- November 12, 2024
An out-of-bounds read vulnerability in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to leak sensitive information in memory.
Out-of-bounds Read
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-50330
- November 12, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution.
Ivanti Endpoint Manager Path Traversal Vulnerability
CVE-2024-50329
8.8 - High
- November 12, 2024
Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.
Directory traversal
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-50328
7.2 - High
- November 12, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-50327
7.2 - High
- November 12, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-50326
7.2 - High
- November 12, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
Ivanti Endpoint Manager: Path Traversal Vulnerability in File Upload Component
CVE-2024-50324
7.2 - High
- November 12, 2024
Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Directory traversal
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-50323
7.8 - High
- November 12, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.
SQL Injection
Ivanti Endpoint Manager Path Traversal Vulnerability
CVE-2024-50322
7.8 - High
- November 12, 2024
Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.
Directory traversal
Ivanti Avalanche Infinite Loop Denial of Service Vulnerability
CVE-2024-50321
7.5 - High
- November 12, 2024
An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
Infinite Loop
Ivanti Avalanche Infinite Loop Denial of Service Vulnerability
CVE-2024-50320
7.5 - High
- November 12, 2024
An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
Infinite Loop
Ivanti Avalanche Infinite Loop Denial of Service Vulnerability
CVE-2024-50319
7.5 - High
- November 12, 2024
An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
Infinite Loop
Ivanti Avalanche Null Pointer Dereference Denial of Service Vulnerability
CVE-2024-50318
7.5 - High
- November 12, 2024
A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
NULL Pointer Dereference
Ivanti Avalanche Null Pointer Dereference Denial of Service Vulnerability
CVE-2024-50317
7.5 - High
- November 12, 2024
A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
NULL Pointer Dereference
Ivanti Connect Secure and Policy Secure Stack-Based Buffer Overflow Vulnerability
CVE-2024-47909
4.9 - Medium
- November 12, 2024
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to cause a denial of service.
Memory Corruption
Ivanti Connect Secure IPsec Stack-Based Buffer Overflow Vulnerability
CVE-2024-47907
7.5 - High
- November 12, 2024
A stack-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service.
Memory Corruption
Ivanti Connect Secure and Policy Secure Privilege Escalation Vulnerability
CVE-2024-47906
7.8 - High
- November 12, 2024
Excessive binary privileges in Ivanti Connect Secure before version 22.7R2.3 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.2 (Not Applicable to 9.1Rx) allows a local authenticated attacker to escalate privileges.
Ivanti Connect Secure and Policy Secure Stack-Based Buffer Overflow Vulnerability
CVE-2024-47905
4.9 - Medium
- November 12, 2024
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to cause a denial of service.
Memory Corruption
Insecure permissions in Ivanti EPMM before 12.1.0.4
CVE-2024-7612
7.8 - High
- October 08, 2024
Insecure permissions in Ivanti EPMM before 12.1.0.4 allow a local authenticated attacker to modify sensitive application components.
Incorrect Permission Assignment for Critical Resource
An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2
CVE-2024-9380
7.2 - High
- October 08, 2024
An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution.
Shell injection
SQL injection in the admin web console of Ivanti CSA before version 5.0.2
CVE-2024-9379
7.2 - High
- October 08, 2024
SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.
SQL Injection
Path traversal in Ivanti CSA before version 5.0.2
CVE-2024-9381
7.2 - High
- October 08, 2024
Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.
Directory traversal
Path Traversal in Ivanti Avalanche before version 6.4.5
CVE-2024-47011
7.5 - High
- October 08, 2024
Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information
Directory traversal
Path Traversal in Ivanti Avalanche before version 6.4.5
CVE-2024-47010
9.8 - Critical
- October 08, 2024
Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.
Directory traversal
Path Traversal in Ivanti Avalanche before version 6.4.5
CVE-2024-47009
9.8 - Critical
- October 08, 2024
Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.
Directory traversal
Server-side request forgery in Ivanti Avalanche before version 6.4.5
CVE-2024-47008
7.5 - High
- October 08, 2024
Server-side request forgery in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information.
SSRF
A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5
CVE-2024-47007
7.5 - High
- October 08, 2024
A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to cause a denial of service.
NULL Pointer Dereference
Path Traversal in the Ivanti CSA before 4.6 Patch 519
CVE-2024-8963
9.1 - Critical
- September 19, 2024
Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.
Directory traversal
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-34779
7.2 - High
- September 12, 2024
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-34783
7.2 - High
- September 12, 2024
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-34785
7.2 - High
- September 12, 2024
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-29847
9.8 - Critical
- September 12, 2024
Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.
Marshaling, Unmarshaling
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-32840
7.2 - High
- September 12, 2024
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-32842
7.2 - High
- September 12, 2024
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-32843
7.2 - High
- September 12, 2024
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-32845
7.2 - High
- September 12, 2024
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-32846
7.2 - High
- September 12, 2024
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-32848
7.2 - High
- September 12, 2024
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
SQL Injection
Insufficient server-side controls in the management console of Ivanti Workspace Control version 10.18.0.0 and below
CVE-2024-44106
7.8 - High
- September 10, 2024
Insufficient server-side controls in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges.
DLL hijacking in the management console of Ivanti Workspace Control version 10.18.0.0 and below
CVE-2024-44107
7.8 - High
- September 10, 2024
DLL hijacking in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges and achieve arbitrary code execution.
DLL preloading
An authentication bypass weakness in the message broker service of Ivanti Workspace Control version 10.18.0.0 and below
CVE-2024-8012
7.8 - High
- September 10, 2024
An authentication bypass weakness in the message broker service of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges.
Missing Authentication for Critical Function
An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before
CVE-2024-8190
7.2 - High
- September 10, 2024
An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.
Shell injection
SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-8191
9.8 - Critical
- September 10, 2024
SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.
SQL Injection
Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-8320
5.3 - Medium
- September 10, 2024
Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to spoof Network Isolation status of managed devices.
Missing Authentication for Critical Function
Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-8321
8.6 - High
- September 10, 2024
Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to isolate managed devices from the network.
Missing Authentication for Critical Function
Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-8322
8.8 - High
- September 10, 2024
Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality.
An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6, or the 2024 September update
CVE-2024-8441
6.7 - Medium
- September 10, 2024
An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6, or the 2024 September update allows a local authenticated attacker with admin privileges to escalate their privileges to SYSTEM.
DLL preloading
Cleartext transmission of sensitive information in the management console of Ivanti Workspace Control version 10.18.0.0 and below
CVE-2024-44105
7.8 - High
- September 10, 2024
Cleartext transmission of sensitive information in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to obtain OS credentials.
Cleartext Transmission of Sensitive Information
An incorrectly implemented authentication scheme
CVE-2024-44104
7.8 - High
- September 10, 2024
An incorrectly implemented authentication scheme that is subjected to a spoofing attack in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges.
Authentication Bypass by Spoofing
DLL hijacking in the management console of Ivanti Workspace Control version 10.18.0.0 and below
CVE-2024-44103
7.8 - High
- September 10, 2024
DLL hijacking in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges.
Untrusted Path
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1
CVE-2024-38653
7.5 - High
- August 14, 2024
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
XXE
Path traversal in the skin management component of Ivanti Avalanche 6.3.1
CVE-2024-38652
9.1 - Critical
- August 14, 2024
Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion.
Directory traversal
A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1
CVE-2024-37399
7.5 - High
- August 14, 2024
A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.
NULL Pointer Dereference
Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1
CVE-2024-37373
7.2 - High
- August 14, 2024
Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1 allows a remote authenticated attacker with admin rights to achieve RCE.
An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1
CVE-2024-36136
7.5 - High
- August 14, 2024
An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.
off-by-five
An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier
CVE-2024-7569
9.8 - Critical
- August 13, 2024
An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information.
Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM Versions 2023.4 and earlier allows a remote attacker in a MITM position to craft a token
CVE-2024-7570
8.1 - High
- August 13, 2024
Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM Versions 2023.4 and earlier allows a remote attacker in a MITM position to craft a token that would allow access to ITSM as any user.
Improper Certificate Validation
Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2
CVE-2024-7593
9.8 - Critical
- August 13, 2024
Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.
authentification
Ivanti Docs@Work for Android, before 2.26.0 is affected by the 'Dirty Stream' vulnerability
CVE-2024-37403
5.5 - Medium
- August 07, 2024
Ivanti Docs@Work for Android, before 2.26.0 is affected by the 'Dirty Stream' vulnerability. The application fails to properly sanitize file names, resulting in a path traversal-affiliated vulnerability. This potentially enables other malicious apps on the device to read sensitive information stored in the app root.
Directory traversal
An insufficient authorization vulnerability in web component of EPMM prior to 12.1.0.1
CVE-2024-36130
9.8 - Critical
- August 07, 2024
An insufficient authorization vulnerability in web component of EPMM prior to 12.1.0.1 allows an unauthorized attacker within the network to execute arbitrary commands on the underlying operating system of the appliance.
authentification