Ivanti Ivanti

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Ivanti product.

Products by Ivanti Sorted by Most Security Vulnerabilities since 2018

Ivanti Connect Secure97 vulnerabilities

Ivanti Avalanche70 vulnerabilities

Ivanti Endpoint Manager56 vulnerabilities

Ivanti Policy Secure39 vulnerabilities

Ivanti Workspace Control19 vulnerabilities

Ivanti Endpoint Manager Mobile11 vulnerabilities

Ivanti Secure Access Client10 vulnerabilities

Ivanti Neurons For Itsm3 vulnerabilities

Ivanti Automation2 vulnerabilities

Ivanti Zero Trust Access1 vulnerability

Ivanti Standalone Sentry1 vulnerability

Ivanti Security Controls1 vulnerability

Ivanti Docswork1 vulnerability

Ivanti Mobileiron Sentry1 vulnerability

Known Exploited Ivanti Vulnerabilities

The following Ivanti vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution.
CVE-2025-0282 Exploit Probability: 15.3%
January 8, 2025
Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS.
CVE-2024-9380 Exploit Probability: 4.3%
October 9, 2024
Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to run arbitrary SQL statements.
CVE-2024-9379 Exploit Probability: 0.6%
October 9, 2024
Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability Ivanti Endpoint Manager (EPM) contains a SQL injection vulnerability in Core server that allows an unauthenticated attacker within the same network to execute arbitrary code.
CVE-2024-29824 Exploit Probability: 31.3%
October 2, 2024
Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability Ivanti Virtual Traffic Manager contains an authentication bypass vulnerability that allows a remote, unauthenticated attacker to create a chosen administrator account.
CVE-2024-7593 Exploit Probability: 97.3%
September 24, 2024
Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conjunction with CVE-2024-8190, an attacker could bypass admin authentication and execute arbitrary commands on the appliance.
CVE-2024-8963 Exploit Probability: 96.8%
September 19, 2024
Ivanti Cloud Services Appliance OS Command Injection Vulnerability Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS.
CVE-2024-8190 Exploit Probability: 11.3%
September 13, 2024
Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) contains a code injection vulnerability that allows an unauthenticated user to execute malicious code with limited permissions (nobody).
CVE-2021-44529 Exploit Probability: 97.4%
March 25, 2024
Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication.
CVE-2024-21893 Exploit Probability: 96.0%
January 31, 2024
Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core contain an authentication bypass vulnerability that allows unauthorized users to access restricted functionality or resources of the application.
CVE-2023-35082 Exploit Probability: 96.0%
January 18, 2024
Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability.
CVE-2023-46805 Exploit Probability: 96.7%
January 10, 2024
Ivanti Connect Secure and Policy Secure Command Injection Vulnerability Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authenticated bypass issue.
CVE-2024-21887 Exploit Probability: 97.3%
January 10, 2024
Ivanti Sentry Authentication Bypass Vulnerability Ivanti Sentry, formerly known as MobileIron Sentry, contains an authentication bypass vulnerability which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.
CVE-2023-38035 Exploit Probability: 97.2%
August 22, 2023
Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability Ivanti Endpoint Manager Mobile (EPMM) contains a path traversal vulnerability that enables an authenticated administrator to perform malicious file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs restrictions (if applicable).
CVE-2023-35081 Exploit Probability: 77.3%
July 31, 2023
Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability Ivanti Endpoint Manager Mobile (EPMM, previously branded MobileIron Core) contains an authentication bypass vulnerability that allows unauthenticated access to specific API paths. An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes, including creating an EPMM administrative account that can make further c
CVE-2023-35078 Exploit Probability: 96.9%
July 25, 2023
MobileIron Core, Connector, Sentry, and RDM Remote Code Execution Vulnerability A remote code execution vulnerability that allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2020-15505 Exploit Probability: 97.5%
November 3, 2021

Of the known exploited vulnerabilities above, 10 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 4 known exploited Ivanti vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

By the Year

In 2025 there have been 5 vulnerabilities in Ivanti with an average score of 8.6 out of ten. Last year, in 2024 Ivanti had 122 security vulnerabilities published. Right now, Ivanti is on track to have less security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.90.




Year Vulnerabilities Average Score
2025 5 8.62
2024 122 7.72
2023 57 8.62
2022 14 7.11
2021 27 8.20
2020 26 6.76
2019 28 7.66
2018 9 7.40

It may take a day or so for new Ivanti vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Ivanti Security Vulnerabilities

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication

CVE-2024-13181 9.8 - Critical - January 14, 2025

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This CVE addresses incomplete fixes from CVE-2024-47010.

Directory traversal

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information

CVE-2024-13180 7.5 - High - January 14, 2025

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011.

Directory traversal

Path Traversal in Ivanti Avalanche before version 6.4.7

CVE-2024-13179 9.8 - Critical - January 14, 2025

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication.

Directory traversal

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3

CVE-2025-0283 7 - High - January 08, 2025

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.

Memory Corruption

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3

CVE-2025-0282 9 - Critical - January 08, 2025

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.

Memory Corruption

Ivanti Workspace Control: Local Privilege Escalation via Insecure Permissions

CVE-2024-8496 7.8 - High - December 11, 2024

Under specific circumstances, insecure permissions in Ivanti Workspace Control before version 10.18.40.0 allows a local authenticated attacker to achieve local privilege escalation.

Incorrect Default Permissions

Ivanti Automation Local Privilege Escalation via Insecure Permissions

CVE-2024-9845 7.8 - High - December 11, 2024

Under specific circumstances, insecure permissions in Ivanti Automation before version 2024.4.0.1 allows a local authenticated attacker to achieve local privilege escalation.

Incorrect Default Permissions

Ivanti Security Controls Local Privilege Escalation via Insecure Permissions

CVE-2024-10251 7.8 - High - December 11, 2024

Under specific circumstances, insecure permissions in Ivanti Security Controls before version 2024.4.1 allows a local authenticated attacker to achieve local privilege escalation.

Incorrect Default Permissions

Argument injection in Ivanti Connect Secure before version 22.7R2.4

CVE-2024-11633 7.2 - High - December 10, 2024

Argument injection in Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution

Argument Injection

Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2

CVE-2024-11634 7.2 - High - December 10, 2024

Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (Not applicable to 9.1Rx)

Command Injection

An authentication bypass in the admin web console of Ivanti CSA before 5.0.3

CVE-2024-11639 9.8 - Critical - December 10, 2024

An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access

Missing Authentication for Critical Function

Command injection in the admin web console of Ivanti CSA before version 5.0.3

CVE-2024-11772 7.2 - High - December 10, 2024

Command injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Command Injection

Insufficient server-side controls in Secure Application Manager of Ivanti Connect Secure before version 22.7R2.4

CVE-2024-9844 8.8 - High - December 10, 2024

Insufficient server-side controls in Secure Application Manager of Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker to bypass restrictions.

SQL injection in the admin web console of Ivanti CSA before version 5.0.3

CVE-2024-11773 7.2 - High - December 10, 2024

SQL injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

SQL Injection

Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection

CVE-2024-39712 - November 13, 2024

Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ivanti Connect Secure and Policy Secure Remote Code Execution via Argument Injection

CVE-2024-39711 - November 13, 2024

Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ivanti Connect Secure and Policy Secure Remote Code Execution via Argument Injection

CVE-2024-39710 - November 13, 2024

Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ivanti Connect Secure and Policy Secure Privilege Escalation via Incorrect File Permissions

CVE-2024-39709 - November 13, 2024

Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1 (Not Applicable to 9.1Rx) allow a local authenticated attacker to escalate their privileges.

Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection

CVE-2024-38656 - November 13, 2024

Argument injection in Ivanti Connect Secure before version 22.7R2.2 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection

CVE-2024-38655 - November 13, 2024

Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ivanti Connect Secure IPsec Out-of-Bounds Write Denial of Service Vulnerability

CVE-2024-38649 - November 13, 2024

An out-of-bounds write in IPsec of Ivanti Connect Secure before version 22.7R2.1(Not Applicable to 9.1Rx) allows a remote unauthenticated attacker to cause a denial of service.

Ivanti Connect Secure Out-of-Bounds Read Denial of Service Vulnerability

CVE-2024-37400 - November 13, 2024

An out of bounds read in Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to trigger an infinite loop, causing a denial of service.

Ivanti Endpoint Manager SQL Injection Vulnerability

CVE-2024-37376 - November 13, 2024

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ivanti Endpoint Manager Path Traversal Vulnerability

CVE-2024-34787 - November 13, 2024

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.

Ivanti Endpoint Manager SQL Injection Vulnerability

CVE-2024-34784 - November 13, 2024

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ivanti Endpoint Manager SQL Injection Vulnerability

CVE-2024-34782 - November 13, 2024

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ivanti Endpoint Manager SQL Injection Vulnerability

CVE-2024-34781 - November 13, 2024

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ivanti Endpoint Manager SQL Injection Vulnerability

CVE-2024-34780 - November 13, 2024

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

A race condition in Ivanti Secure Access Client before version 22.7R4

CVE-2024-29211 4.7 - Medium - November 13, 2024

A race condition in Ivanti Secure Access Client before version 22.7R4 allows a local authenticated attacker to modify sensitive configuration files.

Race Condition

Ivanti Secure Access Client Privilege Escalation Vulnerability

CVE-2024-37398 7.8 - High - November 13, 2024

Insufficient validation in Ivanti Secure Access Client before 22.7R4 allows a local authenticated attacker to escalate their privileges.

Reflected XSS in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1

CVE-2024-11004 6.1 - Medium - November 12, 2024

Reflected XSS in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.

XSS

Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx)

CVE-2024-11005 7.2 - High - November 12, 2024

Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Shell injection

Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx)

CVE-2024-11006 7.2 - High - November 12, 2024

Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Shell injection

Incorrect permissions in Ivanti Secure Access Client before 22.7R4

CVE-2024-7571 7.8 - High - November 12, 2024

Incorrect permissions in Ivanti Secure Access Client before 22.7R4 allows a local authenticated attacker to escalate their privileges.

Improper authorization in Ivanti Secure Access Client before version 22.7R3

CVE-2024-8539 7.1 - High - November 12, 2024

Improper authorization in Ivanti Secure Access Client before version 22.7R3 allows a local authenticated attacker to modify sensitive configuration files.

Incorrect permissions in Ivanti Secure Access Client before version 22.7R4

CVE-2024-9842 3.3 - Low - November 12, 2024

Incorrect permissions in Ivanti Secure Access Client before version 22.7R4 allows a local authenticated attacker to create arbitrary folders.

A buffer over-read in Ivanti Secure Access Client before 22.7R4

CVE-2024-9843 5.5 - Medium - November 12, 2024

A buffer over-read in Ivanti Secure Access Client before 22.7R4 allows a local unauthenticated attacker to cause a denial of service.

Out-of-bounds Read

A null pointer dereference in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1

CVE-2024-8495 7.5 - High - November 12, 2024

A null pointer dereference in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to cause a denial of service.

NULL Pointer Dereference

A use-after-free in Ivanti Connect Secure before version 22.7R2.3 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2

CVE-2024-9420 8.8 - High - November 12, 2024

A use-after-free in Ivanti Connect Secure before version 22.7R2.3 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker to achieve remote code execution

Dangling pointer

Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx)

CVE-2024-11007 7.2 - High - November 12, 2024

Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Shell injection

Ivanti Avalanche Out-of-Bounds Read Information Disclosure Vulnerability

CVE-2024-50331 7.5 - High - November 12, 2024

An out-of-bounds read vulnerability in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to leak sensitive information in memory.

Out-of-bounds Read

Ivanti Endpoint Manager SQL Injection Vulnerability

CVE-2024-50330 - November 12, 2024

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution.

Ivanti Endpoint Manager Path Traversal Vulnerability

CVE-2024-50329 8.8 - High - November 12, 2024

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

Directory traversal

Ivanti Endpoint Manager SQL Injection Vulnerability

CVE-2024-50328 7.2 - High - November 12, 2024

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

SQL Injection

Ivanti Endpoint Manager SQL Injection Vulnerability

CVE-2024-50327 7.2 - High - November 12, 2024

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

SQL Injection

Ivanti Endpoint Manager SQL Injection Vulnerability

CVE-2024-50326 7.2 - High - November 12, 2024

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

SQL Injection

Ivanti Endpoint Manager: Path Traversal Vulnerability in File Upload Component

CVE-2024-50324 7.2 - High - November 12, 2024

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Directory traversal

Ivanti Endpoint Manager SQL Injection Vulnerability

CVE-2024-50323 7.8 - High - November 12, 2024

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.

SQL Injection

Ivanti Endpoint Manager Path Traversal Vulnerability

CVE-2024-50322 7.8 - High - November 12, 2024

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.

Directory traversal

Ivanti Avalanche Infinite Loop Denial of Service Vulnerability

CVE-2024-50321 7.5 - High - November 12, 2024

An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Infinite Loop

Ivanti Avalanche Infinite Loop Denial of Service Vulnerability

CVE-2024-50320 7.5 - High - November 12, 2024

An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Infinite Loop

Ivanti Avalanche Infinite Loop Denial of Service Vulnerability

CVE-2024-50319 7.5 - High - November 12, 2024

An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Infinite Loop

Ivanti Avalanche Null Pointer Dereference Denial of Service Vulnerability

CVE-2024-50318 7.5 - High - November 12, 2024

A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

NULL Pointer Dereference

Ivanti Avalanche Null Pointer Dereference Denial of Service Vulnerability

CVE-2024-50317 7.5 - High - November 12, 2024

A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

NULL Pointer Dereference

Ivanti Connect Secure and Policy Secure Stack-Based Buffer Overflow Vulnerability

CVE-2024-47909 4.9 - Medium - November 12, 2024

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to cause a denial of service.

Memory Corruption

Ivanti Connect Secure IPsec Stack-Based Buffer Overflow Vulnerability

CVE-2024-47907 7.5 - High - November 12, 2024

A stack-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service.

Memory Corruption

Ivanti Connect Secure and Policy Secure Privilege Escalation Vulnerability

CVE-2024-47906 7.8 - High - November 12, 2024

Excessive binary privileges in Ivanti Connect Secure before version 22.7R2.3 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.2 (Not Applicable to 9.1Rx) allows a local authenticated attacker to escalate privileges.

Ivanti Connect Secure and Policy Secure Stack-Based Buffer Overflow Vulnerability

CVE-2024-47905 4.9 - Medium - November 12, 2024

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to cause a denial of service.

Memory Corruption

Insecure permissions in Ivanti EPMM before 12.1.0.4

CVE-2024-7612 7.8 - High - October 08, 2024

Insecure permissions in Ivanti EPMM before 12.1.0.4 allow a local authenticated attacker to modify sensitive application components.

Incorrect Permission Assignment for Critical Resource

An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2

CVE-2024-9380 7.2 - High - October 08, 2024

An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution.

Shell injection

SQL injection in the admin web console of Ivanti CSA before version 5.0.2

CVE-2024-9379 7.2 - High - October 08, 2024

SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

SQL Injection

Path traversal in Ivanti CSA before version 5.0.2

CVE-2024-9381 7.2 - High - October 08, 2024

Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.

Directory traversal

Path Traversal in Ivanti Avalanche before version 6.4.5

CVE-2024-47011 7.5 - High - October 08, 2024

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information

Directory traversal

Path Traversal in Ivanti Avalanche before version 6.4.5

CVE-2024-47010 9.8 - Critical - October 08, 2024

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.

Directory traversal

Path Traversal in Ivanti Avalanche before version 6.4.5

CVE-2024-47009 9.8 - Critical - October 08, 2024

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.

Directory traversal

Server-side request forgery in Ivanti Avalanche before version 6.4.5

CVE-2024-47008 7.5 - High - October 08, 2024

Server-side request forgery in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information.

SSRF

A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5

CVE-2024-47007 7.5 - High - October 08, 2024

A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to cause a denial of service.

NULL Pointer Dereference

Path Traversal in the Ivanti CSA before 4.6 Patch 519

CVE-2024-8963 9.1 - Critical - September 19, 2024

Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.

Directory traversal

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update

CVE-2024-34779 7.2 - High - September 12, 2024

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

SQL Injection

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update

CVE-2024-34783 7.2 - High - September 12, 2024

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

SQL Injection

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update

CVE-2024-34785 7.2 - High - September 12, 2024

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

SQL Injection

Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update

CVE-2024-29847 9.8 - Critical - September 12, 2024

Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.

Marshaling, Unmarshaling

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update

CVE-2024-32840 7.2 - High - September 12, 2024

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

SQL Injection

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update

CVE-2024-32842 7.2 - High - September 12, 2024

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

SQL Injection

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update

CVE-2024-32843 7.2 - High - September 12, 2024

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

SQL Injection

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update

CVE-2024-32845 7.2 - High - September 12, 2024

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

SQL Injection

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update

CVE-2024-32846 7.2 - High - September 12, 2024

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

SQL Injection

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update

CVE-2024-32848 7.2 - High - September 12, 2024

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

SQL Injection

Insufficient server-side controls in the management console of Ivanti Workspace Control version 10.18.0.0 and below

CVE-2024-44106 7.8 - High - September 10, 2024

Insufficient server-side controls in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges.

DLL hijacking in the management console of Ivanti Workspace Control version 10.18.0.0 and below

CVE-2024-44107 7.8 - High - September 10, 2024

DLL hijacking in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges and achieve arbitrary code execution.

DLL preloading

An authentication bypass weakness in the message broker service of Ivanti Workspace Control version 10.18.0.0 and below

CVE-2024-8012 7.8 - High - September 10, 2024

An authentication bypass weakness in the message broker service of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges.

Missing Authentication for Critical Function

An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before

CVE-2024-8190 7.2 - High - September 10, 2024

An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.

Shell injection

SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update

CVE-2024-8191 9.8 - Critical - September 10, 2024

SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.

SQL Injection

Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update

CVE-2024-8320 5.3 - Medium - September 10, 2024

Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to spoof Network Isolation status of managed devices.

Missing Authentication for Critical Function

Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update

CVE-2024-8321 8.6 - High - September 10, 2024

Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to isolate managed devices from the network.

Missing Authentication for Critical Function

Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update

CVE-2024-8322 8.8 - High - September 10, 2024

Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality.

An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6, or the 2024 September update

CVE-2024-8441 6.7 - Medium - September 10, 2024

An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6, or the 2024 September update allows a local authenticated attacker with admin privileges to escalate their privileges to SYSTEM.

DLL preloading

Cleartext transmission of sensitive information in the management console of Ivanti Workspace Control version 10.18.0.0 and below

CVE-2024-44105 7.8 - High - September 10, 2024

Cleartext transmission of sensitive information in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to obtain OS credentials.

Cleartext Transmission of Sensitive Information

An incorrectly implemented authentication scheme

CVE-2024-44104 7.8 - High - September 10, 2024

An incorrectly implemented authentication scheme that is subjected to a spoofing attack in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges.

Authentication Bypass by Spoofing

DLL hijacking in the management console of Ivanti Workspace Control version 10.18.0.0 and below

CVE-2024-44103 7.8 - High - September 10, 2024

DLL hijacking in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges.

Untrusted Path

XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1

CVE-2024-38653 7.5 - High - August 14, 2024

XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.

XXE

Path traversal in the skin management component of Ivanti Avalanche 6.3.1

CVE-2024-38652 9.1 - Critical - August 14, 2024

Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion.

Directory traversal

A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1

CVE-2024-37399 7.5 - High - August 14, 2024

A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.

NULL Pointer Dereference

Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1

CVE-2024-37373 7.2 - High - August 14, 2024

Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1 allows a remote authenticated attacker with admin rights to achieve RCE.

An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1

CVE-2024-36136 7.5 - High - August 14, 2024

An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.

off-by-five

An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier

CVE-2024-7569 9.8 - Critical - August 13, 2024

An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information.

Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM Versions 2023.4 and earlier allows a remote attacker in a MITM position to craft a token

CVE-2024-7570 8.1 - High - August 13, 2024

Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM Versions 2023.4 and earlier allows a remote attacker in a MITM position to craft a token that would allow access to ITSM as any user.

Improper Certificate Validation

Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2

CVE-2024-7593 9.8 - Critical - August 13, 2024

Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.

authentification

Ivanti Docs@Work for Android, before 2.26.0 is affected by the 'Dirty Stream' vulnerability

CVE-2024-37403 5.5 - Medium - August 07, 2024

Ivanti Docs@Work for Android, before 2.26.0 is affected by the 'Dirty Stream' vulnerability. The application fails to properly sanitize file names, resulting in a path traversal-affiliated vulnerability. This potentially enables other malicious apps on the device to read sensitive information stored in the app root.

Directory traversal

An insufficient authorization vulnerability in web component of EPMM prior to 12.1.0.1

CVE-2024-36130 9.8 - Critical - August 07, 2024

An insufficient authorization vulnerability in web component of EPMM prior to 12.1.0.1 allows an unauthorized attacker within the network to execute arbitrary commands on the underlying operating system of the appliance.

authentification

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.