Ivanti
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Ivanti product.
RSS Feeds for Ivanti security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Ivanti products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Ivanti Sorted by Most Security Vulnerabilities since 2018
Known Exploited Ivanti Vulnerabilities
The following Ivanti vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability |
Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted API requests. This vulnerability results from an insecure implementation of the Spring Framework open-source library. CVE-2025-4427 Exploit Probability: 81.0% |
May 19, 2025 |
| Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability |
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. This vulnerability results from an insecure implementation of the Hibernate Validator open-source library. CVE-2025-4428 Exploit Probability: 21.1% |
May 19, 2025 |
| Ivanti Connect Secure, Policy Secure and ZTA Gateways Stack-Based Buffer Overflow Vulnerability |
Ivanti Connect Secure, Policy Secure and ZTA Gateways contains a stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code execution. CVE-2025-22457 Exploit Probability: 26.5% |
April 4, 2025 |
| Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability |
Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information. CVE-2024-13159 Exploit Probability: 94.1% |
March 10, 2025 |
| Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability |
Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information. CVE-2024-13160 Exploit Probability: 93.5% |
March 10, 2025 |
| Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability |
Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information. CVE-2024-13161 Exploit Probability: 92.1% |
March 10, 2025 |
| Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability |
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution. CVE-2025-0282 Exploit Probability: 93.2% |
January 8, 2025 |
| Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability |
Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to run arbitrary SQL statements. CVE-2024-9379 Exploit Probability: 83.8% |
October 9, 2024 |
| Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability |
Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS. CVE-2024-9380 Exploit Probability: 83.0% |
October 9, 2024 |
| Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability |
Ivanti Endpoint Manager (EPM) contains a SQL injection vulnerability in Core server that allows an unauthenticated attacker within the same network to execute arbitrary code. CVE-2024-29824 Exploit Probability: 94.3% |
October 2, 2024 |
| Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability |
Ivanti Virtual Traffic Manager contains an authentication bypass vulnerability that allows a remote, unauthenticated attacker to create a chosen administrator account. CVE-2024-7593 Exploit Probability: 94.4% |
September 24, 2024 |
| Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability |
Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conjunction with CVE-2024-8190, an attacker could bypass admin authentication and execute arbitrary commands on the appliance. CVE-2024-8963 Exploit Probability: 94.3% |
September 19, 2024 |
| Ivanti Cloud Services Appliance OS Command Injection Vulnerability |
Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS. CVE-2024-8190 Exploit Probability: 91.3% |
September 13, 2024 |
| Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability |
Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) contains a code injection vulnerability that allows an unauthenticated user to execute malicious code with limited permissions (nobody). CVE-2021-44529 Exploit Probability: 94.5% |
March 25, 2024 |
| Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability |
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication. CVE-2024-21893 Exploit Probability: 94.3% |
January 31, 2024 |
| Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability |
Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core contain an authentication bypass vulnerability that allows unauthorized users to access restricted functionality or resources of the application. CVE-2023-35082 Exploit Probability: 94.5% |
January 18, 2024 |
| Ivanti Connect Secure and Policy Secure Command Injection Vulnerability |
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authenticated bypass issue. CVE-2024-21887 Exploit Probability: 94.4% |
January 10, 2024 |
| Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability |
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability. CVE-2023-46805 Exploit Probability: 94.4% |
January 10, 2024 |
| Ivanti Sentry Authentication Bypass Vulnerability |
Ivanti Sentry, formerly known as MobileIron Sentry, contains an authentication bypass vulnerability which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration. CVE-2023-38035 Exploit Probability: 94.4% |
August 22, 2023 |
| Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability |
Ivanti Endpoint Manager Mobile (EPMM) contains a path traversal vulnerability that enables an authenticated administrator to perform malicious file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs restrictions (if applicable). CVE-2023-35081 Exploit Probability: 93.2% |
July 31, 2023 |
Of the known exploited vulnerabilities above, 18 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 2 known exploited Ivanti vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
Top 10 Riskiest Ivanti Vulnerabilities
Based on the current exploit probability, these Ivanti vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.
| Rank | CVE | EPSS | Vulnerability |
|---|---|---|---|
| 1 | CVE-2023-35078 | 94.5% | Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability |
| 2 | CVE-2023-35082 | 94.5% | Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability |
| 3 | CVE-2021-44529 | 94.5% | Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability |
| 4 | CVE-2023-38035 | 94.4% | Ivanti Sentry Authentication Bypass Vulnerability |
| 5 | CVE-2024-21887 | 94.4% | Ivanti Connect Secure and Policy Secure Command Injection Vulnerability |
| 6 | CVE-2024-7593 | 94.4% | Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability |
| 7 | CVE-2023-46805 | 94.4% | Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability |
| 8 | CVE-2020-15505 | 94.4% | MobileIron Core, Connector, Sentry, and RDM Remote Code Execution Vulnerability |
| 9 | CVE-2024-21893 | 94.3% | Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability |
| 10 | CVE-2024-29824 | 94.3% | Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability |
By the Year
In 2025 there have been 24 vulnerabilities in Ivanti with an average score of 7.5 out of ten. Last year, in 2024 Ivanti had 162 security vulnerabilities published. Right now, Ivanti is on track to have less security vulnerabilities in 2025 than it did last year. Last year, the average CVE base score was greater by 0.33
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 24 | 7.45 |
| 2024 | 162 | 7.78 |
| 2023 | 60 | 8.63 |
| 2022 | 14 | 7.11 |
| 2021 | 27 | 8.20 |
| 2020 | 27 | 6.77 |
| 2019 | 28 | 7.66 |
| 2018 | 9 | 7.40 |
It may take a day or so for new Ivanti vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Ivanti Security Vulnerabilities
An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior
CVE-2025-4427
7.5 - High
- May 13, 2025
An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.
Authentication Bypass Using an Alternate Path or Channel
Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms
CVE-2025-4428
8.8 - High
- May 13, 2025
Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests.
Code Injection
DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7
CVE-2025-22458
7.8 - High
- April 08, 2025
DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an authenticated attacker to escalate to System.
DLL preloading
Improper certificate validation in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7
CVE-2025-22459
4.8 - Medium
- April 08, 2025
Improper certificate validation in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to intercept limited traffic between clients and servers.
Improper Certificate Validation
SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7
CVE-2025-22461
7.2 - High
- April 08, 2025
SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution.
SQL Injection
An untrusted pointer dereference vulnerability in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7
CVE-2025-22464
6.1 - Medium
- April 08, 2025
An untrusted pointer dereference vulnerability in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an attacker with local access to write arbitrary data into memory causing a denial-of-service condition.
Untrusted Pointer Dereference
Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7
CVE-2025-22465
6.1 - Medium
- April 08, 2025
Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary javascript in a victim's browser. Unlikely user interaction is required.
XSS
Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7
CVE-2025-22466
9.6 - Critical
- April 08, 2025
Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.
XSS
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2
CVE-2025-22457
9.8 - Critical
- April 03, 2025
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.
Memory Corruption
Insufficient permissions in Ivanti Secure Access Client before version 22.8R1
CVE-2024-13813
7.1 - High
- February 11, 2025
Insufficient permissions in Ivanti Secure Access Client before version 22.8R1 allows a local authenticated attacker to delete arbitrary files.
Incorrect Permission Assignment for Critical Resource
A hardcoded key in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.3
CVE-2024-13842
4.4 - Medium
- February 11, 2025
A hardcoded key in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.3 allows a local authenticated attacker with admin privileges to read sensitive data.
Use of Hard-coded Cryptographic Key
Cleartext storage of information in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3
CVE-2024-13843
4.4 - Medium
- February 11, 2025
Cleartext storage of information in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a local authenticated attacker with admin privileges to read sensitive data.
Cleartext Storage of Sensitive Information
OS command injection in the admin web console of Ivanti CSA before version 5.0.5
CVE-2024-47908
7.2 - High
- February 11, 2025
OS command injection in the admin web console of Ivanti CSA before version 5.0.5 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Shell injection
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6
CVE-2025-22467
8.8 - High
- February 11, 2025
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution.
Stack Overflow
Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3
CVE-2024-13830
6.1 - Medium
- February 11, 2025
Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.
XSS
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-13159
7.5 - High
- January 14, 2025
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Absolute Path Traversal
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-13160
7.5 - High
- January 14, 2025
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Absolute Path Traversal
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-13161
7.5 - High
- January 14, 2025
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Absolute Path Traversal
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update
CVE-2024-10811
7.5 - High
- January 14, 2025
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Directory traversal
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication
CVE-2024-13181
9.8 - Critical
- January 14, 2025
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This CVE addresses incomplete fixes from CVE-2024-47010.
Directory traversal
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information
CVE-2024-13180
7.5 - High
- January 14, 2025
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011.
Directory traversal
Path Traversal in Ivanti Avalanche before version 6.4.7
CVE-2024-13179
9.8 - Critical
- January 14, 2025
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication.
Directory traversal
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3
CVE-2025-0283
7 - High
- January 08, 2025
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.
Memory Corruption
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3
CVE-2025-0282
9 - Critical
- January 08, 2025
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
Memory Corruption
Ivanti Workspace Control: Local Privilege Escalation via Insecure Permissions
CVE-2024-8496
7.8 - High
- December 11, 2024
Under specific circumstances, insecure permissions in Ivanti Workspace Control before version 10.18.40.0 allows a local authenticated attacker to achieve local privilege escalation.
Incorrect Default Permissions
Ivanti Automation Local Privilege Escalation via Insecure Permissions
CVE-2024-9845
7.8 - High
- December 11, 2024
Under specific circumstances, insecure permissions in Ivanti Automation before version 2024.4.0.1 allows a local authenticated attacker to achieve local privilege escalation.
Incorrect Default Permissions
Ivanti Security Controls Local Privilege Escalation via Insecure Permissions
CVE-2024-10251
7.8 - High
- December 11, 2024
Under specific circumstances, insecure permissions in Ivanti Security Controls before version 2024.4.1 allows a local authenticated attacker to achieve local privilege escalation.
Incorrect Default Permissions
Ivanti Performance Manager Local Privilege Escalation via Insecure Permissions
CVE-2024-11597
7.8 - High
- December 11, 2024
Under specific circumstances, insecure permissions in Ivanti Performance Manager before version 2024.3 HF1, 2024.1 HF1, or 2023.3 HF1 allows a local authenticated attacker to achieve local privilege escalation.
Incorrect Default Permissions
Ivanti Application Control: Local Privilege Escalation via Insecure Permissions
CVE-2024-11598
7.8 - High
- December 11, 2024
Under specific circumstances, insecure permissions in Ivanti Application Control before version 2024.3 HF1, 2024.1 HF2, or 2023.3 HF3 allows a local authenticated attacker to achieve local privilege escalation.
Incorrect Default Permissions
Insufficient server-side controls in Secure Application Manager of Ivanti Connect Secure before version 22.7R2.4
CVE-2024-9844
8.8 - High
- December 10, 2024
Insufficient server-side controls in Secure Application Manager of Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker to bypass restrictions.
SQL injection in the admin web console of Ivanti CSA before version 5.0.3
CVE-2024-11773
7.2 - High
- December 10, 2024
SQL injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.
SQL Injection
Command injection in the admin web console of Ivanti CSA before version 5.0.3
CVE-2024-11772
7.2 - High
- December 10, 2024
Command injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Command Injection
An authentication bypass in the admin web console of Ivanti CSA before 5.0.3
CVE-2024-11639
9.8 - Critical
- December 10, 2024
An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access
Missing Authentication for Critical Function
Argument injection in Ivanti Connect Secure before version 22.7R2.4
CVE-2024-11633
7.2 - High
- December 10, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution
Argument Injection
Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2
CVE-2024-11634
7.2 - High
- December 10, 2024
Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (Not applicable to 9.1Rx)
Command Injection
Ivanti Secure Access Client Privilege Escalation Vulnerability
CVE-2024-37398
7.8 - High
- November 13, 2024
Insufficient validation in Ivanti Secure Access Client before 22.7R4 allows a local authenticated attacker to escalate their privileges.
Ivanti Secure Access Client: Local Privilege Escalation via Improper Bounds Checking
CVE-2024-38654
- November 13, 2024
Improper bounds checking in Ivanti Secure Access Client before version 22.7R3 allows a local authenticated attacker with admin privileges to cause a denial of service.
A race condition in Ivanti Secure Access Client before version 22.7R4
CVE-2024-29211
4.7 - Medium
- November 13, 2024
A race condition in Ivanti Secure Access Client before version 22.7R4 allows a local authenticated attacker to modify sensitive configuration files.
Race Condition
Ivanti Connect Secure IPsec Out-of-Bounds Write Denial of Service Vulnerability
CVE-2024-38649
- November 13, 2024
An out-of-bounds write in IPsec of Ivanti Connect Secure before version 22.7R2.1(Not Applicable to 9.1Rx) allows a remote unauthenticated attacker to cause a denial of service.
Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection
CVE-2024-39712
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Connect Secure and Policy Secure Remote Code Execution via Argument Injection
CVE-2024-39711
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Connect Secure and Policy Secure Remote Code Execution via Argument Injection
CVE-2024-39710
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Connect Secure and Policy Secure Privilege Escalation via Incorrect File Permissions
CVE-2024-39709
- November 13, 2024
Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1 (Not Applicable to 9.1Rx) allow a local authenticated attacker to escalate their privileges.
Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection
CVE-2024-38656
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.2 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection
CVE-2024-38655
7.2 - High
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Endpoint Manager Path Traversal Vulnerability
CVE-2024-34787
7.8 - High
- November 13, 2024
Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-34781
7.2 - High
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-34782
7.2 - High
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-34784
7.2 - High
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Endpoint Manager SQL Injection Vulnerability
CVE-2024-34780
7.2 - High
- November 13, 2024
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.