Ivanti Connect Secure
By the Year
In 2026 there have been 0 vulnerabilities in Ivanti Connect Secure. Last year, in 2025, Connect Secure had 20 security vulnerabilities published. Right now, Connect Secure is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 20 | 5.82 |
| 2024 | 34 | 7.31 |
| 2023 | 3 | 7.50 |
| 2022 | 4 | 6.90 |
| 2021 | 12 | 7.71 |
| 2020 | 17 | 7.20 |
| 2019 | 20 | 7.59 |
| 2018 | 2 | 0.00 |
It may take a day or so for new Connect Secure vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Ivanti Connect Secure Security Vulnerabilities
Ivanti Connect Secure & Policy Secure Buffer Over-Read DoS (CVE-2025-5456)
CVE-2025-5456
- August 12, 2025
A buffer over-read vulnerability in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to trigger a denial of service. CWE-125
Out-of-bounds Read
Ivanti Connect Secure DoS via Heap Buffer Overflow before 22.8R2
CVE-2025-5462
- August 12, 2025
A heap-based buffer overflow in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to trigger a denial of service.
Heap-based Buffer Overflow
XEE-induced DoS in Ivanti Connect Secure pre-22.7R2.8 & related products
CVE-2025-5466
- August 12, 2025
XEE in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with admin privileges to trigger a denial of service.
XEE
CVE-2025-5468 Local Auth File Read via Symlink in Ivanti Connect Secure <=22.8
CVE-2025-5468
- August 12, 2025
Improper handling of symbolic links in Ivanti Connect Secure before version 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a local authenticated attacker to read arbitrary files on disk.
Symlink following
SSRF in Ivanti Connect Secure <22.7R2.8 / Ivanti Policy Secure <22.7R1.5
CVE-2025-0292
4.9 - Medium
- July 08, 2025
SSRF in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to access internal network services.
SSRF
Ivanti Connect Secure <22.7R2.8: Local Auth Can Log Sensitive Info
CVE-2025-5464
5.5 - Medium
- July 08, 2025
Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 allows a local authenticated attacker to obtain that information.
Insertion of Sensitive Information into Log File
CVE-2025-0293 CRLF Injection in Ivanti Connect Secure <22.7R2.8 writes config
CVE-2025-0293
2.7 - Low
- July 08, 2025
CRLF injection in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to write to a protected configuration file on disk.
CRLF Injection
Improper Access Control in Ivanti Connect Secure (<22.7R2.8) & Policy Secure (<22.7R1.5)
CVE-2025-5450
2.7 - Low
- July 08, 2025
Improper access control in the certificate management component of Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated admin with read-only rights to modify settings that should be restricted.
Client-Side Enforcement of Server-Side Security
Stack Overflow in Ivanti Connect Secure <22.7R2.8 & Policy Secure <22.7R1.5, Admin DoS
CVE-2025-5451
- July 08, 2025
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to trigger a denial of service.
Memory Corruption
Sensitive info in logs in Ivanti Connect Secure <22.7R2.8 (CVE-2025-5463)
CVE-2025-5463
- July 08, 2025
Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a local authenticated attacker to obtain that information.
Insertion of Sensitive Information into Log File
Buf overflow Ivanti Connect Secure <22.7, Policy Secure <22.7 ZTA Gateways <22.8
CVE-2025-22457
9 - Critical
- April 03, 2025
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.
Stack Overflow
Arbitrary File Write via External Filename Control in Ivanti Connect Secure <22.7R2.4
CVE-2024-38657
4.9 - Medium
- February 21, 2025
External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files.
Auth File Read via External File Name Control in Ivanti ConnSec <22.7R2.6
CVE-2024-12058
4.9 - Medium
- February 11, 2025
External control of a file name in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to read arbitrary files.
External Control of File Name or Path
Ivanti Connect/Policy Secure Code Injection RCE (pre-22.7R2.4/22.7R1.3)
CVE-2024-10644
7.2 - High
- February 11, 2025
Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Code Injection
Ivanti Connect Secure <=22.7R2.3 Hardcoded Encryption Key Exploitable by Admins
CVE-2024-13842
4.4 - Medium
- February 11, 2025
A hardcoded key in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.3 allows a local authenticated attacker with admin privileges to read sensitive data.
Use of Hard-coded Cryptographic Key
Cleartext Storage in Ivanti ConnectSecure <22.7R2.6 / PolicySecure <22.7R1.3
CVE-2024-13843
4.4 - Medium
- February 11, 2025
Cleartext storage of information in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a local authenticated attacker with admin privileges to read sensitive data.
Cleartext Storage of Sensitive Information
Buffer Overflow in Ivanti Connect Secure <22.7R2.6 RCE
CVE-2025-22467
8.8 - High
- February 11, 2025
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution.
Stack Overflow
Ivanti Connect Secure & Policy Secure XSS <22.7R2.6/R1.3
CVE-2024-13830
6.1 - Medium
- February 11, 2025
Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.
XSS
Ivanti Connect Secure <=22.7R2.5 Buffer Overflow RCE
CVE-2025-0282
9 - Critical
- January 08, 2025
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
Stack Overflow
Local Auth Priv Esc via Stack Overflow in Ivanti Connect Secure <22.7R2.5
CVE-2025-0283
7 - High
- January 08, 2025
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.
Memory Corruption
Heap Buffer Overflow in IPsec of Ivanti Connect Secure <22.7R2.3 (DoS)
CVE-2024-37377
- December 12, 2024
A heap-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service.
IPsec OOB Read in Ivanti Connect Secure v<22.7R2.1 Denies Service
CVE-2024-37401
- December 12, 2024
An out-of-bounds read in IPsec of Ivanti Connect Secure before version 22.7R2.1 allows a remote unauthenticated attacker to cause a denial of service.
Argument injection RCE in Ivanti Connect Secure <22.7R2.4
CVE-2024-11633
7.2 - High
- December 10, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Argument Injection
Command Injection in Ivanti Connect Secure <22.7R2.3 & Policy Secure <22.7R1.2
CVE-2024-11634
7.2 - High
- December 10, 2024
Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (Not applicable to 9.1Rx)
Command Injection
Ivanti Connect Secure <22.7R2.4: Authenticated Remote Bypass of Secure AppMgr Controls
CVE-2024-9844
8.8 - High
- December 10, 2024
Insufficient server-side controls in Secure Application Manager of Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker to bypass restrictions.
Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection
CVE-2024-39712
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Connect Secure and Policy Secure Remote Code Execution via Argument Injection
CVE-2024-39711
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Connect Secure and Policy Secure Remote Code Execution via Argument Injection
CVE-2024-39710
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Connect Secure and Policy Secure Privilege Escalation via Incorrect File Permissions
CVE-2024-39709
- November 13, 2024
Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1 (Not Applicable to 9.1Rx) allow a local authenticated attacker to escalate their privileges.
Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection
CVE-2024-38656
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.2 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Connect Secure Out-of-Bounds Read Denial of Service Vulnerability
CVE-2024-37400
- November 13, 2024
An out-of-bounds read in Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to trigger an infinite loop, causing a denial of service.
Ivanti Connect Secure IPsec Out-of-Bounds Write Denial of Service Vulnerability
CVE-2024-38649
7.5 - High
- November 13, 2024
An out-of-bounds write in IPsec of Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) allows a remote unauthenticated attacker to cause a denial of service.
Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection
CVE-2024-38655
7.2 - High
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
XSS in Ivanti Connect Secure <22.7R2.1 & Policy Secure <22.7R1.1 Enables Admin Priv Esc
CVE-2024-11004
6.1 - Medium
- November 12, 2024
Reflected XSS in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.
XSS
Command Injection in Ivanti Connect Secure/Policy Secure <22.7 - RCE
CVE-2024-11005
7.2 - High
- November 12, 2024
Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Shell injection
Ivanti Connect Secure <22.7R2.1 Cmd Inject RCE
CVE-2024-11006
7.2 - High
- November 12, 2024
Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Shell injection
Ivanti Connect Secure and Policy Secure Stack-Based Buffer Overflow Vulnerability
CVE-2024-47909
4.9 - Medium
- November 12, 2024
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to cause a denial of service.
Memory Corruption
Ivanti Connect Secure IPsec Stack-Based Buffer Overflow Vulnerability
CVE-2024-47907
7.5 - High
- November 12, 2024
A stack-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service.
Memory Corruption
Ivanti Connect Secure and Policy Secure Privilege Escalation Vulnerability
CVE-2024-47906
7.8 - High
- November 12, 2024
Excessive binary privileges in Ivanti Connect Secure before version 22.7R2.3 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.2 (Not Applicable to 9.1Rx) allows a local authenticated attacker to escalate privileges.
Ivanti Connect Secure and Policy Secure Stack-Based Buffer Overflow Vulnerability
CVE-2024-47905
4.9 - Medium
- November 12, 2024
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to cause a denial of service.
Memory Corruption
DoS via NPE in Ivanti Connect Secure <22.7R2.1 & Policy Secure <22.7R1.1
CVE-2024-8495
7.5 - High
- November 12, 2024
A null pointer dereference in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to cause a denial of service.
NULL Pointer Dereference
UAF in Ivanti Connect Secure <22.7R2.3, 9.1R18.9 & Policy Secure <22.7R1.2
CVE-2024-9420
8.8 - High
- November 12, 2024
A use-after-free in Ivanti Connect Secure before version 22.7R2.3 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker to achieve remote code execution.
Dangling pointer
Command Injection in Ivanti Connect Secure & Policy Secure 22.7R2.1 (R1.1)
CVE-2024-11007
7.2 - High
- November 12, 2024
Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Shell injection
RCE via Improper Input in Ivanti Connect Secure Admin before 22.7R2.1
CVE-2024-37404
- October 18, 2024
Improper Input Validation in the admin portal of Ivanti Connect Secure before 22.7R2.1 and 9.1R18.9, or Ivanti Policy Secure before 22.7R1.1 allows a remote authenticated attacker to achieve remote code execution.
CVE-2023-38551: CRLF Injection in Ivanti Connect Secure Enables XSS
CVE-2023-38551
- May 31, 2024
A CRLF Injection vulnerability in Ivanti Connect Secure (9.x, 22.x) allows an authenticated high-privileged user to inject malicious code on a victim's browser, thereby leading to a cross-site scripting attack.
Heap overflow in Ivanti Connect Secure IPSec allowing DoS / code exec
CVE-2024-21894
9.8 - Critical
- April 04, 2024
A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack. In certain conditions this may lead to execution of arbitrary code.
Memory Corruption
Heap overflow in IPSec of Ivanti Connect Secure
CVE-2024-22053
8.2 - High
- April 04, 2024
A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack or, in certain conditions, read contents from memory.
Memory Corruption
XEE DoS in Ivanti Connect Secure SAML component
CVE-2024-22023
5.3 - Medium
- April 04, 2024
An XML entity expansion or XEE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion, thereby resulting in a limited-time DoS.
NULL Pointer Dereference
Null Pointer Deref in Ivanti Connect Secure IPSec Causing DoS
CVE-2024-22052
7.5 - High
- April 04, 2024
A null pointer dereference vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack.
NULL Pointer Dereference
XXE in Ivanti Connect Secure SAML (no auth)
CVE-2024-22024
8.3 - High
- February 13, 2024
An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways allows an attacker to access certain restricted resources without authentication.
XXE