Ivanti Policy Secure
By the Year
In 2026 there have been 0 vulnerabilities in Ivanti Policy Secure. Last year, in 2025, Policy Secure had 15 security vulnerabilities published. Right now, Policy Secure is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 15 | 5.60 |
| 2024 | 27 | 7.19 |
| 2023 | 0 | 0.00 |
| 2022 | 2 | 7.50 |
| 2021 | 0 | 0.00 |
| 2020 | 15 | 7.20 |
| 2019 | 2 | 8.80 |
It may take a day or so for new Policy Secure vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Ivanti Policy Secure Security Vulnerabilities
Ivanti Policy Secure <22.6R1 - Auth Admin File Read
CVE-2023-39339
- July 12, 2025
A vulnerability exists on all versions of Ivanti Policy Secure below 22.6R1 where an authenticated administrator can perform an arbitrary file read via a maliciously crafted web request.
SSRF in Ivanti Connect Secure <22.7R2.8 / Ivanti Policy Secure <22.7R1.5
CVE-2025-0292
4.9 - Medium
- July 08, 2025
SSRF in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to access internal network services.
SSRF
CVE-2025-0293 CRLF Injection in Ivanti Connect Secure <22.7R2.8 writes config
CVE-2025-0293
2.7 - Low
- July 08, 2025
CRLF injection in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to write to a protected configuration file on disk.
CRLF Injection
Improper Access Control in Ivanti Connect Secure (<22.7R2.8) & Policy Secure (<22.7R1.5)
CVE-2025-5450
2.7 - Low
- July 08, 2025
Improper access control in the certificate management component of Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated admin with read-only rights to modify settings that should be restricted.
Client-Side Enforcement of Server-Side Security
Stack Overflow in Ivanti Connect Secure <22.7R2.8 & Policy Secure <22.7R1.5, Admin DoS
CVE-2025-5451
- July 08, 2025
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to trigger a denial of service.
Memory Corruption
Sensitive info in logs in Ivanti Connect Secure <22.7R2.8 (CVE-2025-5463)
CVE-2025-5463
- July 08, 2025
Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a local authenticated attacker to obtain that information.
Insertion of Sensitive Information into Log File
Buf overflow Ivanti Connect Secure <22.7, Policy Secure <22.7 ZTA Gateways <22.8
CVE-2025-22457
9 - Critical
- April 03, 2025
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.
Stack Overflow
Arbitrary File Write via External Filename Control in Ivanti Connect Secure <22.7R2.4
CVE-2024-38657
4.9 - Medium
- February 21, 2025
External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files.
Auth File Read via External File Name Control in Ivanti ConnSec <22.7R2.6
CVE-2024-12058
4.9 - Medium
- February 11, 2025
External control of a file name in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to read arbitrary files.
External Control of File Name or Path
Ivanti Connect/Policy Secure Code Injection RCE (pre-22.7R2.4/22.7R1.3)
CVE-2024-10644
7.2 - High
- February 11, 2025
Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Code Injection
Ivanti Connect Secure <=22.7R2.3 Hardcoded Encryption Key Exploitable by Admins
CVE-2024-13842
4.4 - Medium
- February 11, 2025
A hardcoded key in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.3 allows a local authenticated attacker with admin privileges to read sensitive data.
Use of Hard-coded Cryptographic Key
Cleartext Storage in Ivanti ConnectSecure <22.7R2.6 / PolicySecure <22.7R1.3
CVE-2024-13843
4.4 - Medium
- February 11, 2025
Cleartext storage of information in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a local authenticated attacker with admin privileges to read sensitive data.
Cleartext Storage of Sensitive Information
Ivanti Connect Secure & Policy Secure XSS <22.7R2.6/R1.3
CVE-2024-13830
6.1 - Medium
- February 11, 2025
Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.
XSS
Local Auth Priv Esc via Stack Overflow in Ivanti Connect Secure <22.7R2.5
CVE-2025-0283
7 - High
- January 08, 2025
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.
Memory Corruption
Ivanti Connect Secure <=22.7R2.5 Buffer Overflow RCE
CVE-2025-0282
9 - Critical
- January 08, 2025
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
Stack Overflow
IPsec OOB Read in Ivanti Connect Secure v<22.7R2.1 Denies Service
CVE-2024-37401
- December 12, 2024
An out-of-bounds read in IPsec of Ivanti Connect Secure before version 22.7R2.1 allows a remote unauthenticated attacker to cause a denial of service.
Heap Buffer Overflow in IPsec of Ivanti Connect Secure <22.7R2.3 (DoS)
CVE-2024-37377
- December 12, 2024
A heap-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service.
Command Injection in Ivanti Connect Secure <22.7R2.3 & Policy Secure <22.7R1.2
CVE-2024-11634
7.2 - High
- December 10, 2024
Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (Not applicable to 9.1Rx)
Command Injection
Ivanti Connect Secure and Policy Secure Privilege Escalation via Incorrect File Permissions
CVE-2024-39709
- November 13, 2024
Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1 (Not Applicable to 9.1Rx) allow a local authenticated attacker to escalate their privileges.
Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection
CVE-2024-38656
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.2 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection
CVE-2024-38655
7.2 - High
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Connect Secure and Policy Secure: Remote Code Execution via Argument Injection
CVE-2024-39712
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Connect Secure and Policy Secure Remote Code Execution via Argument Injection
CVE-2024-39711
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Ivanti Connect Secure and Policy Secure Remote Code Execution via Argument Injection
CVE-2024-39710
- November 13, 2024
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
XSS in Ivanti Connect Secure <22.7R2.1 & Policy Secure <22.7R1.1 Enables Admin Priv Esc
CVE-2024-11004
6.1 - Medium
- November 12, 2024
Reflected XSS in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.
XSS
Ivanti Connect Secure <22.7R2.1 Cmd Inject RCE
CVE-2024-11006
7.2 - High
- November 12, 2024
Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Shell injection
Command Injection in Ivanti Connect Secure/Policy Secure <22.7 - RCE
CVE-2024-11005
7.2 - High
- November 12, 2024
Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Shell injection
Ivanti Connect Secure and Policy Secure Privilege Escalation Vulnerability
CVE-2024-47906
7.8 - High
- November 12, 2024
Excessive binary privileges in Ivanti Connect Secure before version 22.7R2.3 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.2 (Not Applicable to 9.1Rx) allow a local authenticated attacker to escalate privileges.
Ivanti Connect Secure and Policy Secure Stack-Based Buffer Overflow Vulnerability
CVE-2024-47909
4.9 - Medium
- November 12, 2024
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to cause a denial of service.
Memory Corruption
Ivanti Connect Secure and Policy Secure Stack-Based Buffer Overflow Vulnerability
CVE-2024-47905
4.9 - Medium
- November 12, 2024
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to cause a denial of service.
Memory Corruption
Command Injection in Ivanti Connect Secure & Policy Secure 22.7R2.1 (R1.1)
CVE-2024-11007
7.2 - High
- November 12, 2024
Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Shell injection
DoS via NPE in Ivanti Connect Secure <22.7R2.1 & Policy Secure <22.7R1.1
CVE-2024-8495
7.5 - High
- November 12, 2024
A null pointer dereference in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to cause a denial of service.
NULL Pointer Dereference
UAF in Ivanti Connect Secure <22.7R2.3, 9.1R18.9 & Policy Secure <22.7R1.2
CVE-2024-9420
8.8 - High
- November 12, 2024
A use-after-free in Ivanti Connect Secure before version 22.7R2.3 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker to achieve remote code execution.
Dangling pointer
Heap overflow in Ivanti Connect Secure IPSec allowing DoS / code exec
CVE-2024-21894
9.8 - Critical
- April 04, 2024
A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack. In certain conditions this may lead to execution of arbitrary code.
Memory Corruption
Heap overflow in IPSec of Ivanti Connect Secure
CVE-2024-22053
8.2 - High
- April 04, 2024
A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack or, in certain conditions, read contents from memory.
Memory Corruption
XEE DoS in Ivanti Connect Secure SAML component
CVE-2024-22023
5.3 - Medium
- April 04, 2024
An XML entity expansion or XEE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion, thereby resulting in a limited-time DoS.
NULL Pointer Dereference
Null Pointer Deref in Ivanti Connect Secure IPSec Causing DoS
CVE-2024-22052
7.5 - High
- April 04, 2024
A null pointer dereference vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack.
NULL Pointer Dereference
XXE in Ivanti Connect Secure SAML (no auth)
CVE-2024-22024
8.3 - High
- February 13, 2024
An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways allows an attacker to access certain restricted resources without authentication.
XXE
SSRF in Ivanti Connect Secure SAML Enables Unauthorized Resource Access
CVE-2024-21893
- January 31, 2024
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
SSRF
Privilege Escalation in Ivanti Connect Secure & Policy Secure Web Component
CVE-2024-21888
- January 31, 2024
A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.
Improper Privilege Management
Auth Bypass in Ivanti PolicySecure Web Com (CVE-2023-46805)
CVE-2023-46805
- January 12, 2024
An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
Cmd Injection in Ivanti Connect Secure & Policy Secure Web Components
CVE-2024-21887
- January 12, 2024
A command injection vulnerability in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
Command Injection
IVANTI CONNECT SECURE (ICS) DOS Vulnerability (pre-9.1R14.3/15.2/16.2/22.2)
CVE-2022-35258
7.5 - High
- December 05, 2022
An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1.
Incorrect Calculation
Ivanti Secure DoS (ICS pre-9.1R14.3, IPS pre-9.1R17, Neurons pre-22.3)
CVE-2022-35254
7.5 - High
- December 05, 2022
An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1.
Resource Exhaustion
A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could
CVE-2020-8262
- October 28, 2020
A vulnerability in Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection in the authenticated user web interface.
XSS
Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary cookie injection.
CVE-2020-8261
- October 28, 2020
Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary cookie injection.
Classic Buffer Overflow
An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9
CVE-2020-15352
7.2 - High
- October 27, 2020
An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
XXE
A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could
CVE-2020-8243
7.2 - High
- September 30, 2020
A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload a custom template to perform arbitrary code execution.
Code Injection
A vulnerability in the authenticated user web interface of Pulse Connect Secure and Pulse Policy Secure < 9.1R8.2 could
CVE-2020-8238
- September 30, 2020
A vulnerability in the authenticated user web interface of Pulse Connect Secure and Pulse Policy Secure < 9.1R8.2 could allow attackers to conduct Cross-Site Scripting (XSS).
XSS
An improper authentication vulnerability exists in Pulse Connect Secure <9.1RB
CVE-2020-8206
- July 30, 2020
An improper authentication vulnerability exists in Pulse Connect Secure <9.1RB that allows an attacker with a user's primary credentials to bypass the Google TOTP.
Authentication