{"id":825,"date":"2025-04-23T05:51:22","date_gmt":"2025-04-23T05:51:22","guid":{"rendered":"http:\/\/localhost\/?p=825"},"modified":"2025-04-23T05:51:22","modified_gmt":"2025-04-23T05:51:22","slug":"february-security-advisory-ivanti-connect-secure-icsivanti-policy-secure-ips-and-ivanti-secure-acces","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=825","title":{"rendered":"February Security Advisory Ivanti Connect Secure (ICS),Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs)"},"content":{"rendered":"
\n

Vulnerability Details<\/h2>\n
\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Title<\/th>\nFebruary Security Advisory Ivanti Connect Secure (ICS),Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs)<\/td>\n<\/tr>\n
Type<\/th>\nivanti<\/td>\n<\/tr>\n
Published<\/th>\n2025-11-02T15:01:15<\/td>\n<\/tr>\n
Last Seen<\/th>\n2025-04-23T07:45:06<\/td>\n<\/tr>\n
CVSS Score<\/th>\n9.9 (CRITICAL)<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVSS v3 Details<\/h3>\n\n\n\n\n\n\n\n\n\n
Attack Vector<\/th>\nNETWORK<\/td>\n<\/tr>\n
Attack Complexity<\/th>\nLOW<\/td>\n<\/tr>\n
Privileges Required<\/th>\nLOW<\/td>\n<\/tr>\n
User Interaction<\/th>\nNONE<\/td>\n<\/tr>\n
Scope<\/th>\nCHANGED<\/td>\n<\/tr>\n
Confidentiality Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Integrity Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Availability Impact<\/th>\nHIGH<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVE Information<\/h3>\n\n\n\n\n
CVE IDs<\/th>\nCVE-2024-10644, CVE-2024-12058, CVE-2024-13813, CVE-2024-13830, CVE-2024-13842, CVE-2024-13843, CVE-2024-38657, CVE-2025-22467<\/td>\n<\/tr>\n
CWE<\/th>\n<\/td>\n<\/tr>\n
Bulletin Family<\/th>\nsoftware<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

Description<\/h3>\n
\n ## **Summary**<\/p>\n

Ivanti has released updates for Ivanti Connect Secure (ICS),Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) which addresses medium, high and critical severity vulnerabilities. <\/p>\n

We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.<\/p>\n

**Vulnerability Details**<\/p>\n

**CVE Number**| **Description**| **CVSS Score (Severity)**| **CVSS Vector**| **CWE**| **Impacted Products**
\n—|—|—|—|—|—
\nCVE-2024-38657| External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files.| 9.1 (Critical)| CVSS:3.0\/AV:N\/AC:L\/PR:H\/UI:N\/S:C\/C:H\/I:H\/A:H| CWE-73| Connect Secure & Policy Secure
\nCVE-2025-22467| A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution.| 9.9 (Critical) | CVSS:3.0\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H| CWE-121| Connect Secure
\nCVE-2024-10644| Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.| 9.1 (Critical)| CVSS:3.0\/AV:N\/AC:L\/PR:H\/UI:N\/S:C\/C:H\/I:H\/A:H| CWE-94| Connect Secure & Policy Secure
\nCVE-2024-12058| External control of a file name in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to read arbitrary files.| 6.8 (Medium)| CVSS:3.0\/AV:N\/AC:L\/PR:H\/UI:N\/S:C\/C:H\/I:N\/A:N| CWE-73| Connect Secure & Policy Secure
\nCVE-2024-13830| Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.| 6.1 (Medium)| CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N| CWE-79| Connect Secure & Policy Secure
\nCVE-2024-13842| A hardcoded key in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.3 allows a local unauthenticated attacker to read sensitive data.| 6.0 (Medium)| CVSS:3.0\/AV:L\/AC:L\/PR:H\/UI:N\/S:C\/C:H\/I:N\/A:N| CWE-321| Connect Secure & Policy Secure
\nCVE-2024-13843| Cleartext storage of information in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a local unauthenticated attacker to read sensitive data.| 6.0 (Medium)| CVSS:3.0\/AV:L\/AC:L\/PR:H\/UI:N\/S:C\/C:H\/I:N\/A:N| CWE-312| Connect Secure & Policy Secure
\nCVE-2024-13813| Insufficient permissions in Ivanti Secure Access Client before version 22.8R1 allows a local authenticated attacker to delete arbitrary files.| 7.1 (High)| CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:H\/A:H| CWE-732| Secure Access Client <\/p>\n

**Affected Versions**<\/p>\n

**Product Name**| **Affected Versions**| **Resolved Versions**| **Patch Availability**
\n—|—|—|—
\nIvanti Connect Secure (ICS) | 22.7R2.5 and below| 22.7R2.6| Download Portal https:\/\/portal.ivanti.com\/
\nIvanti Policy Secure (IPS)| 22.7R1.2 and below| 22.7R1.3| Download Portal https:\/\/portal.ivanti.com\/
\nIvanti Secure Access Client (ISAC)| 22.7R4 and below| 22.8R1| Download Portal https:\/\/portal.ivanti.com\/ <\/p>\n

**Solution**<\/p>\n

These vulnerabilities are resolved on the latest version of the product and can be accessed in the download portal (Login Required):<\/p>\n

* Ivanti Connect Secure 22.7R2.6
\n * Ivanti Policy Secure 22.7R1.3
\n * Ivanti Secure Access Client 22.8R1<\/p>\n

Mitigation or Workaround<\/p>\n

CVE-2025-22467:<\/p>\n

The risk of this vulnerability is greatly reduced if customers follow the below recommendations:<\/p>\n

* Enforce MFA for all users.<\/p>\n

* Ensure host checker policies are enforced to make sure the connections originate from trusted end user sources.<\/p>\n

* Implement certificate-based authentication for all users.<\/p>\n

CVE-2024-38657, CVE-2024-10644, CVE-2024-12058:<\/p>\n

The risk of these vulnerabilities is greatly reduced if customers have management interface access restricted to an internal network, which is Ivanti\u2019s recommendation and industry best practice.<\/p>\n

NOTE: mitigations are temporary measures to allow customers time to patch and may not be complete or could potentially be circumvented with additional effort. Ivanti always advises that customers deploy the fix provided to ensure their environment is protected.<\/p>\n

**Acknowledgements**<\/p>\n

Ivanti would like to thank the following for reporting the relevant issues and for working with Ivanti to help protect our customers:<\/p>\n

* Matthew Galligan, CISA Rapid Action Force (CVE-2024-38657)
\n * Ori David of Akamai (CVE-2024-13842, CVE-2024-13843)
\n * sim0nsecurity of HackerOne (CVE-2024-13813)
\n * n3k From TIANGONG Team of Legendsec at QI-ANXIN Group (CVE-2025-22467)<\/p>\n

_Note: Ivanti is dedicated to ensuring the security and integrity of our enterprise software products. We recognize the vital role that security researchers, ethical hackers, and the broader security community play in identifying and reporting vulnerabilities. Visit_ _HERE_ _to learn more about our Vulnerability Disclosure Policy._<\/p>\n

**FAQ**<\/p>\n

**1\\. Are you aware of any active exploitation of these vulnerabilities?**<\/p>\n

We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program. <\/p>\n

**2\\. How can I tell if I have been compromised?**<\/p>\n

Currently, there is no known public exploitation of this vulnerability that could be used to provide a list of indicators of compromise.<\/p>\n

**3\\. What should I do if I need help?**<\/p>\n

If you have questions after reviewing this information, you can log a case and\/or request a call via the Success Portal.<\/p>\n

**4\\. Are any of these vulnerability fixes backported to any of the 9.x versions?**<\/p>\n

No. The Pulse Connect Secure 9.x version of the product reached End of Engineering June 2024 and has reached End-of-Support as of December 31, 2024. Because of this, the 9.x version of Connect Secure no longer receives backported fixes. We strongly encourage customers to upgrade to Ivanti Connect Secure 22.7 to benefit from important security updates that we have made throughout the solution. <\/p>\n

**5\\. What does it mean when a vulnerability describes remote authenticated attackers?**<\/p>\n

It means that an attacker who is able to interact with the vulnerable component and pass authentication is able to exploit the vulnerability.<\/p>\n

**6\\. Are the 9.1Rx versions of Connect Secure also vulnerable to these CVEs?**<\/p>\n

Yes, and the strategy for addressing this is to migrate to the ISA platform and its 22.7R2.6 version which addresses these vulnerabilities. Please contact your account team for options.<\/p>\n

**7\\. Is there any way to mitigate the vulnerability covered by CVE-2025-22467?**<\/p>\n

Implementing the security best practices covered in https:\/\/forums.ivanti.com\/s\/article\/KB29805 provides confidence that authenticated users are as secure as possible.<\/p><\/div>\n<\/p><\/div>\n

\n

Impact Assessment<\/h3>\n\n\n\n
Base Score<\/th>\n9.9<\/td>\n<\/tr>\n
Severity<\/th>\nCRITICAL<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

View full CVE details<\/a><\/p>\n<\/p><\/div>\n<\/div>\n