CVE-2024-21894

Name of the Vulnerable Software and Affected Versions Ivanti Connect Secure versions 9.x through 22.x Ivanti Policy Secure versions 9.x through 22.x

Description A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests to crash the service, causing a DoS attack. In certain conditions, this may lead to the execution of arbitrary code. Approximately 16,500 Ivanti Connect Secure and Poly Secure gateways are susceptible to this flaw, with the majority located in the US, Japan, the UK, and other countries.

Recommendations For Ivanti Connect Secure versions 9.x through 22.x: Update to a version that includes the fix for this vulnerability. For Ivanti Policy Secure versions 9.x through 22.x: Update to a version that includes the fix for this vulnerability. As a temporary workaround, consider restricting access to the IPSec component until a patch is available. Avoid using the vulnerable IPSec component in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.