PT-2024-8721 · Ivanti · Ivanti Policy Secure+1
Published
2024-11-11
·
Updated
2025-01-17
·
CVE-2024-11006
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Ivanti Connect Secure versions prior to 22.7R2.1
Ivanti Policy Secure versions prior to 22.7R1.1
Description
The issue is related to incorrect input handling in Ivanti Connect Secure and Ivanti Policy Secure, allowing a remote attacker to execute arbitrary code by sending a specially crafted request. This can lead to remote code execution. A command injection vulnerability in these products enables a remote authenticated attacker with admin privileges to achieve this.
Recommendations
For Ivanti Connect Secure versions prior to 22.7R2.1, update to version 22.7R2.1 or later to resolve the issue.
For Ivanti Policy Secure versions prior to 22.7R1.1, update to version 22.7R1.1 or later to resolve the issue.
As a temporary workaround, consider restricting access to admin privileges to minimize the risk of exploitation.
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ivanti Connect Secure
Ivanti Policy Secure