- 10/2024
- Critical
Ivanti has released security updates to fix two zero-day vulnerabilities across Ivanti Connect Secure (ICS) and Ivanti Policy Secure.
The addressed vulnerabilities could allow the remote attacker to execute arbitrary code, and bypass security restrictions on the affected systems by sending a specially crafted request.
The addressed vulnerabilities:
1. Ivanti ICS and Ivanti Policy Secure Command Execution (CVE-2024-21887):
- CVSS: 9.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Bypass Security
2. Ivanti ICS and Ivanti Policy Secure Security Bypass (CVE-2023-46805):
- CVSS: 8.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Bypass Security
It should be highlighted that security experts have identified zero-day exploitation of these vulnerabilities in the wild by a suspected espionage threat actor.
Vulnerabilities
- CVE-2024-21887
- CVE-2023-46805
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.