Ivanti Releases Patches for Three Critical Vulnerabilities in Connect Secure and Policy Secure

Friday, February 14, 2025

Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) that address three critical vulnerabilities:

  • CVE-2025-22467 (CVSS 9.9) – A stack-based buffer overflow that allows a remote, authenticated attacker with only low privileges to achieve remote code execution.
  • CVE-2024-38657 (CVSS 9.1) – External control of a file name in ICS and IPS that allows a remote, authenticated attacker with admin privileges to write arbitrary files to the appliance.
  • CVE-2024-10644 (CVSS 9.1) – A code injection flaw in ICS and IPS that allows a remote, authenticated attacker with admin privileges to achieve remote code execution.

All three flaws require authentication before they can be exploited: the two 9.1-rated issues need an administrator account, while CVE-2025-22467 can be triggered from a low-privileged one. That is a weaker barrier than it sounds on an internet-facing VPN gateway; an attacker who obtains valid credentials, whether phished, reused, or previously stolen, could use these flaws to take control of the appliance.

The affected versions are ICS 22.7R2.5 and earlier, IPS 22.7R1.2 and earlier, and ISAC 22.7R4 and earlier. The fixes ship in ICS 22.7R2.6, IPS 22.7R1.3, and ISAC 22.8R1. The same release also addresses further medium- and high-severity issues, including cross-site scripting (XSS) and insecure data storage. Ivanti strongly advises customers to apply the updates as soon as possible.

Ivanti also confirmed that Pulse Connect Secure 9.x is affected. Because that product reached end of support on December 31, 2024, it will not receive patches; customers still running it are advised to migrate to Ivanti Connect Secure 22.7. Ivanti has not published workarounds or other mitigations, so installing the latest patches is the only defense it recommends.
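The practical question after an advisory like this is which appliances and clients in an inventory are still on an affected build. The script below is an added example, not code from Ivanti or from the article: it encodes the fixed versions named above, parses Ivanti's version strings so that components compare numerically (22.7R2.10 is newer than 22.7R2.6, which a plain string comparison gets wrong), and flags the unpatchable Pulse Connect Secure 9.x line separately. The version grammar (MAJOR.MINOR, an R release number, and an optional patch number), the product codes, and the inventory rows are assumptions constructed for illustration.

```python
"""Version triage for the Ivanti February 2025 advisory.

Added example, not Ivanti's or BleepingComputer's code. The product/fixed-version
pairs are the ones named in the article; the version grammar used for comparison
(MAJOR.MINOR 'R' RELEASE [ '.' PATCH ]) is an assumption, as is the inventory
below, which is constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# First patched build per product, as listed in the advisory summary above.
FIXED_VERSIONS: Dict[str, str] = {
    "ICS": "22.7R2.6",    # Ivanti Connect Secure
    "IPS": "22.7R1.3",    # Ivanti Policy Secure
    "ISAC": "22.8R1",     # Ivanti Secure Access Client
}

# ASSUMPTION: Ivanti builds look like 22.7R2.5 or 22.8R1 (patch number optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5) and '22.8R1' into (22, 8, 1, 0).

    Tuples compare component by component as integers, so 22.7R2.10 ranks
    above 22.7R2.6; comparing the raw strings would rank it below.
    A missing patch number is treated as 0 (assumption).
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(product: str, version: str) -> str:
    """Classify one appliance or client as 'patched', 'vulnerable' or 'unsupported'.

    'unsupported' covers the Pulse Connect Secure 9.x line, which the advisory
    says is affected but will not be patched (end of support 2024-12-31); the
    only remedy there is migration to Connect Secure 22.7.
    """
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product code: {product!r}")
    installed = parse_version(version)
    # ASSUMPTION: a 9.x build reported under ICS is a legacy Pulse Connect Secure.
    if product == "ICS" and installed[0] == 9:
        return "unsupported"
    fixed = parse_version(FIXED_VERSIONS[product])
    return "patched" if installed >= fixed else "vulnerable"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Run assess() over (host, product, version) rows, worst findings first."""
    order = {"unsupported": 0, "vulnerable": 1, "patched": 2}
    rows = [(host, product, version, assess(product, version))
            for host, product, version in inventory]
    return sorted(rows, key=lambda r: (order[r[3]], r[0]))


# Constructed inventory for illustration; hostnames and builds are made up.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("vpn-edge-1", "ICS", "22.7R2.5"),   # last affected ICS build
    ("vpn-edge-2", "ICS", "22.7R2.6"),   # first patched ICS build
    ("vpn-edge-3", "ICS", "22.7R2.10"),  # newer than the fix; string compare would misflag it
    ("nac-1", "IPS", "22.7R1.2"),
    ("nac-2", "IPS", "22.7R1.3"),
    ("laptop-17", "ISAC", "22.7R4"),
    ("laptop-18", "ISAC", "22.8R1"),
    ("legacy-pulse", "ICS", "9.1R18"),   # Pulse Connect Secure 9.x: end of support
]

if __name__ == "__main__":
    for host, product, version, status in triage(SAMPLE_INVENTORY):
        print(f"{status:<12} {host:<14} {product:<5} {version}")
```

Feed it the output of whatever asset inventory you trust (the admin console version string, or the value your vulnerability scanner reports); anything that comes back "vulnerable" or "unsupported" is an appliance reachable with stolen credentials, and the "unsupported" rows have no patch to wait for.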

Source: https://www.bleepingcomputer.com/news/security/ivanti-fixes-three-critical-flaws-in-connect-secure-and-policy-secure/