Home

Description

Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

PUBLISHED Reserved 2024-06-28 | Published 2024-11-13 | Updated 2024-12-01 | Assigner hackerone




CRITICAL: 9.1CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Product status

Default status
unaffected

22.7R2.1 (custom) before 22.7R2.1
affected

9.1R18.7 (custom) before 9.1R18.7
affected

Default status
unaffected

22.7R1.1 (custom) before 22.7R1.1
affected

References

forums.ivanti.com/...Secure-Access-Client-ISAC-Multiple-CVEs

cve.org (CVE-2024-39712)

nvd.nist.gov (CVE-2024-39712)