First published: Wed Nov 13 2024(Updated: )
Argument injection in Ivanti Connect Secure before version 22.7R2.2 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
Ivanti Connect Secure (ICS) VPN | <22.7R2.2<9.1R18.9 | |
Ivanti Policy Secure | <22.7R1.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2024-38656 is considered critical due to its remote code execution capabilities.
To mitigate CVE-2024-38656, upgrade Ivanti Connect Secure and Ivanti Policy Secure to the latest patched versions.
CVE-2024-38656 affects Ivanti Connect Secure versions before 22.7R2.2 and 9.1R18.9, as well as Ivanti Policy Secure versions before 22.7R1.2 and 9.1R18.9.
A remote authenticated attacker with admin privileges can exploit CVE-2024-38656 to execute malicious code.
The impact of CVE-2024-38656 can lead to unauthorized remote code execution on affected systems.