Ivanti has released security updates to address several critical flaws in its Cloud Services Application (CSA) and Connect Secure products that could lead to privilege escalation and code execution.
The list of vulnerabilities is as follows –
CVE-2024-11639 (CVSS score: 10.0) – An authentication bypass vulnerability in the Administrative Web Console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access
CVE-2024-11772 (CVSS score: 9.1) – A command injection vulnerability in the Ivanti CSA Administrative Web Console before 5.0.3 allows a remote authenticated attacker with administrator privileges to achieve remote code execution
CVE-2024-11773 (CVSS score: 9.1) – A SQL injection vulnerability in the Ivanti CSA Administrative Web Console before 5.0.3 allows a remote authenticated attacker with administrator privileges to run arbitrary SQL statements
CVE-2024-11633 (CVSS score: 9.1) – An argument injection vulnerability in Ivanti Connect Secure before 22.7R2.4 allows a remote authenticated attacker with administrator privileges to achieve remote code execution
CVE-2024-11634 (CVSS score: 9.1) – A command injection vulnerability in Ivanti Connect Secure before 22.7R2.3 and Ivanti Policy Secure before 22.7R1.2 allows a remote authenticated attacker with administrator privileges to achieve remote code execution
CVE-2024-8540 (CVSS score: 8.8) – An insecure permissions vulnerability in Ivanti Sentry before 9.20.2, 10.0.2 or 10.1.0 allows a local authenticated attacker to modify sensitive application components
The shortcomings have been addressed in the versions below –
Ivanti Cloud Services Application 5.0.3
Ivanti Connect Secure 22.7R2.4
Ivanti Policy Secure 22.7R1.2
Ivanti Sentry 9.20.2, 10.0.2, 10.1.0
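For defenders tracking exposure, the fixed versions above can be turned into a simple inventory check. The script below is an added example, not an Ivanti tool or anything from the advisory: it parses Ivanti-style version strings such as 22.7R2.4 into comparable tuples, treats the three Sentry releases as per-branch fixes, and flags any host whose installed version is below the fix for its product. The hostnames and versions in the inventory are constructed sample data, and the rule for Sentry versions outside the three listed branches (compare against the highest listed fix) is an assumption, not something the advisory states.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions as published in the advisory summary above.
# Sentry ships fixes on three branches, so each branch gets its own floor.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "Ivanti Cloud Services Application": ["5.0.3"],
    "Ivanti Connect Secure": ["22.7R2.4"],
    "Ivanti Policy Secure": ["22.7R1.2"],
    "Ivanti Sentry": ["9.20.2", "10.0.2", "10.1.0"],
}

# Constructed sample inventory: (hostname, product, installed version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("vpn-gw-01", "Ivanti Connect Secure", "22.7R2.3"),
    ("vpn-gw-02", "Ivanti Connect Secure", "22.7R2.4"),
    ("csa-01", "Ivanti Cloud Services Application", "5.0.2"),
    ("nac-01", "Ivanti Policy Secure", "22.7R1.2"),
    ("sentry-01", "Ivanti Sentry", "10.0.1"),
    ("sentry-02", "Ivanti Sentry", "9.20.2"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '22.7R2.4' into (22, 7, 2, 4) and '5.0.3' into (5, 0, 3).

    Ivanti's 'R' release marker is treated as just another separator so that
    22.7R2.3 sorts below 22.7R2.4 and 22.7R1.2 sorts below 22.7R2.x.
    (Assumed format; adjust if your inventory records versions differently.)
    """
    parts = re.split(r"[.R]", version.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def required_fix(product: str, version: str) -> str:
    """Return the fixed version that applies to this installed version.

    For products with a single fix the answer is that fix. For Sentry, pick the
    fix on the same major.minor branch; if no branch matches, fall back to the
    highest listed fix (assumption: conservative, flags older branches too).
    """
    fixes = FIXED_VERSIONS[product]
    if len(fixes) == 1:
        return fixes[0]
    branch = parse_version(version)[:2]
    for fix in fixes:
        if parse_version(fix)[:2] == branch:
            return fix
    return max(fixes, key=parse_version)


def is_affected(product: str, version: str) -> bool:
    """True when the installed version is strictly below the applicable fix."""
    return parse_version(version) < parse_version(required_fix(product, version))


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, installed, required) for every host still exposed."""
    findings = []
    for host, product, version in inventory:
        if product not in FIXED_VERSIONS:
            continue  # not covered by this advisory
        if is_affected(product, version):
            findings.append((host, product, version, required_fix(product, version)))
    return findings


if __name__ == "__main__":
    for host, product, installed, required in audit(INVENTORY):
        print(f"{host}: {product} {installed} is below fixed version {required}")
```

Feeding the script a real export from your asset inventory (in place of the constructed `INVENTORY`) gives a first-pass list of appliances still on pre-fix releases; confirm each finding against the appliance itself, since the version strings used here are an assumed format rather than one taken from Ivanti documentation.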
While Ivanti has confirmed that it is not aware of active exploitation of any of the above flaws, it is imperative that users take quick action as many previous vulnerabilities in its products have been exploited by state-sponsored attackers to conduct malicious activities.