Ivanti: Critical code smuggling vulnerabilities in VPN and CSA
There are critical vulnerabilities in Ivanti's VPN software ICS, IPS and ISAC as well as in Ivanti CSA. Attackers can plant malicious code.
Ivanti warns of several security vulnerabilities, some of them critical, in the VPN software Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) as well as in Ivanti Cloud Services Application (CSA). Attackers can misuse the vulnerabilities to inject malicious code, the company explains.
A security advisory from Ivanti lists the vulnerabilities in ICS, IPS and ISAC. The most serious of these is a stack-based buffer overflow that allows logged-in users to execute arbitrary code remotely (CVE-2025-22467, CVSS 9.9, risk "critical"). Ivanti does not discuss details of the vulnerability, such as how malicious actors can exploit it.
Other critical vulnerabilities
In addition, logged-in users with admin rights can write arbitrary files using externally controllable file names (CVE-2024-38657, CVSS 9.1, critical). Attackers can also inject code in an unspecified way (CVE-2024-10644, CVSS 9.1, critical).
These and other vulnerabilities listed in the security advisory (CVE-2024-13813, CVSS 7.1, high; CVE-2024-12058, CVSS 6.8, medium; CVE-2024-13830, CVSS 6.1, medium; CVE-2024-13842, CVE-2024-13843, both CVSS 6.0, medium) affect Ivanti Connect Secure (ICS) before version 22.7R2.6, Ivanti Policy Secure (IPS) before 22.7R1.3 and Ivanti Secure Access Client (ISAC) before 22.8R1.
Critical vulnerability in Cloud Services Application
Ivanti also warns of a critical vulnerability in the Cloud Services Application (CSA). Authenticated attackers with admin rights can pass commands to the operating system and thus smuggle in and execute arbitrary malicious code (CVE-2024-47908, CVSS 9.1, critical). Attackers can also exploit a path traversal vulnerability without prior login to access restricted functions (CVE-2024-11771, CVSS 5.3, medium). Ivanti CSA 5.0.5 fixes these vulnerabilities.
Ivanti writes that the company is not yet aware of any exploitation of these vulnerabilities in the wild. Nevertheless, IT managers should download and install the updates as soon as possible because of the serious severity ratings.
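To find installations that still need these updates, the following added example (not code from Ivanti or from the article) compares installed versions against the fixed releases named above. The inventory, the host names and the rule that every CSA build below 5.0.5 counts as affected are assumptions made for illustration.

```python
import re

# Fixed versions as stated in the article. Treating every CSA build below
# 5.0.5 as affected is an assumption; the article only names the fixed release.
FIXED = {"ICS": "22.7R2.6", "IPS": "22.7R1.3", "ISAC": "22.8R1", "CSA": "5.0.5"}

def parse_version(text):
    """Turn '22.7R2.6' or '5.0.5' into a tuple of ints, zero-padded to 4 parts."""
    if not re.fullmatch(r"\d+(\.\d+)*(R\d+(\.\d+)*)?", text.strip(), re.I):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(n) for n in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (4 - len(parts)))

def needs_update(product, version):
    """True if the version is older than the fixed release for that product."""
    fixed = FIXED.get(product.upper())
    if fixed is None:
        raise KeyError(f"no fixed version known for product {product!r}")
    return parse_version(version) < parse_version(fixed)

def audit(inventory):
    """Return (host, product, version, fixed) for every entry still to patch.
    Entries that cannot be evaluated are flagged for manual review instead
    of being silently treated as up to date."""
    findings = []
    for host, product, version in inventory:
        try:
            if needs_update(product, version):
                findings.append((host, product, version, FIXED[product.upper()]))
        except (KeyError, ValueError):
            findings.append((host, product, version, "CHECK MANUALLY"))
    return findings

# Constructed sample inventory; host names and installed versions are made up.
SAMPLE = [
    ("vpn-gw-01", "ICS", "22.7R2.5"),
    ("vpn-gw-02", "ICS", "22.7R2.6"),
    ("nac-01", "IPS", "22.7R1.2"),
    ("laptop-pool", "ISAC", "22.8R1"),
    ("csa-01", "CSA", "5.0.4"),
    ("vpn-gw-03", "ICS", "unknown"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-12s %-5s %-10s -> %s" % row)
```

The comparison is purely numeric per component, so it only reflects the "before version X" thresholds given in the article and knows nothing about separately maintained release branches.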
Vulnerabilities in Ivanti products are very popular with cyber criminals. At the beginning of January, for example, malicious actors abused a code-smuggling vulnerability in Ivanti Connect Secure to compromise networks.
(dmk)