Ivanti - SA:CVE-2024-21894 (Heap Overflow), CVE-2024-22052 (Null Pointer Dereference), CVE-2024-22053 (Heap Overflow), CVE-2024-22023 (XML entity expansion or XXE) and CVE-2024-29205 for Ivanti Connect Secure and Ivanti Policy Secure Gateways
Created on 2025-05-12 06:22, updated on 2025-05-12 06:22, by Alexandre DulaunoyDescription
Vulnerabilities have been discovered in Ivanti Connect Secure (ICS), (formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways and a patch is available now. These vulnerabilities impact all supported versions – Version 9.x and 22.x (refer to Granular Software Release EOL Timelines and Support Matrix for supported versions).
We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.
Refer to KB43892 – What releases will Pulse Secure apply fixes to resolve security vulnerabilities for our End of Engineering (EOE) and End of Life (EOL) policies.
| CVE | Description | CVSS | Vector |
|---|---|---|---|
| CVE-2024-21894 | A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack. In certain conditions this may lead to execution of arbitrary code | 8.2 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |
| CVE-2024-22052 | A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2024-22053 | A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack or in certain conditions read contents from memory. |
8.2 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |
| CVE-2024-22023 | An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in-order-to temporarily cause resource exhaustion thereby resulting in a limited-time DoS. | 5.3 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CVE-2024-29205 | An Improper Check for Unusual Exceptional Conditions vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a remote unauthenticated attacker to send specially crafted requests in order to cause service disruptions. | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Update 17 April: An issue that was initially identified as a product defect, disclosed in the release notes, and fixed in the patch released on 3 April has since been identified as a security issue and we are reporting it as CVE-2024-29205. Customers who have applied the patch released on 3 April are protected from this vulnerability, and no other action is required. Following the public disclosure, we are aware of a limited number of customers who have been impacted by this vulnerability.
Vulnerabilities included in this bundle
Combined detection rules
Detection rules are retrieved from Rulezet.
Combined sightings
| Author | Vulnerability | Source | Type | Date |
|---|