Ivanti patches another round of critical flaws in Connect Secure and Policy Secure
Take action: If you are using Connect Secure, Policy Secure, Cloud Services Application or Secure Access Client, time for an urgent patch. Prioritize Connect Secure and Secure Access Client, then Policy Secure. No real mitigations on these, most of these systems are exposed to the public by default. Don't delay.
Learn More
Ivanti has released critical security updates for multiple products including Connect Secure (ICS), Policy Secure (IPS), Cloud Services Application (CSA), and Secure Access Client (ISAC). These updates address several critical vulnerabilities.
- CVE-2025-22467 (CVSS score 9.9) - Stack-based buffer overflow in Connect Secure, enabling remote authenticated attackers to achieve remote code execution
- CVE-2024-38657 (CVSS score 9.1) - External control of a file name vulnerability in Connect Secure and Policy Secure, allowing remote authenticated attackers with admin privileges to write arbitrary files
- CVE-2024-10644 (CVSS score 9.1) - Code injection vulnerability in Connect Secure and Policy Secure, allowing remote authenticated attackers with admin privileges to achieve remote code execution
- CVE-2024-47908 (CVSS score 9.1) - Operating system command injection in CSA's admin web console, enabling remote authenticated attackers with admin privileges to achieve remote code execution
The vulnerabilities have been addressed in the following updated versions:
- Ivanti Connect Secure 22.7R2.6
- Ivanti Policy Secure 22.7R1.3
- Ivanti CSA 5.0.5
- Ivanti Secure Access Client 22.8R1
While Ivanti states they are not aware of any exploitation of the newly disclosed vulnerabilities, they acknowledge their edge products have been "targeted and exploited by sophisticated threat actor attacks."
Ivanti strongly recommends that all customers upgrade to the latest versions immediately through their download portal: https://portal.ivanti.com/
