Two new vulnerabilities have been disclosed by Ivanti, relating to their Connect Secure, Policy Secure and Neurons for ZTA products and services.
Ivanti Connect Secure & Ivanti Policy Secure (CVE-2024-21888)
CVSS: 8.8 HIGH
Ivanti has disclosed a further vulnerability affecting their Connect Secure and Policy Secure solutions. Impacting all currently supported versions (9.x and 22.x), the vulnerability allows a user (malicious or otherwise) to elevate their current privileges to that of an administrator.
Ivanti Connect Secure, Ivanti Policy Secure & Ivanti Neurons for ZTA (CVE-2024-21893)
CVSS: 8.2 HIGH
A server-side vulnerability exists in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA. When exploited, a threat actor could access certain restricted resources without authenticating.
While no threat actor use of CVE-2024-21888 has yet been discovered, there has been limited, targeted exploitation of CVE-2024-21893. Now that both vulnerabilities are public, exploitation of affected services is expected to increase. It is therefore vital that affected deployments are fully patched and updated to mitigate the risk.
The disclosure of these vulnerabilities follows Ivanti’s investigation into the vulnerabilities disclosed earlier in the month, CVE-2023-46805 and CVE-2024-21887 (previously reported here). Given the volume of vulnerabilities being reported in Ivanti products at this time, threat actors are expected to increase their focus on finding further flaws in order to exploit vulnerable users.