Thursday, February 13, 2025

Critical Vulnerabilities Found and Patched in Ivanti Connect, Patch NOW!

Ivanti has rolled out essential security updates to address a cluster of vulnerabilities affecting its Connect Secure (ICS), Policy Secure (IPS), and Secure Access Client (ISAC) products. Among these fixes are patches for three critical severity flaws that could expose organizations to significant risk.

The vulnerabilities were brought to Ivanti's attention through its responsible disclosure program, with contributions from security researchers at CISA and Akamai, as well as reports via the HackerOne bug bounty platform.

While Ivanti states that there are no current reports of active exploitation in the wild, the urgency to apply these security updates cannot be overstated. Organizations using affected versions of Ivanti products are strongly advised to implement these patches immediately.

Critical Vulnerabilities at a Glance

The three critical vulnerabilities patched by Ivanti are:

  • CVE-2025-22467: Stack-Based Buffer Overflow in ICS (Critical Severity: 9.9). This vulnerability, residing in Ivanti Connect Secure, is a stack-based buffer overflow. It allows a remote attacker with authenticated, low-privilege access to execute arbitrary code on the system. The near-maximum severity score of 9.9 highlights the extreme risk associated with this flaw.

  • CVE-2024-38657: Arbitrary File Writing via External Control of Filename in ICS and IPS (Critical Severity: 9.1). Impacting both Ivanti Connect Secure and Policy Secure, this vulnerability stems from external control of a filename. A remote, authenticated attacker can exploit this to perform arbitrary file writing on the system. Successful exploitation could lead to system compromise and data manipulation.

  • CVE-2024-10644: Remote Code Execution via Code Injection in ICS and IPS (Critical Severity: 9.1). Another critical flaw affecting Ivanti Connect Secure and Policy Secure, this code injection vulnerability enables remote, authenticated attackers to achieve remote code execution. This allows malicious actors to gain control of affected systems and carry out a wide range of attacks.

Understanding the Risk: Authenticated Access is Still a Major Concern

While exploitation of these critical vulnerabilities requires attacker authentication, the risk remains substantial. In today's threat landscape, relying solely on the premise of "authenticated access required" offers a false sense of security.

Consider these scenarios:

  • Insider Threats: Malicious insiders or disgruntled employees with legitimate credentials can exploit these vulnerabilities from within the network.
  • Credential Compromise: Attackers frequently employ phishing campaigns, previous data breaches, or brute-force attacks to steal user credentials. Once inside, these flaws become readily exploitable.

The potential impact of successful exploitation ranges from data breaches and ransomware deployment to complete system takeover and disruption of critical services.

Beyond Critical: Medium to High Severity Flaws Also Addressed

In addition to the critical issues, Ivanti's security bulletin includes fixes for five more vulnerabilities ranging from medium to high severity. These include:

  • Cross-Site Scripting (XSS) vulnerabilities
  • Hardcoded cryptographic keys
  • Cleartext storage of sensitive data
  • Insufficient permissions issues

These vulnerabilities, while not critical, further broaden the attack surface and should not be ignored.

Affected Products and Upgrade Paths

The vulnerabilities impact the following product versions:

  • Ivanti Connect Secure (ICS): Versions 22.7R2.5 and older
  • Ivanti Policy Secure (IPS): Versions 22.7R1.2 and older
  • Ivanti Secure Access Client (ISAC): Versions 22.7R4 and below

Ivanti has released patched versions to address these issues:

  • ICS Version 22.7R2.6
  • IPS Version 22.7R1.3
  • ISAC Version 22.8R1

Upgrade to these versions is strongly recommended for all affected users.

End-of-Life Notice for Pulse Connect Secure 9.x

Ivanti has explicitly stated that Pulse Connect Secure 9.x, which is also affected, will not receive fixes. This version reached its End of Engineering in June 2024 and End-of-Support on December 31, 2024. Users of Pulse Connect Secure 9.x are urged to migrate to Ivanti Connect Secure version 22.7.
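To triage an asset inventory against the fixed releases listed above, the following added example (not Ivanti's tooling and not part of the original post) parses the version strings numerically and flags anything below the patched release. It assumes the `<major>.<minor>R<release>[.<patch>]` layout seen in the versions above, uses "PCS" as a hypothetical label for Pulse Connect Secure, conservatively treats every version below the fixed release as needing the upgrade, and runs on a constructed sample inventory.

```python
import re

# Fixed releases as listed in the article.
FIXED = {"ICS": "22.7R2.6", "IPS": "22.7R1.3", "ISAC": "22.8R1"}

# Assumed layout: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """'22.7R2.5' -> (22, 7, 2, 5); a missing patch component counts as 0."""
    match = VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())

def patch_status(product, version):
    """Classify one installation against the fixed releases."""
    product = product.upper()
    try:
        parsed = parse_version(version)
    except ValueError:
        return "unparsed version, check manually"
    # Pulse Connect Secure 9.x receives no fix; the article says to migrate.
    if product == "PCS" and parsed[0] == 9:
        return "unsupported, migrate to ICS 22.7"
    if product not in FIXED:
        return "unknown product, check manually"
    # Numeric tuple comparison, so 22.7R2.10 correctly sorts after 22.7R2.6.
    if parsed < parse_version(FIXED[product]):
        return f"upgrade to {FIXED[product]}"
    return "patched"

def audit(inventory):
    """Return (host, product, version, status) for every host not patched."""
    rows = [(h, p, v, patch_status(p, v)) for h, p, v in inventory]
    return [row for row in rows if row[3] != "patched"]

# Constructed sample inventory (hostnames and versions are hypothetical).
SAMPLE_INVENTORY = [
    ("vpn-gw-01", "ICS", "22.7R2.5"),
    ("vpn-gw-02", "ICS", "22.7R2.6"),
    ("nac-01", "IPS", "22.7R1.2"),
    ("laptop-117", "ISAC", "22.7R4"),
    ("legacy-vpn", "PCS", "9.1R18"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Comparing the raw strings instead of the parsed tuples would misorder releases such as 22.7R2.10 and 22.7R2.6, which is why the parser is worth the extra lines.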

Immediate Action Required: Patch Now

Ivanti has not provided any workarounds or mitigations for these vulnerabilities other than applying the security updates. Therefore, the only recommended solution is to immediately patch all affected Ivanti Connect Secure, Policy Secure, and Secure Access Client instances to the latest versions.

Delaying these updates puts your organization at significant and unnecessary risk. Prioritize patching now to secure your systems and data.
