Warning: New Ivanti Auth Bypass Flaw Affects Connect Secure and ZTA Gateways

Cyber Security

Products You May Like

Feb 09, 2024NewsroomVulnerability / Zero Day

Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication.

The issue, tracked as CVE-2024-22024, is rated 8.3 out of 10 on the CVSS scoring system.

“An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication,” the company said in an advisory.

The company said it discovered the flaw during an internal review as part of its ongoing investigation into multiple security weaknesses in the products that have come to light since the start of the year, including CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893.

Cybersecurity

CVE-2024-22024 affects the following versions of the products –

  • Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1)
  • Ivanti Policy Secure (version 22.5R1.1)
  • ZTA (version 22.6R1.3)

Patches for the bug are available in Connect Secure versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, and 22.6R2.2; Policy Secure versions 9.1R17.3, 9.1R18.4, and 22.5R1.2; and ZTA versions 22.5R1.6, 22.6R1.5, and 22.6R1.7.

Ivanti said there is no evidence of active exploitation of the flaw, but with CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 coming under broad abuse, it’s imperative that users move quickly to apply the latest fixes.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Itel Flip One Feature Phone Set to Launch in India in September
Nvidia’s Forecast Dampens AI Enthusiasm in Other Tech Stocks
Oppo Enco X3 Tipped to Launch in China This Year as a Rebranded Version of Flagship OnePlus TWS
iPhone Users Outside the US Can Now Access Apple Intelligence Features in iOS 18.1 Developer Beta 3
NCLT Approves Merger of Viacom 18, Star India After CCI Nod

Leave a Reply

Your email address will not be published. Required fields are marked *