Ivanti has issued a warning to its customers regarding a significant security vulnerability present in its Connect Secure, Policy Secure, and ZTA gateway devices. This flaw, identified as CVE-2024-22024 and rated 8.3 out of 10 on the CVSS scoring system, enables attackers to circumvent authentication protocols.
According to Ivanti, the vulnerability stems from an XML external entity (XXE) flaw within the SAML component of Ivanti Connect Secure (versions 9.x, 22.x), Ivanti Policy Secure (versions 9.x, 22.x), and ZTA gateways. Exploitation of this vulnerability grants unauthorized access to restricted resources.
The company uncovered this issue during an internal review as part of its continuous investigation into various security weaknesses discovered since the beginning of the year. Notable vulnerabilities include CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893.
Affected versions of the products are as follows:
- Ivanti Connect Secure: 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1
- Ivanti Policy Secure: 22.5R1.1
- ZTA: 22.6R1.3
To address CVE-2024-22024, patches have been released for:
- Connect Secure versions: 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, and 22.6R2.2
- Policy Secure versions: 9.1R17.3, 9.1R18.4, and 22.5R1.2
- ZTA versions: 22.5R1.6, 22.6R1.5, and 22.6R1.7
While Ivanti has not observed any active exploitation of the vulnerability, given the widespread abuse of CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, prompt application of the latest fixes is strongly recommended.
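For the XXE class of flaw in SAML handling described above, the general defence in any service that accepts SAML messages is to refuse a message that carries a DTD before any entity can be declared or expanded. The following is an added example, not Ivanti's code or its fix; the function names, the exception class and both sample messages are constructed for illustration.

```python
import base64
import binascii
from xml.parsers import expat

# Constructed sample inputs (not taken from any real deployment).
CLEAN_SAMPLE = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                b'ID="_constructed1" Version="2.0"/>')
DTD_SAMPLE = b'<!DOCTYPE r [<!ENTITY e "constructed">]><r>&e;</r>'


class UnsafeSamlXml(ValueError):
    """Raised when a SAML message must not be handed to the SAML stack."""


def check_saml_xml(xml_bytes: bytes) -> str:
    """Return the root element name, or raise UnsafeSamlXml.

    Parsing aborts at the first DOCTYPE, so no entity (internal or
    external) is ever declared, resolved or expanded.
    """
    root = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeSamlXml(f"DOCTYPE declaration not allowed (root {name!r})")

    def on_start(name, attrs):
        if not root:
            root.append(name)  # remember only the outermost element

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise UnsafeSamlXml(f"malformed XML: {exc}") from exc
    return root[0]


def check_saml_post_binding(b64_value: str) -> str:
    """Validate the base64 SAMLResponse form field of the HTTP-POST binding."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise UnsafeSamlXml("SAMLResponse is not valid base64") from exc
    return check_saml_xml(raw)
```

A check like this is defence in depth for services you build or operate yourself; on the affected Ivanti products the remedy remains the patched releases listed above.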