VYPR

Policy Secure

by Ivanti

CVEs (59)

  • CVE-2024-39709 (High), Nov 13, 2024
    risk 0.51, cvss 7.8, epss 0.00

    Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1 (Not Applicable to 9.1Rx) allow a local authenticated attacker to escalate their privileges.

  • CVE-2024-47906 (High), Nov 12, 2024
    risk 0.51, cvss 7.8, epss 0.00

    Excessive binary privileges in Ivanti Connect Secure before version 22.7R2.3 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.2 (Not Applicable to 9.1Rx) allow a local authenticated attacker to escalate privileges.

  • CVE-2024-8495 (High), Nov 12, 2024
    risk 0.49, cvss 7.5, epss 0.01

    A null pointer dereference in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to cause a denial of service.

  • CVE-2024-29205 (High), Apr 25, 2024
    risk 0.49, cvss 7.5, epss 0.02

    An Improper Check for Unusual or Exceptional Conditions vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a remote unauthenticated attacker to send specially crafted requests in order to cause service disruptions.

  • CVE-2024-22052 (High), Apr 4, 2024
    risk 0.49, cvss 7.5, epss 0.04

    A null pointer dereference vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack.

  • CVE-2022-35258 (High), Dec 5, 2022
    risk 0.49, cvss 7.5, epss 0.03

    An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust…

  • CVE-2022-35254 (High), Dec 5, 2022
    risk 0.49, cvss 7.5, epss 0.03

    An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust…

  • CVE-2025-0283 (High), Jan 8, 2025
    risk 0.47, cvss 7.0, epss 0.17

    A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.

  • CVE-2024-38655 (High), Nov 13, 2024
    risk 0.47, cvss 7.2, epss 0.02

    Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-12058 (Medium), Feb 11, 2025
    risk 0.44, cvss 6.8, epss 0.01

    External control of a file name in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to read arbitrary files.

  • CVE-2025-0293 (Medium), Jul 8, 2025
    risk 0.43, cvss 6.6, epss 0.00

    CRLF injection in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to write to a protected configuration file on disk.

  • CVE-2025-5450 (Medium), Jul 8, 2025
    risk 0.41, cvss 6.3, epss 0.00

    Improper access control in the certificate management component of Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated admin with read-only rights to modify settings that should be restricted.

  • CVE-2024-13830 (Medium), Feb 11, 2025
    risk 0.40, cvss 6.1, epss 0.01

    Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.

  • CVE-2024-11004 (Medium), Nov 12, 2024
    risk 0.40, cvss 6.1, epss 0.01

    Reflected XSS in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.

  • CVE-2024-13843 (Medium), Feb 11, 2025
    risk 0.39, cvss 6.0, epss 0.00

    Cleartext storage of information in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a local authenticated attacker with admin privileges to read sensitive data.

  • CVE-2024-13842 (Medium), Feb 11, 2025
    risk 0.39, cvss 6.0, epss 0.00

    A hardcoded key in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.3 allows a local authenticated attacker with admin privileges to read sensitive data.

  • CVE-2025-0292 (Medium), Jul 8, 2025
    risk 0.36, cvss 5.5, epss 0.01

    SSRF in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to access internal network services.

  • CVE-2025-5463 (Medium), Jul 8, 2025
    risk 0.36, cvss 5.5, epss 0.00

    Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a local authenticated attacker to obtain that information.

  • CVE-2024-22023 (Medium), Apr 4, 2024
    risk 0.35, cvss 5.3, epss 0.03

    An XML entity expansion or XEE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion thereby resulting in a…

  • CVE-2023-39339 (Medium), Jul 12, 2025
    risk 0.32, cvss 4.9, epss 0.01

    A vulnerability exists on all versions of Ivanti Policy Secure below 22.6R1 where an authenticated administrator can perform an arbitrary file read via a maliciously crafted web request.