Full Report
Ivanti has released security updates to address multiple security flaws impacting Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA) that could be exploited to achieve arbitrary code execution. The list of vulnerabilities is below - CVE-2024-38657 (CVSS score: 9.1) - External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy
Analysis Summary
This summary covers the Ivanti vulnerabilities detailed in the source report. Other advisories mentioned there (SonicWall, Akamai/Fortinet) are excluded to keep the focus on the Ivanti set.
# Vulnerability: Multiple Critical Flaws in Ivanti ICS, IPS, and CSA Leading to RCE
## CVE Details
- CVE ID: CVE-2024-38657
- CVSS Score: 9.1 (Critical)
- CWE: External control of a file name or extension
- CVE ID: CVE-2025-22467
- CVSS Score: 9.9 (Critical)
- CWE: Stack-based buffer overflow
- CVE ID: CVE-2024-10644
- CVSS Score: 9.1 (Critical)
- CWE: Code injection
- CVE ID: CVE-2024-47908
- CVSS Score: 9.1 (Critical)
- CWE: Operating system command injection
## Affected Systems
- Products: Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), Ivanti Cloud Services Application (CSA)
- Versions:
- ICS: before version 22.7R2.4 (external control of a file name); before version 22.7R2.6 (stack-based buffer overflow)
- IPS: Before version 22.7R1.3
- CSA: Before version 5.0.5
- Configurations: every flaw requires an authenticated attacker; three of the four additionally require administrative privileges, and CVE-2024-47908 is reached through the CSA admin web console.
## Vulnerability Description
This advisory covers four critical vulnerabilities across Ivanti products:
1. **CVE-2024-38657 (File Write):** Allows a remote authenticated attacker with admin privileges to write arbitrary files due to external control over a file name (ICS/IPS).
2. **CVE-2025-22467 (Buffer Overflow):** A stack-based buffer overflow in ICS that allows a remote authenticated attacker to achieve Remote Code Execution (RCE).
3. **CVE-2024-10644 (Code Injection):** Allows a remote authenticated attacker with admin privileges to achieve RCE (ICS/IPS).
4. **CVE-2024-47908 (OS Command Injection):** Allows a remote authenticated attacker with admin privileges to achieve RCE via the admin web console of CSA.
## Exploitation
- Status: Ivanti is **not aware of any** of the flaws being exploited in the wild currently. However, the vendor notes previous weaponization against their edge products by sophisticated threat actors.
- Complexity: Medium. Each flaw requires authentication, and most require admin privileges, so an attacker first needs valid credentials or a compromised admin session; once that is held, each flaw yields RCE or arbitrary file write, so the impact is high.
- Attack Vector: Network (Remote, requiring authentication for most).
## Impact
- Confidentiality: High (RCE allows full system compromise)
- Integrity: High (RCE allows full system compromise or arbitrary file modification)
- Availability: High (RCE can lead to system disruption)
## Remediation
### Patches
- Ivanti Connect Secure (ICS): Version 22.7R2.6 or later.
- Ivanti Policy Secure (IPS): Version 22.7R1.3 or later.
- Ivanti Cloud Services Application (CSA): Version 5.0.5 or later.
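The fixed versions above are easiest to act on as an inventory check: compare each appliance's installed version against the patched release for its product and list what still needs updating. The following added example (not Ivanti's tooling, not code from the source report) does that for the three products. It assumes that a version string of the form `22.7R2.4` orders as major, minor, release, patch, and that CSA's `5.0.5` style compares the same way with an implicit release of 0; the inventory records are constructed for the example.

```python
import re

# Patched releases as stated in the advisory summary above.
FIXED_VERSIONS = {
    "ICS": "22.7R2.6",  # Ivanti Connect Secure
    "IPS": "22.7R1.3",  # Ivanti Policy Secure
    "CSA": "5.0.5",     # Ivanti Cloud Services Application
}

# Assumption for this example: "MAJOR.MINOR[Rrelease][.patch]" covers both
# the "22.7R2.4" and the "5.0.5" styles seen in the advisory.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+))?(?:\.(\d+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn an Ivanti-style version string into a tuple that compares numerically.

    Numeric comparison matters: a plain string compare would rank
    "22.7R2.10" below "22.7R2.6".
    """
    match = _VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release or 0), int(patch or 0))


def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed version is older than the patched release."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for product {product!r}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: list[tuple[str, str, str]]) -> list[dict]:
    """Return one record per appliance that is still below its patched release.

    inventory entries are (hostname, product, installed_version).
    """
    findings = []
    for hostname, product, installed in inventory:
        if is_vulnerable(product, installed):
            findings.append({
                "host": hostname,
                "product": product,
                "installed": installed,
                "required": FIXED_VERSIONS[product],
            })
    return findings


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("vpn-edge-01", "ICS", "22.7R2.4"),   # below 22.7R2.6 -> needs patching
    ("vpn-edge-02", "ICS", "22.7R2.6"),   # at fixed release
    ("nac-core-01", "IPS", "22.7R1.2"),   # below 22.7R1.3 -> needs patching
    ("csa-dmz-01", "CSA", "5.0.5"),       # at fixed release
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding['host']}: {finding['product']} {finding['installed']} "
              f"-> upgrade to {finding['required']}")
```

Feed `triage` the output of whatever asset inventory you already keep; the function raises rather than silently passing an appliance whose version string it cannot parse, which is the safer failure mode for a patch-compliance check.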
### Workarounds
The source report specifies no workarounds. Given the history of exploitation of these products and the RCE outcome of each flaw, applying the patches above is the recommended mitigation.
## Detection
- Detection methods are not explicitly detailed, but based on the attack vectors (admin interface interaction, file manipulation, OS commands), detection should focus on:
  - Anomalous administrative access or sessions.
  - Unexpected file system modifications near product directories.
  - Execution of unexpected system commands originating from the ICS/IPS/CSA processes.
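Because every flaw in this set is reached through an authenticated (mostly admin) session, the first detection bullet is the one that can be implemented without product-specific telemetry: baseline where admin logins normally come from and when, and flag successful logins that fall outside that baseline. The following added example (not Ivanti's tooling, not code from the source report) shows that check over constructed log lines; the line format `<timestamp> <product> admin_login user=<name> src=<ip> result=<ok|fail>` is invented for the example, and the baseline source set and business-hours window are assumptions you would replace with your own.

```python
import re
from datetime import datetime

# Constructed log lines in an invented format; the final line is a different
# event type and shows that unrelated records are skipped, not misparsed.
SAMPLE_LOGS = """\
2025-02-12T09:03:11Z ICS admin_login user=admin src=10.0.5.20 result=ok
2025-02-12T09:15:42Z ICS admin_login user=admin src=10.0.5.20 result=ok
2025-02-12T23:48:07Z ICS admin_login user=admin src=203.0.113.44 result=fail
2025-02-12T23:48:31Z ICS admin_login user=admin src=203.0.113.44 result=ok
2025-02-12T23:49:02Z ICS config_change user=admin
"""

_LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<product>\S+) admin_login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse_login_events(text: str) -> list[dict]:
    """Extract admin_login events; lines in any other shape are ignored."""
    events = []
    for line in text.splitlines():
        match = _LOGIN_RE.match(line.strip())
        if match is None:
            continue
        record = match.groupdict()
        # Assumption: timestamps are ISO 8601 in UTC with a trailing 'Z'.
        record["time"] = datetime.fromisoformat(record["ts"].rstrip("Z"))
        events.append(record)
    return events


def find_anomalous_admin_logins(
    text: str,
    baseline_sources: set[str],
    business_hours: tuple[int, int] = (7, 19),
) -> list[dict]:
    """Flag successful admin logins from unknown sources or outside business hours.

    Only result=ok events are reported: a failed attempt is noise on its own,
    whereas a success outside the baseline is an admin session worth reviewing.
    """
    start_hour, end_hour = business_hours
    findings = []
    for event in parse_login_events(text):
        if event["result"] != "ok":
            continue
        reasons = []
        if event["src"] not in baseline_sources:
            reasons.append("source not in baseline")
        if not (start_hour <= event["time"].hour < end_hour):
            reasons.append("outside business hours")
        if reasons:
            findings.append({
                "time": event["ts"],
                "product": event["product"],
                "user": event["user"],
                "src": event["src"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    # Assumed baseline: the management network the admin team normally uses.
    for finding in find_anomalous_admin_logins(SAMPLE_LOGS, {"10.0.5.20"}):
        print(f"{finding['time']} {finding['product']} user={finding['user']} "
              f"src={finding['src']}: {', '.join(finding['reasons'])}")
```

The two checks are deliberately independent so that a finding carries every reason that applies; in the sample data the single flagged login trips both, which is the pattern most worth a look before the other two bullets (file changes, unexpected commands) would even have a chance to fire.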
## References
- Vendor Advisory (General): hxxps://www.ivanti.com/blog/february-security-update
- CVE-2024-38657, CVE-2025-22467, CVE-2024-10644 Advisory Link: hxxps://forums.ivanti.com/s/article/February-Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-and-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs?language=en_US
- CVE-2024-47908 Advisory Link: hxxps://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Services-Application-CSA-CVE-2024-47908-CVE-2024-11771?language=en_US