Scrape Timestamp (UTC): 2025-02-12 17:26:26.319
Ivanti fixes three critical flaws in Connect Secure & Policy Secure

Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three of critical severity. The company learned about the flaws through its responsible disclosure program from security researchers at CISA and Akamai, and through the HackerOne bug bounty platform.

Ivanti notes in the security bulletin that it has received no reports of any of the issues being actively exploited in the wild. It nevertheless recommends that users install the security updates as soon as possible.

The three critical security vulnerabilities Ivanti patched are the following:

Exploiting any of the three issues is possible remotely, but an attacker needs to be authenticated. Furthermore, for two of them admin privileges are necessary to achieve remote code execution or to write arbitrary files. Despite this, the risk is still considerable: insider threats, or attackers who have stolen credentials via phishing, previous breaches, or password brute forcing, can still leverage the flaws for malicious operations.

There are also five more flaws included in the bulletin, ranging from medium to high severity. They include cross-site scripting (XSS) issues, hardcoded keys, cleartext storage of sensitive data, and insufficient permissions.

The vulnerabilities impact ICS 22.7R2.5 and older, IPS 22.7R1.2 and older, and ISAC 22.7R4 and below. Details about which products are impacted by each flaw can be seen in the table below. The issues were addressed in ICS version 22.7R2.6, IPS version 22.7R1.3, and ISAC 22.8R1, which are the recommended upgrade targets for system administrators.
Ivanti has also acknowledged that the flaws impact Pulse Connect Secure 9.x, but stated it does not plan to offer fixes for that product line because its support period has ended: “The Pulse Connect Secure 9.x version of the product reached End of Engineering June 2024 and has reached End-of-Support as of December 31, 2024,” Ivanti explains. “Because of this, the 9.x version of Connect Secure no longer receives backported fixes,” the company added, encouraging customers to upgrade to version 22.7 of Ivanti Connect Secure. Ivanti has not provided any mitigations for the patched flaws; applying the latest update is the recommended solution.
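The practical task the bulletin leaves to administrators is deciding, per appliance, whether the installed build is below the fixed version or sits on the unsupported 9.x line. The following Python script is an added example written for this page; it is not Ivanti's code and not part of the original article. It takes the thresholds quoted above (ICS fixed in 22.7R2.6, IPS in 22.7R1.3, ISAC in 22.8R1, Pulse Connect Secure 9.x affected with no fix) and classifies a constructed inventory. It assumes that a version string such as 22.7R2.5 splits into major.minor, an R release number and an optional patch number that compare numerically; the page does not describe Ivanti's ordering rules, so treat that parsing as an assumption and the hostnames and sample versions as made-up input.

```python
import re
from typing import NamedTuple


class IvantiVersion(NamedTuple):
    """A version string such as 22.7R2.5 split into comparable integers.

    Assumption (not stated in the bulletin): the fields order as
    major.minor, then the R release number, then an optional patch number,
    and all four compare numerically.
    """
    major: int
    minor: int
    release: int
    patch: int


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> IvantiVersion:
    """Parse '22.7R2.5' or '22.7R4' (patch defaults to 0); reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return IvantiVersion(int(major), int(minor), int(release), int(patch or 0))


# First fixed version per product, as stated in the bulletin summary above.
FIXED_VERSION = {
    "ICS": parse_version("22.7R2.6"),
    "IPS": parse_version("22.7R1.3"),
    "ISAC": parse_version("22.8R1"),
}

# Pulse Connect Secure 9.x (the ICS 9.x line) is affected and will not receive a fix.
END_OF_SUPPORT_MAJOR = {"ICS": 9}


def assess(product: str, installed: str) -> str:
    """Classify one installation.

    Returns 'fixed', 'affected' (upgrade to the fixed version), or
    'affected-end-of-support' (no fix will ship; migrate to 22.7 or later).
    """
    version = parse_version(installed)
    if version.major == END_OF_SUPPORT_MAJOR.get(product):
        return "affected-end-of-support"
    if version < FIXED_VERSION[product]:
        return "affected"
    return "fixed"


def assess_inventory(inventory):
    """Return {hostname: status} for an iterable of (hostname, product, version)."""
    return {host: assess(product, version) for host, product, version in inventory}


# Constructed sample inventory: hostnames and installed versions are made up for the demo.
SAMPLE_INVENTORY = [
    ("vpn-01.example.test", "ICS", "22.7R2.5"),
    ("vpn-02.example.test", "ICS", "22.7R2.6"),
    ("nac-01.example.test", "IPS", "22.7R1.2"),
    ("legacy-vpn.example.test", "ICS", "9.1R18"),
    ("client-build", "ISAC", "22.7R4"),
]

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:28s} {status}")
```

Because any version string the regex does not recognise raises instead of silently comparing as "fixed", a malformed or unexpected build number surfaces as an error to investigate rather than a false clean result. Every version between the last affected and the first fixed build is treated as affected, which errs on the side of patching.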
Daily Brief Summary
Ivanti has issued security updates for Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Secure Access Client to rectify multiple vulnerabilities including three with critical severity.
The critical vulnerabilities can be exploited remotely, although an attacker must be authenticated and, for two of them, must hold admin privileges.
These vulnerabilities were disclosed through a responsible disclosure program involving CISA, Akamai, and the HackerOne platform, with no current evidence of active exploitation in the wild.
The updates address eight vulnerabilities in total: the three critical flaws plus five others ranging from medium to high severity, involving risks such as XSS, hardcoded keys, and cleartext data storage.
Ivanti strongly recommends that customers update to the latest versions (ICS 22.7R2.6, IPS 22.7R1.3, and ISAC 22.8R1) to address these vulnerabilities.
The company also noted the end of support for the Pulse Connect Secure 9.x versions, advising users to upgrade to newer versions for continued protection.
No mitigations have been suggested for the vulnerabilities aside from applying the most recent updates.