Ivanti, a leading provider of cybersecurity and IT management solutions has disclosed yet another critical authentication bypass vulnerability affecting multiple products, including Connect Secure, Policy Secure, and Zero Trust Access (ZTA) gateways.
The vulnerability tracked as CVE-2024-22024, stems from an XML external entity (XXE) vulnerability in the SAML authentication component, enabling unauthenticated threat actors to access restricted resources. Ivanti rated the flaw 8.3 out of 10 on the CVSS vulnerability scoring system, meaning it's considered a high-severity issue.
The company said it uncovered CVE-2024-22024 during an internal security review launched after the disclosure of several other vulnerabilities in January and February 2024. These have included critical flaws like CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893, some of which have already been widely exploited by attackers.
Ivanti warned that while there's no evidence CVE-2024-22024 is being actively weaponized currently, the high risks posed by previous flaws mean customers should prioritize patching as soon as possible.
Affected Products and Versions
The authentication bypass issue impacts the following Ivanti products and versions:
- Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1
- Policy Secure version 22.5R1.1
- ZTA version 22.6R1.3
Ivanti has released patches fixing CVE-2024-22024 across affected product lines, including Connect Secure versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, and 22.6R2.2. Policy Secure hotfixes are available in versions 9.1R17.3, 9.1R18.4, and 22.5R1.2, while ZTA should be updated to 22.5R1.6, 22.6R1.5, or 22.6R1.7.
With remote exploitation a possibility, Ivanti is urging customers to install relevant security updates immediately to prevent potential compromise of gateways. Given recent incidents, it's clear attackers are probing systems for Ivanti flaws, raising the chances outdated products could fall victim.
Another Black Eye for Ivanti Security
While disclosing vulnerabilities is an essential process to improve collective security, the volume of critical Ivanti flaws emerging recently deals a blow to trust in the vendor's solutions.
Ivanti maintains there's no evidence that CVE-2024-22024 has been exploited maliciously yet. However, the harrowing reality that four major vulnerabilities surfaced in such quick succession points to potential systemic security engineering issues within Ivanti systems.