Friday 9th February 2024
Yesterday Ivanti announced another vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and ZTA Gateway. CVE-2024-22024 (CVSS v3.1: 8.3 [High]) is an XML External Entity (XXE) vulnerability which allows attackers to access certain restricted resources without authentication.
Ivanti says the vulnerability only affects a limited number of supported versions of their software, and is not known to be exploited in the wild.
Spotit’s advice is to prioritise patching the affected versions in your next available patch window. The affected versions are:
Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1)
Ivanti Policy Secure (version 22.5R1.1)
ZTA Gateway (version 22.6R1.3)