Customers of Ivanti's Connect Secure, Policy Secure, and ZTA gateway devices have been notified of yet another high-severity vulnerability that could let attackers bypass authentication. The flaw, tracked as CVE-2024-22024, carries a CVSS score of 8.3 out of 10.
"An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication," the company stated in an advisory.
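The advisory describes an XXE flaw in SAML handling, which in general means the XML parser honoured a DOCTYPE or entity declaration supplied by an unauthenticated sender. The following Python example is added here for illustration and is not Ivanti's code (nothing is known from the page about the affected component's internals); it shows the parser posture a SAML consumer wants: an expat-based front end that refuses any DOCTYPE, entity declaration or external entity reference before the document can reach authentication logic. The two sample responses, the hypothetical NameID value and the `check_saml_document` helper are constructed for the example.

```python
import xml.parsers.expat

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


class UnsafeXmlError(ValueError):
    """Raised when a document uses DTD or entity features a SAML consumer must refuse."""


def _make_hardened_parser(on_start, on_end, on_text):
    """Build an expat parser that aborts on any DOCTYPE, entity declaration or
    external entity reference, the three mechanisms an XXE payload depends on."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")
    parser.buffer_text = True  # deliver character data in fewer, larger chunks

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE declaration not permitted in a SAML message")

    def reject_entity_decl(*_args):
        raise UnsafeXmlError("entity declaration not permitted in a SAML message")

    def reject_external_ref(context, base, system_id, public_id):
        return 0  # returning 0 tells expat to stop instead of fetching the resource

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.UnparsedEntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    return parser


def extract_name_id(xml_bytes):
    """Return the text of the first saml:NameID element.
    Raises UnsafeXmlError for DTD/entity use and ExpatError for malformed XML."""
    target = SAML_ASSERTION_NS + "}NameID"  # expat emits "namespace}local" names
    state = {"inside": False, "chunks": [], "value": None}

    def on_start(name, attrs):
        if name == target and state["value"] is None:
            state["inside"] = True
            state["chunks"] = []

    def on_end(name):
        if name == target and state["inside"]:
            state["inside"] = False
            state["value"] = "".join(state["chunks"]).strip()

    def on_text(data):
        if state["inside"]:
            state["chunks"].append(data)

    parser = _make_hardened_parser(on_start, on_end, on_text)
    parser.Parse(xml_bytes, True)
    return state["value"]


def check_saml_document(xml_bytes):
    """Turn extract_name_id into an accept/reject verdict for a request pipeline."""
    try:
        name_id = extract_name_id(xml_bytes)
    except UnsafeXmlError as exc:
        return {"accepted": False, "name_id": None, "reason": str(exc)}
    except xml.parsers.expat.ExpatError as exc:
        return {"accepted": False, "name_id": None, "reason": "malformed XML: %s" % exc}
    if name_id is None:
        return {"accepted": False, "name_id": None, "reason": "no NameID present"}
    return {"accepted": True, "name_id": name_id, "reason": "ok"}


# Constructed sample: a minimal, well-formed SAML-style response with no DTD.
CLEAN_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
  <saml:Assertion ID="_assert1">
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed sample: the same response carrying an internal DTD. Even a harmless
# internal entity is refused, because the declaration mechanism is what XXE abuses.
DTD_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE samlp:Response [ <!ENTITY subj "alice@example.test"> ]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2">
  <saml:Assertion ID="_assert2">
    <saml:Subject>
      <saml:NameID>&subj;</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_RESPONSE), ("dtd", DTD_RESPONSE)):
        print(label, check_saml_document(doc))
```

A SAML response has no legitimate reason to carry a DTD, so rejecting the DOCTYPE outright (rather than trying to distinguish internal from external entities) keeps the check simple and leaves no parser feature for an unauthenticated sender to steer. Running the block prints an accepted verdict for the clean response and a rejection naming the DOCTYPE for the second one.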
The company said it found the flaw during an internal review conducted as part of its ongoing investigation into the several security flaws in these products that have surfaced since the beginning of the year. CVE-2024-22024 affects the following product versions:
- Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1)
- ZTA (version 22.6R1.3)
- Ivanti Policy Secure (version 22.5R1.1)
The bug is patched in Connect Secure versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, and 22.6R2.2; Policy Secure versions 9.1R17.3, 9.1R18.4, and 22.5R1.2; and ZTA versions 22.5R1.6, 22.6R1.5, and 22.6R1.7.
Although there is no evidence that this vulnerability is being actively exploited, users should still move quickly to apply the latest fixes, since CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 in the same products are being widely exploited.