Ivanti has released fixes for a high-severity vulnerability affecting network access and enterprise VPN products.
The flaw is in the SAML component of ZTA gateway appliances, Policy Secure, and Ivanti Connect Secure appliances. It is tracked as CVE-2024-22024 (CVSS score of 8.3) and classified as an XML external entity (XXE) issue. Ivanti says that an unauthorized attacker can access some restricted resources if the bug is successfully exploited.
The IT security and services company states in its advisory that “this vulnerability only affects a limited number of supported versions – Ivanti Connect Secure (version 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1), Ivanti Policy Secure version 22.5R1.1 and ZTA version 22.6R1.3.”
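XXE issues in general arise when an XML parser processes DTD and entity declarations in untrusted input, and SAML messages never need a DTD. The following is an added defensive example, not Ivanti's code and not taken from the advisory: a pre-parse guard that rejects any SAML message declaring a DOCTYPE. The function names and sample messages are constructed for illustration.

```python
import base64
import xml.parsers.expat

class DtdForbidden(ValueError):
    """Raised when an XML document declares a DOCTYPE."""

def screen_saml_xml(xml_bytes):
    """Return (ok, reason). Rejects any DOCTYPE before entities are processed."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE', before any entity declaration is handled.
        raise DtdForbidden("DOCTYPE %r declared" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(xml_bytes, True)
    except DtdForbidden as exc:
        return False, "rejected: %s" % exc
    except xml.parsers.expat.ExpatError as exc:
        return False, "rejected: not well-formed (%s)" % exc
    return True, "ok"

def screen_saml_post_param(b64_value):
    """Screen a base64 SAMLResponse/SAMLRequest form value (HTTP-POST binding)."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
    except ValueError as exc:
        return False, "rejected: bad base64 (%s)" % exc
    return screen_saml_xml(raw)

# Constructed sample messages (not captured traffic).
NS = b'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
BENIGN = b'<samlp:Response ' + NS + b' ID="_constructed1" Version="2.0"><samlp:Status/></samlp:Response>'
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE r [<!ENTITY x SYSTEM "http://example.invalid/constructed">]>'
            b'<samlp:Response ' + NS + b' ID="_constructed2" Version="2.0">&x;</samlp:Response>')

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("with DTD", WITH_DTD)):
        print(label, screen_saml_post_param(base64.b64encode(msg)))
```

A guard like this belongs in front of whatever library performs the real SAML parsing and signature validation; it does not replace applying the vendor's fix.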