On 8 February 2024, Ivanti publicly disclosed a high-severity authentication bypass vulnerability (CVE-2024-22024) impacting Ivanti Connect Secure, Policy Secure, and ZTA products. CVE-2024-22024 is an XML external entity (XXE) flaw in the SAML component and could allow threat actors to bypass authentication and access certain restricted resources if successfully exploited.
This vulnerability was initially discovered and responsibly disclosed by WatchTowr Labs. Arctic Wolf has not observed a publicly available proof of concept (PoC) exploit published for this vulnerability. Additionally, we have not observed active exploitation at this time. However, based on the historical targeting of recent vulnerabilities in Ivanti products, including CVE-2024-21893, CVE-2024-21887, and CVE-2023-46805, and the potential to bypass authentication, we assess threat actors will likely develop a working PoC exploit and attempt exploitation of this vulnerability in the near term.
Recommendation for CVE-2024-22024
Upgrade Ivanti Products to Fixed Version
Arctic Wolf strongly recommends upgrading vulnerable Ivanti products to the latest released versions.
| Affected Product | Affected Versions | Fixed Version |
| Connect Secure | 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 | 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, 22.6R2.2 |
| Policy Secure | 22.5R1.1 | 9.1R17.3, 9.1R18.4, 22.5R1.2 |
| ZTA | 22.6R1.3 | 22.5R1.6, 22.6R1.5, 22.6R1.7 |
Organisations that have applied the patch released on 31 January or 1 February and completed a factory reset of their appliance, do not need to factory reset their appliances again, according to Ivanti.
References
- Ivanti Article
- WatchTowr Labs Responsible Disclosure
- Arctic Wolf Blog (CVE-2024-21887 & CVE-2023-46805)
- Volexity Blog 1
- Volexity Blog 2
See other important security bulletins from Arctic Wolf.
