Ivanti Product Security Update Advisory

Overview

We have released a security update to fix vulnerabilities in Ivanti products. Users of affected products are advised to update to the latest version.
 

 

Affected Products

 

CVE-2024-47908

Ivanti CSA Version: ~5.0.4 (inclusive)

 

Cve-2024-38657, cve-2025-22467, cve-2024-10644, cve-2024-13813

Ivanti Connect Secure (ICS) Version: ~22.7R2.5 (incl.)
Ivanti Policy Secure (IPS) Version: ~22.7R1.2 (incl.)
Ivanti Secure Access Client (ISAC) Version: ~22.7R4 (inclusive)

 

Resolved Vulnerabilities

Administrator Web Console OS Command Injection Vulnerability (CVE-2024-47908)
File Name External Control Vulnerability (CVE-2024-38657)
Stack-based buffer overflow vulnerability (CVE-2025-22467)
Code injection vulnerability that could allow remote code execution (CVE-2024-10644)
Insufficiently set permissions (CVE-2024-13813)

 

Vulnerability Patches

Vulnerability patches have been made available in the latest updates. Please follow the instructions on the Referenced Sites to update to the latest Vulnerability Patches version.
 

 

CVE-2024-47908

Ivanti CSA Version: ~5.0.5 (inclusive)

 

CVE-2024-38657, CVE-2025-22467, CVE-2024-10644, CVE-2024-13813

Ivanti Connect Secure (ICS) version: 22.7R2.6
Ivanti Policy Secure (IPS) version: 22.7R1.3
Ivanti Secure Access Client (ISAC) version: 22.8R1

 

References

[1] Security Advisory Ivanti Cloud Services Application (CSA) (CVE-2024-47908, CVE-2024-11771)
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Services-Application-CSA-CVE-2024-47908-CVE-2024-11771?language=en_US
[2] February Security Advisory Ivanti Connect Secure (ICS),Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs)
https://forums.ivanti.com/s/article/February-Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-and-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs?language=en_US&_gl=1*24inh7*_gcl_au*MjAwNjk5NDA4MS4xNzM5MzM0OTA1