CVE-2022-35258
Published: 05 December 2022
Summary
CVE-2022-35258 is a high-severity Wrap-around Error (CWE-128) vulnerability in Ivanti Connect Secure. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 6.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-35258 is a denial-of-service vulnerability affecting Ivanti Connect Secure in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1. The flaw carries a CVSS 3.1 base score of 7.5 and is associated with CWE-128 and CWE-682; it permits an unauthenticated network attacker to disrupt service availability without any impact on confidentiality or integrity.
An unauthenticated remote attacker can exploit the issue over the network with low attack complexity to trigger a denial-of-service condition against the listed Ivanti products, resulting in loss of availability for affected appliances or services.
Vendor advisories referenced in SA45520 direct administrators to apply the fixed releases listed for each product line; the same advisory is published on the Ivanti knowledge base and contains the definitive remediation guidance and version mappings.
The associated EPSS score has remained essentially flat near 0.096, indicating no material post-disclosure increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-38149
Vulnerability details
An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1.
- CWE(s): CWE-128 (Wrap-around Error), CWE-682 (Incorrect Calculation)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.