
CVE-2022-35258

Severity: High
Published: 05 December 2022
Modified: 21 November 2024
KEV Added: not listed
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0964 (93.1st percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-35258 is a high-severity Wrap-around Error (CWE-128) vulnerability in Ivanti Connect Secure. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 6.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-35258 is a denial-of-service vulnerability affecting Ivanti Connect Secure in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1. The flaw carries a CVSS 3.1 base score of 7.5 and is associated with CWE-128 and CWE-682; it permits an unauthenticated network attacker to disrupt service availability without any impact on confidentiality or integrity.

An unauthenticated remote attacker can exploit the issue over the network with low attack complexity (AV:N/AC:L/PR:N/UI:N) to trigger a denial-of-service condition against the listed Ivanti products, resulting in loss of availability for the affected appliances or services.

The vendor advisory SA45520 directs administrators to apply the fixed releases listed above for each product line; the same advisory is published on the Ivanti knowledge base and contains the definitive remediation guidance and version mappings.

The associated EPSS score has remained essentially flat near 0.096, indicating no material post-disclosure increase in observed exploitation interest.

Vulnerability details

An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1.

CWE(s)

CWE-128 (Wrap-around Error), CWE-682

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- ivanti / connect secure: 21.12, 21.9, 22.1, 22.2, 9.1 · ≤ 9.1
- ivanti / neurons for zero-trust access: 22.2
- ivanti / policy secure: 22.1, 22.2, 9.1 · ≤ 9.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.