CVE-2024-11634
Published: 10 December 2024
Summary
CVE-2024-11634 is a critical-severity Command Injection (CWE-77) vulnerability in Ivanti Connect Secure. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 5.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-11634 is a command injection vulnerability, tracked under CWE-77, that affects Ivanti Connect Secure prior to version 22.7R2.3 and Ivanti Policy Secure prior to version 22.7R1.2. The flaw is not applicable to the 9.1Rx branch. It carries a CVSS 3.1 base score of 9.1, reflecting a network-accessible attack with low complexity that requires high privileges yet can impact confidentiality, integrity, and availability across security boundaries.
A remote authenticated attacker holding administrative privileges can supply crafted input that results in arbitrary command execution on the affected appliance, enabling full remote code execution.
The December 2024 Ivanti security advisory provides official guidance on affected releases and remediation steps for both products.
EPSS for the CVE reached a peak of 0.2131 after disclosure before settling at the current value of 0.1423, indicating a clear rise in exploitation interest that warrants renewed attention from defenders.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34148
Vulnerability details
Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (Not applicable to 9.1Rx)
- CWE(s): CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.