Cyber Resilience

CVE-2024-11634

Critical · RCE

Published: 10 December 2024

Modified: 17 January 2025
KEV Added: not listed
Patch: Ivanti December 2024 security advisory
CVSS v3.1 Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.1423 (94.5th percentile)
Risk Priority: 27 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-11634 is a critical-severity Command Injection (CWE-77) vulnerability in Ivanti Connect Secure. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 5.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-11634 is a command injection vulnerability, tracked under CWE-77, that affects Ivanti Connect Secure prior to version 22.7R2.3 and Ivanti Policy Secure prior to version 22.7R1.2. The flaw does not apply to the 9.1Rx branch. It carries a CVSS 3.1 base score of 9.1, reflecting a network-accessible attack of low complexity that requires high privileges (an administrative account) yet, because the scope is changed (S:C), can impact confidentiality, integrity, and availability beyond the vulnerable component itself.

A remote authenticated attacker holding administrative privileges can supply crafted input that results in arbitrary command execution on the affected appliance, enabling full remote code execution.

The December 2024 Ivanti security advisory provides official guidance on affected releases and remediation steps for both products.

EPSS for the CVE peaked at 0.2131 after disclosure before settling at the current value of 0.1423, indicating sustained exploitation interest that warrants renewed attention from defenders.

Vulnerability details

Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (Not applicable to 9.1Rx.)

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Ivanti Connect Secure: 22.7 (≤ 22.7)
Ivanti Policy Secure: 22.7 (≤ 22.7)

Mitigating Controls

No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE.
