Cyber Resilience

CVE-2024-21894

Critical

Published: 04 April 2024

Published
04 April 2024
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0794 92.2th percentile
Risk Priority 24 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-21894 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Ivanti Policy Secure. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 7.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A heap overflow vulnerability exists in the IPSec component of Ivanti Connect Secure versions 9.x and 22.x as well as Ivanti Policy Secure. The flaw, tracked as CVE-2024-21894, is triggered when the service processes specially crafted network requests and is assigned a CVSS score of 9.8. It is also associated with CWE-787 and CWE-703.

An unauthenticated remote attacker can send malicious requests to the affected gateways, causing the IPSec service to crash and resulting in a denial of service. Under certain conditions the same flaw may permit arbitrary code execution.

Ivanti has published security advisory SA-CVE-2024-21894 (along with related issues CVE-2024-22052, CVE-2024-22053, and CVE-2024-22023) that addresses the heap overflow and provides remediation guidance for Connect Secure and Policy Secure customers.

EPSS for the CVE rose from a low baseline to a peak of 0.1103 on 2025-12-11 before receding to the current value of 0.0794, indicating measurable post-disclosure exploitation interest.

EU & UK References

Vulnerability details

A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack. In certain conditions this…

more

may lead to execution of arbitrary code

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ivanti
connect secure
22.1, 22.2, 22.3, 22.4, 22.5
ivanti
policy secure
22.1, 22.2, 22.3, 22.4, 22.5

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-703

Implements explicit check and handling for the exceptional condition of audit logging process failure.

addresses: CWE-703

Establishing and monitoring system metrics with correlation and response actions helps identify and address improper handling of exceptional conditions.

addresses: CWE-703

Provides a defined response to detected conditions by restricting operation, ensuring exceptional conditions are handled rather than ignored or mishandled.

addresses: CWE-703

Contingency training equips users with defined procedures to check and respond to exceptional conditions during disruptions, reducing exploitation of mishandled errors.

addresses: CWE-703

Testing verifies the system's ability to detect, handle, and recover from exceptional conditions as part of the plan, reducing exploitability of improper exception handling.

addresses: CWE-703

Regular updates keep contingency procedures aligned with system changes, providing structured handling for exceptional conditions that would otherwise allow unmitigated exploitation.

addresses: CWE-703

Policy defines checks and handling for exceptional conditions arising from security incidents.

addresses: CWE-703

Performing IR tests ensures exceptional conditions are properly checked and handled to enable effective response.

References