Cyber Resilience

CVE-2024-37377

Severity: High
Published: 12 December 2024
Modified: 02 July 2025
CVSS Score (v3): 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0468 (89.6th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-37377 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Ivanti Connect Secure. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 10.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

A heap-based buffer overflow vulnerability, tracked as CVE-2024-37377 and assigned CWE-787, exists in the IPsec component of Ivanti Connect Secure versions prior to 22.7R2.3. The flaw carries a CVSS 3.0 base score of 7.5; it is reachable by a remote, unauthenticated attacker over the network and results in a high-impact denial of service (availability), while leaving confidentiality and integrity unaffected.

An attacker positioned on the network can send crafted IPsec traffic to trigger the overflow, causing the affected service to crash and thereby disrupting VPN connectivity for legitimate users without requiring authentication or user interaction.

The December 2024 Ivanti security advisory covers this issue together with other CVEs affecting Connect Secure and Policy Secure. The associated EPSS score reached a peak of 0.0640 on 2026-02-03 after starting from a lower value and has since receded to 0.0468, indicating a period of increased exploitation interest following disclosure.

Vulnerability details

A heap-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- ivanti connect secure: 22.7 (affected range ≤ 22.7)
- ivanti policy secure: 22.7 (affected range ≤ 22.7)

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.