CVE-2024-37377
Published: 12 December 2024
Summary
CVE-2024-37377 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Ivanti Connect Secure. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 10.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A heap-based buffer overflow vulnerability, tracked as CVE-2024-37377 and assigned CWE-787, exists in the IPsec component of Ivanti Connect Secure versions prior to 22.7R2.3. The flaw carries a CVSS 3.0 base score of 7.5; it is reachable over the network by a remote, unauthenticated attacker and results in a high-impact denial of service, with no impact on confidentiality or integrity.
An attacker positioned on the network can send crafted IPsec traffic to trigger the overflow, causing the affected service to crash and thereby disrupting VPN connectivity for legitimate users without requiring authentication or user interaction.
The December 2024 Ivanti security advisory covers this issue together with other CVEs affecting Connect Secure and Policy Secure. The associated EPSS score reached a peak of 0.0640 on 2026-02-03 after starting from a lower value and has since receded to 0.0468, indicating a period of increased exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36999
Vulnerability details
A heap-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely mitigating controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Memory protections that mark data pages non-executable prevent shellcode injected through an out-of-bounds write from running, and they likewise constrain attempts to corrupt control flow by the same means.