CVE-2024-37400
Published: 13 November 2024
Summary
CVE-2024-37400 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Ivanti Connect Secure. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 10.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
An out-of-bounds read vulnerability, tracked as CVE-2024-37400 and assigned CWE-125, affects Ivanti Connect Secure prior to version 22.7R2.3. The flaw carries a CVSS 3.0 base score of 7.5, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction, with the impact confined to availability (rated High).
A remote unauthenticated attacker can send crafted network traffic to trigger an infinite loop in the affected component, resulting in a denial-of-service condition that disrupts service availability without any data exposure or integrity impact.
The referenced Ivanti security advisory addresses this issue alongside multiple related CVEs and provides mitigation guidance, including upgrading to the fixed release 22.7R2.3.
The associated EPSS score has remained flat at 0.0501 with no material increase since disclosure, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36636
Vulnerability details
An out of bounds read in Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to trigger an infinite loop, causing a denial of service.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.