CVE-2024-37404

Severity: High
Published: 18 October 2024
Modified: 23 September 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: fixed releases available from the vendor
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8435 (99.3rd percentile)
Risk Priority: 68 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-37404 is a high-severity vulnerability of unspecified weakness type in Ivanti Connect Secure. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-37404 is an improper input validation flaw in the admin portal of Ivanti Connect Secure (versions prior to 22.7R2.1 and 9.1R18.9) and Ivanti Policy Secure (versions prior to 22.7R1.1). The vulnerability carries a CVSS 3.1 score of 8.8 and permits remote code execution when successfully triggered.

A remote attacker who already possesses valid administrative credentials can supply crafted input through the admin portal to execute arbitrary code on the affected appliance. The attack requires no user interaction and can be launched over the network with low complexity; the PR:L vector component reflects the authentication prerequisite.

Ivanti has published a security advisory detailing the issue and the fixed releases. The current EPSS score of 0.8435 (with a recorded peak of 0.8719) indicates substantial exploitation interest following disclosure.
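The version boundaries above, turned into a defender's inventory check. This is an added example, not code from Ivanti or from this advisory; it assumes appliances report versions in the vendor's "major.minorRrelease.patch" form (e.g. 22.7R2.1) and that the 9.x and 22.x lines are the only branches in scope for this CVE.

```python
# Added example: triage an appliance inventory against the fixed releases named
# for CVE-2024-37404. Assumes version strings such as "22.7R2.1" or "9.1R18.9".
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, release, patch)

# First fixed release per product and per major branch, taken from the advisory text.
FIXED = {
    "connect secure": {22: (22, 7, 2, 1), 9: (9, 1, 18, 9)},
    "policy secure": {22: (22, 7, 1, 1)},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+)(?:\.(\d+))?)?$")


def parse_version(text: str) -> Version:
    """Turn '22.7R2.1' into a comparable tuple; missing R/patch parts count as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())  # type: ignore


def status(product: str, version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown-branch' for one appliance."""
    branches = FIXED.get(product.lower())
    if branches is None:
        raise ValueError(f"product not covered by CVE-2024-37404: {product!r}")
    v = parse_version(version)
    fixed = branches.get(v[0])
    if fixed is None:
        # A branch the advisory does not mention (e.g. Policy Secure 9.x): flag for review.
        return "unknown-branch"
    return "fixed" if v >= fixed else "vulnerable"


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """inventory rows are (hostname, product, version); returns rows with a status appended."""
    return [(h, p, ver, status(p, ver)) for h, p, ver in inventory]


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("vpn-gw-01", "Connect Secure", "22.7R2"),      # one patch level short of the fix
    ("vpn-gw-02", "Connect Secure", "22.7R2.1"),    # exactly the fixed release
    ("vpn-legacy", "Connect Secure", "9.1R18.8"),   # old branch, below 9.1R18.9
    ("nac-01", "Policy Secure", "22.6R1"),          # below 22.7R1.1
    ("nac-02", "Policy Secure", "9.1R18"),          # branch not named by the advisory
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("{:<12} {:<16} {:<10} {}".format(*row))
```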

Vulnerability details

Improper Input Validation in the admin portal of Ivanti Connect Secure before 22.7R2.1 and 9.1R18.9, or Ivanti Policy Secure before 22.7R1.1 allows a remote authenticated attacker to achieve remote code execution.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ivanti connect secure: 22.7, 9.1 · ≤ 9.1 · 22.3 — 22.7
ivanti policy secure: 22.7 · ≤ 22.7

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
