CVE-2024-39712
Published: 13 November 2024
Summary
CVE-2024-39712 is a critical-severity Argument Injection (CWE-88) vulnerability in Ivanti Connect Secure and Ivanti Policy Secure. Its CVSS base score is 9.1 (Critical).
Operationally, its EPSS score places it in the top 5.9% of CVEs by exploit likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
CVE-2024-39712 is an argument injection issue, tracked as CWE-88, affecting Ivanti Connect Secure before versions 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1. Its CVSS 3.0 score of 9.1 reflects a network attack vector, low attack complexity, high privileges required (an administrator account), no user interaction, and high impact on confidentiality, integrity, and availability with changed scope.
A remote, authenticated attacker holding administrative privileges can supply crafted arguments that trigger the flaw and obtain remote code execution on the appliance. Because the weakness is argument injection rather than command injection, no shell metacharacters are needed: it is enough for attacker-controlled input to reach a command's argument list where the command parses it as an option or an extra argument instead of plain data.
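The following is an added illustration of the CWE-88 pattern in general, not Ivanti's code and not a description of how CVE-2024-39712 itself is triggered (the page does not say which command or option is involved). It assumes a hypothetical backup helper that hands an administrator-supplied path to GNU tar; tar's --checkpoint-action=exec=CMD option is used because it is the textbook way an injected argument turns into code execution. The example only builds argv lists and never executes tar.

```python
"""Constructed illustration of CWE-88 (argument injection), not Ivanti's code.
Hypothetical helper that hands an admin-supplied path to GNU tar. Builds argv
only; nothing is executed."""
from __future__ import annotations

BACKUP_ARCHIVE = "/var/backups/config.tgz"  # hypothetical destination


class ArgumentInjectionError(ValueError):
    """Raised when a caller-supplied value could be parsed as an option."""


def build_backup_argv_vulnerable(user_path: str) -> list[str]:
    """Vulnerable pattern: the value lands in argv unvalidated. shell=False
    would not help; tar itself treats a leading '-' as an option, so
    '--checkpoint-action=exec=/bin/id' runs a program instead of naming a file."""
    return ["tar", "-czf", BACKUP_ARCHIVE, user_path]


def validate_operand(value: str) -> str:
    """Accept only values a getopt-style parser must treat as an operand:
    non-empty, not option-like, and free of characters that could split or
    terminate an argument in a later processing step."""
    if not value or value.startswith("-"):
        raise ArgumentInjectionError(f"option-like value rejected: {value!r}")
    if any(ch in value for ch in "\x00\r\n"):
        raise ArgumentInjectionError("control characters rejected")
    return value


def build_backup_argv_hardened(user_path: str) -> list[str]:
    """Hardened pattern: validate, and also end option parsing with '--' so
    the operand can never be read as an option even if validation changes."""
    return ["tar", "-czf", BACKUP_ARCHIVE, "--", validate_operand(user_path)]


def option_like_operands(argv: list[str], first_operand: int) -> list[str]:
    """Entries at or after the intended first operand that a getopt-style
    parser would read as options. Anything after a literal '--' is an operand
    by definition and is excluded. Usable as a pre-exec assertion."""
    found = []
    for arg in argv[first_operand:]:
        if arg == "--":
            break
        if arg.startswith("-") and arg != "-":
            found.append(arg)
    return found


def hardened_rejects(user_path: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_backup_argv_hardened(user_path)
    except ArgumentInjectionError:
        return True
    return False


if __name__ == "__main__":
    injected = "--checkpoint-action=exec=/bin/id"  # constructed payload
    print("vulnerable argv leaks options:",
          option_like_operands(build_backup_argv_vulnerable(injected), 3))
    print("hardened rejects it:", hardened_rejects(injected))
    print("hardened argv:", build_backup_argv_hardened("etc/config"))
```

Two caveats apply in practice: rejecting a leading '-' is only a safe test for tools that follow getopt conventions, and the '--' terminator only helps for tools that honour it (most GNU and BSD utilities do; some embedded or vendor binaries do not). Where neither holds, the operand should be passed by another channel, such as a fixed working directory plus a strict allowlist of file names.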
Ivanti has published a security advisory covering this issue along with related CVEs at https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs.
The EPSS probability peaked at 0.1910 and currently stands at 0.1241: exploitation interest rose after disclosure and has since eased, but an estimated 30-day exploitation probability of roughly 12% remains high for a flaw that requires administrator credentials.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-38339
Vulnerability details
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CWE(s): CWE-88, Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
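The version boundaries above are the practical triage input. The following is an added example, not part of this page or of any Ivanti tooling, that checks an appliance inventory against those fixed releases. It assumes Ivanti version strings follow the pattern major.minor R revision[.patch] (e.g. 22.7R2.1, 9.1R18.7); hostnames and versions in the sample inventory are constructed.

```python
"""Added example, not from the page or from Ivanti: triage an appliance
inventory against the fixed versions named in the vulnerability text.
Assumption: version strings look like <major>.<minor>R<revision>[.<patch>]."""
from __future__ import annotations

import re

# Fixed releases from the vulnerability text, keyed by product and release
# train. "Before" in the text means every lower version on that train.
FIXED_VERSIONS = {
    ("Connect Secure", 22): "22.7R2.1",
    ("Connect Secure", 9): "9.1R18.7",
    ("Policy Secure", 22): "22.7R1.1",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> tuple[int, ...]:
    """'22.7R2' -> (22, 7, 2, 0); '9.1R18.7' -> (9, 1, 18, 7).
    A missing patch component counts as 0 so 22.7R2 sorts below 22.7R2.1."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    return tuple(int(group or 0) for group in match.groups())


def is_vulnerable(product: str, version: str) -> bool | None:
    """True if below the fixed release on its train, False if at or above,
    None when the text names no fixed release for that product/train (the
    9.x Policy Secure train is not mentioned on this page, for instance)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get((product, parsed[0]))
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Split (host, product, version) records into vulnerable/fixed/unknown.
    Unknown is kept separate on purpose: silently treating an uncovered
    train as fixed is the classic triage mistake."""
    result: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, product, version in inventory:
        status = is_vulnerable(product, version)
        bucket = "unknown" if status is None else ("vulnerable" if status else "fixed")
        result[bucket].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("vpn-1.corp.example", "Connect Secure", "22.7R2"),
    ("vpn-2.corp.example", "Connect Secure", "22.7R2.1"),
    ("vpn-3.corp.example", "Connect Secure", "9.1R18.6"),
    ("vpn-4.corp.example", "Connect Secure", "22.6R2.5"),
    ("nac-1.corp.example", "Policy Secure", "22.7R1"),
    ("nac-2.corp.example", "Policy Secure", "22.7R1.1"),
    ("nac-3.corp.example", "Policy Secure", "9.1R17"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The numeric comparison is a heuristic for a quick sweep; the vendor advisory linked above is authoritative for edge cases such as hotfix builds whose strings do not match the assumed pattern (those raise ValueError here rather than being guessed at).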
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Ivanti Connect Secure before 22.7R2.1 (22.x train) and before 9.1R18.7 (9.1 train)
- Ivanti Policy Secure before 22.7R1.1
Mitigating Controls
No mitigating controls mapped yet. The remediation is to upgrade to the fixed releases named above (Ivanti Connect Secure 22.7R2.1 or 9.1R18.7, Ivanti Policy Secure 22.7R1.1). Until then, because exploitation requires an administrator session, restricting which networks and accounts can reach the administrative interface reduces exposure.