Cyber Resilience

CVE-2024-39712

Critical

Published: 13 November 2024
Modified: 11 July 2025
KEV Added: not listed
Patch: vendor advisory available
CVSS v3.0 Score: 9.1 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.1241 (94.1st percentile)
Risk Priority: 26 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-39712 is a critical-severity Argument Injection (CWE-88) vulnerability in Ivanti Connect Secure. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 5.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability CVE-2024-39712 is an argument injection issue, tracked as CWE-88, that affects Ivanti Connect Secure prior to versions 22.7R2.1 and 9.1R18.7, as well as Ivanti Policy Secure prior to version 22.7R1.1. It received a CVSS 3.0 base score of 9.1, reflecting a network attack vector, low attack complexity, high privileges required, no user interaction, changed scope, and high impact on confidentiality, integrity, and availability.

A remote authenticated attacker holding administrative privileges can supply crafted arguments to trigger the flaw and obtain remote code execution on the target appliance.

Ivanti has published a security advisory covering this issue along with related CVEs at https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs.

The EPSS probability peaked at 0.1910 before settling at the current value of 0.1241, indicating that exploitation interest rose after disclosure and has since partly receded.

Vulnerability details

Argument injection in Ivanti Connect Secure before versions 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

CWE(s)

CWE-88: Argument Injection
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ivanti
Product: connect secure
Version: 22.7 (affected: ≤ 22.7)

Vendor: ivanti
Product: policy secure
Version: 22.7 (affected: ≤ 22.7)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References

Ivanti Security Advisory (Connect Secure, Policy Secure, Secure Access Client, multiple CVEs): https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs