CVE-2024-8495
Published: 12 November 2024
Summary
CVE-2024-8495 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Ivanti Connect Secure. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 10.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A null pointer dereference vulnerability tracked as CVE-2024-8495 affects Ivanti Connect Secure prior to version 22.7R2.1 and Ivanti Policy Secure prior to version 22.7R1.1. The flaw, assigned CWE-476 and carrying a CVSS 3.1 base score of 7.5, resides in the network-accessible components of these appliances and can be triggered without any authentication or user interaction.
A remote unauthenticated attacker can send specially crafted network requests to trigger the null pointer dereference, resulting in a denial-of-service condition that disrupts availability of the affected service while leaving confidentiality and integrity unaffected.
The official Ivanti security advisory addresses this issue alongside other CVEs in the same products and directs administrators to apply the fixed releases 22.7R2.1 for Connect Secure and 22.7R1.1 for Policy Secure. The advisory also outlines additional hardening steps and upgrade paths for related Ivanti Secure Access Client components.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-49546
Vulnerability details
A null pointer dereference in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to cause a denial of service.
- CWE(s): CWE-476 (NULL Pointer Dereference)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Ivanti Connect Secure before version 22.7R2.1
- Ivanti Policy Secure before version 22.7R1.1
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.