Ivanti Releases Critical Security Update

Ivanti Releases Critical Security Updates for Connect Secure and Policy Secure to Address High-Risk Vulnerabilities.

Ivanti has issued urgent security patches to fix multiple high-severity vulnerabilities affecting Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA). These flaws could allow attackers to execute arbitrary code, posing a serious risk to affected systems.

Key Vulnerabilities:

- CVE-2024-38657 (CVSS 9.1) – A flaw in file name control allows authenticated administrators to write arbitrary files in Ivanti Connect Secure (pre-22.7R2.4) and Ivanti Policy Secure (pre-22.7R1.3).

- CVE-2025-22467 (CVSS 9.9) – A stack-based buffer overflow in Ivanti Connect Secure (pre-22.7R2.6) enables remote attackers to achieve remote code execution (RCE).

- CVE-2024-10644 (CVSS 9.1) – A code injection vulnerability in Ivanti Connect Secure (pre-22.7R2.4) and Ivanti Policy Secure (pre-22.7R1.3) allows attackers with admin privileges to execute arbitrary code remotely.

- CVE-2024-47908 (CVSS 9.1) – An OS command injection flaw in the admin web console of Ivanti CSA (pre-5.0.5) could let attackers with admin access execute remote commands on the system.

What you should do

Ivanti users are strongly advised to apply the latest security updates immediately to mitigate the risk of exploitation. Organizations should also review network access policies, monitor for unusual activity, and restrict administrative access to minimize exposure.

Cybersecurity researchers warn that attackers are actively scanning for vulnerable systems, making timely patching critical in preventing potential breaches.

Ivanti has addressed several serious security flaws in its Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA) products that could lead to remote code execution if exploited by attackers. These issues have been resolved in the following versions:

- Ivanti Connect Secure 22.7R2.6

- Ivanti Policy Secure 22.7R1.3

- Ivanti CSA 5.0.5
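The practical first step in "what you should do" is knowing which appliances in your own inventory sit below the fixed releases listed above. The script below is an added example written for this article, not code from Ivanti or from the advisory: it parses Ivanti-style version strings (the 22.7R2.6 form for ICS/IPS and the 5.0.5 form for CSA), compares each host against the per-CVE "pre-" thresholds given on this page, and reports the CVEs that still apply. It assumes, as the page's wording implies, that any release numerically below the stated threshold is affected; the inventory, host names and the unknown-version entry are constructed for the demonstration and are not real systems.

```python
import re

# Fixed releases as listed in the advisory summary above.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.3",
    "Ivanti CSA": "5.0.5",
}

# Per-CVE "pre-" thresholds from the Key Vulnerabilities list on this page.
CVE_THRESHOLDS = {
    "Ivanti Connect Secure": [
        ("CVE-2024-38657", "22.7R2.4"),
        ("CVE-2024-10644", "22.7R2.4"),
        ("CVE-2025-22467", "22.7R2.6"),
    ],
    "Ivanti Policy Secure": [
        ("CVE-2024-38657", "22.7R1.3"),
        ("CVE-2024-10644", "22.7R1.3"),
    ],
    "Ivanti CSA": [
        ("CVE-2024-47908", "5.0.5"),
    ],
}

# ICS/IPS style: <major>.<minor>R<release>[.<patch>]   e.g. 22.7R2.6
_ICS_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")
# CSA style: <major>.<minor>.<patch>                   e.g. 5.0.5
_CSA_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple that orders correctly within a product line, or None if unparseable."""
    s = text.strip()
    m = _ICS_RE.match(s)
    if m:
        major, minor, rel, patch = m.groups()
        return (int(major), int(minor), int(rel), int(patch or 0))
    m = _CSA_RE.match(s)
    if m:
        major, minor, patch = m.groups()
        return (int(major), int(minor), int(patch), 0)
    return None


def is_vulnerable(product, version):
    """True if below the fixed release, False if at/above it, None if the version is unreadable."""
    v = parse_version(version)
    if v is None:
        return None
    return v < parse_version(FIXED_VERSIONS[product])


def applicable_cves(product, version):
    """List the page's CVEs whose 'pre-' threshold is above this version (None if unreadable)."""
    v = parse_version(version)
    if v is None:
        return None
    return [cve for cve, threshold in CVE_THRESHOLDS[product] if v < parse_version(threshold)]


# Constructed sample inventory; hostnames are hypothetical placeholders.
SAMPLE_INVENTORY = [
    {"host": "vpn-1.example.test", "product": "Ivanti Connect Secure", "version": "22.7R2.4"},
    {"host": "vpn-2.example.test", "product": "Ivanti Connect Secure", "version": "22.7R2.6"},
    {"host": "nac-1.example.test", "product": "Ivanti Policy Secure", "version": "22.7R1.2"},
    {"host": "csa-1.example.test", "product": "Ivanti CSA", "version": "5.0.4"},
    {"host": "csa-2.example.test", "product": "Ivanti CSA", "version": "unknown"},
]


def triage(inventory):
    """Map host -> outstanding CVEs; hosts with an unreadable version are flagged for manual review."""
    findings = {}
    for item in inventory:
        cves = applicable_cves(item["product"], item["version"])
        if cves is None:
            findings[item["host"]] = ["REVIEW: unparseable version"]
        elif cves:
            findings[item["host"]] = cves
    return findings


if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves)}")
```

Hosts already at or above the fixed release drop out of the report entirely, and a version string the parser cannot read is surfaced rather than silently treated as patched, which is the failure mode you least want in a patch-status check.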

The company has stated that it is not aware of any active exploits in the wild at this time. However, given the repeated targeting of Ivanti appliances by cybercriminals, it is critical for users to promptly apply the latest security patches to avoid potential breaches. 

In a related update, JPCERT/CC reported that a previously patched vulnerability (CVE-2025-0282) in Ivanti Connect Secure was being exploited to distribute a new variant of the SPAWN malware framework, called SPAWNCHIMERA. 

SPAWNCHIMERA is a sophisticated malware combining features from previous versions of SPAWNANT, SPAWNMOLE, and SPAWNSNAIL. The malware introduces new changes such as using UNIX domain sockets for inter-process communication and attempting to patch the vulnerability itself to block other actors from exploiting it. 

Ivanti has acknowledged that its products have been targeted by highly sophisticated threat actors, particularly nation-state groups looking to launch espionage campaigns against high-value organizations. 

To combat these advanced attacks, Ivanti has stepped up its security efforts, including:

- Enhancing internal scanning capabilities

- Conducting more comprehensive exploitation testing

- Strengthening collaboration with the security community

- Becoming a CVE Numbering Authority to improve its responsible disclosure process

The cybersecurity community has also been alerted to another high-severity vulnerability in SonicWall SonicOS (CVE-2024-53704), which can be exploited to bypass authentication on firewalls. This could allow attackers to hijack active SSL VPN sessions, granting them unauthorized access to corporate networks. 

As of February 7, 2025, nearly 4,500 internet-facing SonicWall SSL VPN servers remain unpatched and vulnerable to this attack. 

With cyberattacks becoming increasingly sophisticated, users of Ivanti and SonicWall products should prioritize applying the latest security patches to safeguard against these critical vulnerabilities. Regular patch management, proactive monitoring, and collaborating with the cybersecurity community remain essential strategies in defending against evolving threats. 

In a similar move, Akamai has published its discovery of two vulnerabilities in Fortinet FortiOS (CVE-2024-46666 and CVE-2024-46668) that an unauthenticated attacker can exploit to achieve denial-of-service (DoS) and remote code execution. The flaws were resolved by Fortinet on January 14, 2025. 

Fortinet has since also revised its advisory for CVE-2024-55591 to highlight another flaw tracked as CVE-2025-24472 (CVSS score: 8.1) that could result in an authentication bypass in FortiOS and FortiProxy devices via a specially crafted CSF proxy request. 

The company credited watchTowr Labs researcher Sonny Macdonald for discovering and reporting the flaw. It's worth noting that the vulnerability has already been patched alongside CVE-2024-55591, meaning no customer action is required if fixes for the latter have already been applied. 

"Both CVEs cover the same vulnerability but on a different endpoint," Benjamin Harris, CEO of watchTowr, told The Hacker News. "There is one management interface, however this management interface has effectively three sub interfaces.

"The original CVE-2024-55591 vulnerability was scoped to an authentication bypass in only one of these sub interfaces. The 'new' CVE that was disclosed yesterday reflects the same authentication bypass in a different sub interface. The root cause is the same and the same patch resolves CVE-2025-24472."

With Cybersecurity Insights, current news and event trends in cybersecurity, recent system and cyber-attacks, artificial intelligence (AI), and technology innovation happening around the world are captured to keep our viewers abreast of current developments in technology and system security, and of how they affect our lives and ecosystem.