--- licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0) licence_link: https://creativecommons.org/licenses/by/4.0/ licence_restrictions: https://cert.europa.eu/legal-notice licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies title: 'DoS Vulnerabilities in Pulse Secure Products' version: '1.0' number: '2022-074' original_date: 'October 13, 2022' date: 'October 27, 2022' --- _History:_ * _27/10/2022 --- v1.0 -- Initial publication_ # Summary On October 13, 2022, Ivanti released an advisory regarding two vulnerabilities affecting Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Neurons for Zero-Trust Gateway that could lead to DoS conditions if exploited [1]. It is recommended to upgrade to the latest version of these products. # Technical Details Ivanti did not release much technical details about the vulnerabilities, identified by `CVE-2022-35254`, and `CVE-2022-35258`, with CVSS scores of 7.5 out of 10. Nevertheless, the company specified that the vulnerabilities could lead to Denial-of-Service (DoS) conditions if exploited. Based on the CVSS scores, we can guess that the vulnerabilities could be exploited remotely and fairly easily. # Affected Products **CVE-2022-35254** and **CVE-2022-35258** affect: - Ivanti Policy Secure 9.1R16, 22.2R1 and below - Ivanti Neurons for Zero-Trust Gateway 22.2R1 and below - Ivanti Connect Secure 9.1R16.1, 22.2R1 and below The Ivanti Neurons for Secure Access was affected by both vulnerabilities. Ivanti upgraded the hosted controller and completed the upgrade on October 9, 2022. There is no action for customers to take regarding the Ivanti Neurons for Secure Access Controller. # Recommendations CERT-EU recommends updating the affected systems to the latest version. # References [1]