---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerability in Ivanti Products'
number: '2024-110'
version: '1.0'
original_date: '2024-10-08'
date: '2024-10-15'
---

_History:_

* _15/10/2024 --- v1.0 -- Initial publication_

# Summary

On October 8, 2024, Ivanti addressed a critical vulnerability in Ivanti Connect Secure and Ivanti Policy Secure [1].

# Technical Details

The vulnerability **CVE-2024-37404**, with a CVSS score of 9.1, is an improper input validation issue in the admin portal that allows a remote authenticated attacker to achieve remote code execution.

# Affected Products

- Ivanti Connect Secure: All versions before 22.7R2.1
- Ivanti Connect Secure: All versions before 9.1R18.9
- Ivanti Policy Secure: All versions before 22.7R1.1

# Recommendations

CERT-EU strongly recommends updating affected devices as soon as possible [1].

# References

[1]