At Ivanti, our top priority is upholding our commitment to deliver and maintain secure products. We continue to invest significant resources to ensure that all our solutions continue to meet our own high standards. In the best interests of our customers, we are always investigating, assessing, monitoring, and validating the security posture of our solutions. We collaborate with the broader security ecosystem to share intelligence and appreciate when we are made aware of issues via responsible disclosure from reputable sources.

As part of our ongoing strengthening of the security of our products we have discovered new vulnerabilities in Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways. We are reporting these vulnerabilities as CVE-2023-46805 and CVE-2024-21887. These vulnerabilities impact all supported versions of the products. Mitigations are available now.

Update 1 February: A patch addressing all known vulnerabilities is now available for Ivanti Connect Secure version 22.5R2.2 and Ivanti Policy Secure 22.5R1.1.

Update 31 January: A patch is now available via the standard download portal for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1), and ZTA version 22.6R1.3. Additionally, as part of our ongoing investigation new vulnerabilities have been identified that we are reporting as CVE-2024-21888 and CVE-2024-21893. More information on the CVEs can be found in this Security Advisory

CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893 are all remediated with the patch. There is also a new mitigation available to address the new vulnerabilities while the rest of the patches are in development to prioritize the best interest of our customers. Customers who have applied the patch do not need to apply the mitigation.

These vulnerabilities do not impact any other Ivanti products or solutions.

More information on the originally disclosed CVEs and detailed instructions on patch availability and how to mitigate the vulnerabilities can be found in this Security Advisory.

Our Support team is always available to help customers and partners should they have any questions. Cases can be logged via the Success portal (login credentials required).

Ivanti would like to thank Volexity and Mandiant for their assistance in identifying and reporting the issue in Ivanti Policy Secure and Ivanti Connect Secure.

Want to stay up to date on Ivanti Security Advisories? Paste https://www.ivanti.com/blog/topics/security-advisory/rss into your preferred RSS reader / functionality in your email program.