CVE-2024-21894

CRITICAL EXPLOITED

Ivanti Connect Secure - Out-of-Bounds Write

Title source: rule

Description

A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack. In certain conditions this may lead to execution of arbitrary code

Exploits (1)

inthewild

poc

https://github.com/ransomgroupcve/cve-2024-21894-poc

View on inthewild

References (1)

[Vendor Advisory] https://forums.ivanti.com/s/article/SA-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

Scores

CVSS v3 9.8

EPSS 0.0944

EPSS Percentile 92.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-10-30

CWE

CWE-703 CWE-787

Status published

Products (9)

ivanti/connect_secure 9.1 r1 (22 CPE variants)

ivanti/connect_secure 22.1

ivanti/connect_secure 22.2

ivanti/connect_secure 22.3

ivanti/connect_secure 22.4

ivanti/connect_secure 22.5

ivanti/connect_secure 22.6

ivanti/policy_secure 9.0 (7 CPE variants)

ivanti/policy_secure 9.1 (15 CPE variants)

Published Apr 04, 2024

Tracked Since Feb 18, 2026