CVE-2024-22052

HIGH

Ivanti Connect/Ivanti Policy <9.x, 22.x - DoS

Title source: llm

Description

A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack

References (1)

[Vendor Advisory] https://forums.ivanti.com/s/article/New-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

Scores

CVSS v3 7.5

EPSS 0.0415

EPSS Percentile 88.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-703 CWE-476

Status published

Products (9)

ivanti/connect_secure 9.1 r1 (22 CPE variants)

ivanti/connect_secure 22.1

ivanti/connect_secure 22.2

ivanti/connect_secure 22.3

ivanti/connect_secure 22.4

ivanti/connect_secure 22.5

ivanti/connect_secure 22.6

ivanti/policy_secure 9.0 (7 CPE variants)

ivanti/policy_secure 9.1 (15 CPE variants)

Published Apr 04, 2024

Tracked Since Feb 18, 2026