Privilege Escalation Vulnerability Affects Ivanti Connect Secure and Policy Secure

CVE-2024-21888

8.8HIGH

Key Information

Vendor: Ivanti
Status: ICS; IPS
Vendor: CVE Published:; 31 January 2024

Badges

👾 Exploit Exists📰 News Worthy

Summary

A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.

Affected Version(s)

ICS <= 9.1R18

ICS <= 22.6R2

IPS <= 9.1R18

News Articles

The Record by Recorded Future

CVE-2024-21888CVE-2024-21893

Two new Ivanti bugs discovered as CISA warns of hackers bypassing mitigations

IT company Ivanti said this week that it discovered two new vulnerabilities affecting its products while investigating bugs discovered earlier in the month.

10 months ago

Cyber Kendra

CVE-2024-21893CVE-2024-21888

Two New Zero-Day Flaws Disclosed in Ivanti Products, One Under Active Exploitation - Cyber Kendra

Two New Zero-Day Flaws Disclosed in Ivanti Products, One Under Active Exploitation

10 months ago

Duo Security

CVE-2024-21888CVE-2024-21893

Ivanti Rolls Out Patches For Exploited Connect Secure Flaws

Ivanti has rolled out its first round of patches for two existing - and two newly discovered - vulnerabilities in its Ivanti Connect Secure VPN and Ivanti Policy Secure appliances.

10 months ago

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

👾
Exploit exists.
Feb 1, 2024
First article discovered by Dark Reading
Jan 31, 2024
Vulnerability published.
Jan 31, 2024
Vulnerability Reserved.
Jan 3, 2024

Collectors

NVD DatabaseMitre Database5 News Article(s)