Hardcoded Secret Vulnerability in Ivanti DSM Software
CVE-2024-38648

9CRITICAL

Key Information:

Vendor: Ivanti
Status: Dsm
Vendor: CVE Published:; 12 July 2025

What is CVE-2024-38648?

A vulnerability exists in Ivanti DSM prior to version 2024.2 due to the presence of a hardcoded secret. This design flaw enables an authenticated attacker on an adjacent network to decrypt sensitive information, potentially exposing user credentials and other confidential data. Organizations using this software are urged to review their security measures and upgrade to the latest version to mitigate risks associated with this vulnerability.

Affected Version(s)

DSM 2024.2

References

https://forums.ivanti.com/s/article/SA-2024-07-12-CVE-202...

CVSS V3.0

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 12, 2025
Vulnerability Reserved
Jun 19, 2024