Ivanti has swiftly addressed four critical security vulnerabilities affecting its Connect Secure and Policy Secure Gateways, releasing urgent patches to mitigate potential risks of code execution and denial-of-service (DoS) attacks. These flaws, including heap overflow and null pointer dereference vulnerabilities in the IPSec component, pose significant threats to unauthenticated users. The company’s proactive response underscores the importance of prompt patching to prevent exploitation by malicious actors.
The vulnerabilities, assigned CVE identifiers and CVSS scores, highlight the severity of the security risks associated with Ivanti’s gateway products. Notably, flaws such as heap overflow and null pointer dereference in the IPSec component can be exploited by unauthenticated malicious users to crash the service and potentially execute arbitrary code. Additionally, an XML entity expansion vulnerability in the SAML component allows attackers to cause temporary resource exhaustion, resulting in a limited-time DoS.
Despite not reporting any instances of customer exploitation at the time of disclosure, Ivanti remains vigilant in addressing security vulnerabilities across its product portfolio. The company’s commitment to enhancing its security posture and adopting secure-by-design principles reflects a proactive approach to mitigating emerging threats. With ongoing efforts to intensify internal scanning, testing capabilities, and engagement with third-party researchers, Ivanti aims to bolster its defenses and ensure customer protection in an evolving threat landscape.
