Cyber Posture

CVE-2024-10644

Severity: Critical

Published: 11 February 2025

Modified: 14 July 2025
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0684 (91.4th percentile)
Risk Priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Security Summary

CVE-2024-10644 is a code injection vulnerability (CWE-94) affecting Ivanti Connect Secure prior to version 22.7R2.4 and Ivanti Policy Secure prior to version 22.7R1.3. Published on February 11, 2025, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact remote code execution.

The vulnerability can only be exploited by a remote authenticated attacker who already holds administrative privileges on the appliance (reflected in the vector's PR:H). Successful exploitation yields remote code execution on the targeted system, and the changed scope (S:C) means the impact can extend beyond the vulnerable component itself.

Ivanti's February Security Advisory, available at https://forums.ivanti.com/s/article/February-Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-and-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs, addresses this CVE alongside others. Remediation is to upgrade Ivanti Connect Secure to version 22.7R2.4 or later and Ivanti Policy Secure to version 22.7R1.3 or later.

Details

CWE(s)
CWE-94

Affected Products

ivanti : connect secure : 22.7 (affected: ≤ 22.7)
ivanti : policy secure : 22.7 (affected: ≤ 22.7)

References