CISA Known Exploited Vulnerability (KEV)
Vulnerability Name | Date Added | Due Date | Required Action |
---|---|---|---|
Ivanti Connect Secure and Policy Secure Command Injection Vulnerability | January 10, 2024 | January 22, 2024 | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. |
Description
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
Weakness Enumeration
CWE-ID | CWE Name |
---|---|
CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) |