Ivanti has launched security updates for Ivanti Join Safe (ICS), Ivanti Coverage Safe (IPS), and Ivanti Safe Entry Shopper (ISAC) to handle a number of vulnerabilities, together with three crucial severity issues.
The corporate discovered concerning the flaws by its accountable disclosure program from security researchers at CISA and Akamai, and thru the HackerOne bug bounty platform.
Ivanti notes within the security bulletin that it obtained no stories about any of the problems being actively exploited within the wild. Nevertheless, it it recommends that customers set up the security updates as quickly as potential.
The three crucial security vulnerabilities Ivanti patched are the next:
- CVE-2025-22467: Stack-based buffer overflow in ICS permits distant authenticated attackers with low privileges to execute code. (crucial severity rating of 9.9)
- CVE-2024-38657: Exterior management of a filename allows distant authenticated attackers to carry out arbitrary file writing in ICS and IPS. (crucial severity rating of 9.1)
- CVE-2024-10644: Code injection vulnerability allows distant authenticated attackers distant code execution in ICS and IPS. (crucial severity rating of 9.1)
Exploiting any of the three points is feasible from a distant location however an attacker must be authenticated. Moreover, for 2 of them admin privileges are obligatory to realize distant code execution or to jot down arbitrary recordsdata.
Regardless of this, the chance remains to be appreciable as insider threats or attackers who’ve stolen credentials by way of phishing, earlier breaches, or by way of brute forcing passwords, can nonetheless leverage the failings for malicious operations.
There are additionally 5 extra flaws included within the bulletin, starting from medium to excessive severity. Points embrace cross-site scripting (XSS) points, hardcoded keys, cleartext storage of delicate information, and inadequate permissions.
The vulnerabilities impression ICS 22.7R2.5 and older, IPS 22.7R1.2 and older, and ISAC 22.7R4 and under. Particulars about which merchandise are impacted by every flaw will be seen within the desk under.
The problems had been addressed in ICS model 22.7R2.6, IPS model 22.7R1.3, and ISAC 22.8R1, that are the really useful improve targets for system directors.
Ivanti has additionally acknowledged that the difficulty additionally impacts Pulse Join Safe 9.x, however said it doesn’t plan to supply fixes for these merchandise as their help interval has ended,
“The Pulse Join Safe 9.x model of the product reached Finish of Engineering June 2024 and has reached Finish-of-Help as of December 31, 2024,” Ivanti explains.
“Due to this, the 9.x model of Join Safe now not receives backported fixes,” the corporate added, encouraging clients to improve to model 22.7 of Ivanti Join Safe.
Ivanti has not offered any mitigations for the patched flaws and making use of the most recent replace is the really useful resolution.
