Flaws in third-party components
Ivanti notes that the vulnerabilities are located in two open-source libraries used within the product. Because the flaws have not yet been disclosed in the libraries themselves, the company has decided not to name them for now, but it is working with their maintainers.
One of the flaws, CVE-2025-4428, is an arbitrary code execution issue, but because it requires authentication to exploit, it has only a 7.2 (high severity) rating on the CVSS scale. The other vulnerability is an authentication bypass that gives unauthenticated attackers access to protected resources and is rated only as medium severity, with a score of 5.3.
However, the authentication bypass is exactly what is needed to turn the impact of the first flaw from high to critical, because it enables exploitation without authentication, removing the one limiting factor. This is a good example of why severity scores should not be the only criterion for prioritizing patches: some lower-severity flaws can be chained together to achieve far more potent attacks.