CVE-2024-21888

Published: Jan 31, 2024Modified: Jun 3, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.

Affected (106)

Products: Ivanti: Connect Secure, Policy Secure

Ivanti

2 products

Connect Secure

Policy Secure

Configuration A

106 vulnerable

Vulnerable Software	Affected Versions
Ivanti Connect Secure	Version 21.12 r1
Ivanti Connect Secure	Version 21.9 r1
Ivanti Connect Secure	Version 22.1 r1
Ivanti Connect Secure	Version 22.1 r6
Ivanti Connect Secure	Version 22.2
Ivanti Connect Secure	Version 22.2 r1
Ivanti Connect Secure	Version 22.3 r1
Ivanti Connect Secure	Version 22.4 r1
Ivanti Connect Secure	Version 22.4 r2.1
Ivanti Connect Secure	Version 22.6
Ivanti Connect Secure	Version 22.6 r1
Ivanti Connect Secure	Version 22.6 r2.1
Ivanti Connect Secure	Version 22.6 r2
Ivanti Connect Secure	Version 9.0
Ivanti Connect Secure	Version 9.0 r1
Ivanti Connect Secure	Version 9.0 r2.1
Ivanti Connect Secure	Version 9.0 r2
Ivanti Connect Secure	Version 9.0 r3.1
Ivanti Connect Secure	Version 9.0 r3.2
Ivanti Connect Secure	Version 9.0 r3.3
Ivanti Connect Secure	Version 9.0 r3.5
Ivanti Connect Secure	Version 9.0 r3
Ivanti Connect Secure	Version 9.0 r4.1
Ivanti Connect Secure	Version 9.0 r4
Ivanti Connect Secure	Version 9.0 r5.0
Ivanti Connect Secure	Version 9.0 r6.0
Ivanti Connect Secure	Version 9.1 r10
Ivanti Connect Secure	Version 9.1 r11.3
Ivanti Connect Secure	Version 9.1 r11.4
Ivanti Connect Secure	Version 9.1 r11.5
Ivanti Connect Secure	Version 9.1 r11
Ivanti Connect Secure	Version 9.1 r12.1
Ivanti Connect Secure	Version 9.1 r12
Ivanti Connect Secure	Version 9.1 r13.1
Ivanti Connect Secure	Version 9.1 r13
Ivanti Connect Secure	Version 9.1 r14
Ivanti Connect Secure	Version 9.1 r15.2
Ivanti Connect Secure	Version 9.1 r15
Ivanti Connect Secure	Version 9.1 r16.1
Ivanti Connect Secure	Version 9.1 r16
Ivanti Connect Secure	Version 9.1 r17.1
Ivanti Connect Secure	Version 9.1 r17
Ivanti Connect Secure	Version 9.1 r18.1
Ivanti Connect Secure	Version 9.1 r18.2
Ivanti Connect Secure	Version 9.1 r18
Ivanti Connect Secure	Version 9.1 r1
Ivanti Connect Secure	Version 9.1 r2
Ivanti Connect Secure	Version 9.1 r3
Ivanti Connect Secure	Version 9.1 r4.1
Ivanti Connect Secure	Version 9.1 r4.2
Ivanti Connect Secure	Version 9.1 r4.3
Ivanti Connect Secure	Version 9.1 r4
Ivanti Connect Secure	Version 9.1 r5
Ivanti Connect Secure	Version 9.1 r6
Ivanti Connect Secure	Version 9.1 r7
Ivanti Connect Secure	Version 9.1 r8.1
Ivanti Connect Secure	Version 9.1 r8.2
Ivanti Connect Secure	Version 9.1 r8
Ivanti Connect Secure	Version 9.1 r9.1
Ivanti Connect Secure	Version 9.1 r9
Ivanti Policy Secure	Version 22.1 r1
Ivanti Policy Secure	Version 22.1 r6
Ivanti Policy Secure	Version 22.2 r1
Ivanti Policy Secure	Version 22.2 r3
Ivanti Policy Secure	Version 22.3 r1
Ivanti Policy Secure	Version 22.3 r3
Ivanti Policy Secure	Version 22.4 r1
Ivanti Policy Secure	Version 22.4 r2.1
Ivanti Policy Secure	Version 22.4 r2
Ivanti Policy Secure	Version 22.5 r1
Ivanti Policy Secure	Version 22.6 r1
Ivanti Policy Secure	Version 9.0
Ivanti Policy Secure	Version 9.0 r1
Ivanti Policy Secure	Version 9.0 r2.1
Ivanti Policy Secure	Version 9.0 r2
Ivanti Policy Secure	Version 9.0 r3.1
Ivanti Policy Secure	Version 9.0 r3
Ivanti Policy Secure	Version 9.0 r4
Ivanti Policy Secure	Version 9.1
Ivanti Policy Secure	Version 9.1 r10
Ivanti Policy Secure	Version 9.1 r11
Ivanti Policy Secure	Version 9.1 r12
Ivanti Policy Secure	Version 9.1 r13.1
Ivanti Policy Secure	Version 9.1 r13
Ivanti Policy Secure	Version 9.1 r14
Ivanti Policy Secure	Version 9.1 r15
Ivanti Policy Secure	Version 9.1 r16
Ivanti Policy Secure	Version 9.1 r17
Ivanti Policy Secure	Version 9.1 r18.1
Ivanti Policy Secure	Version 9.1 r18.2
Ivanti Policy Secure	Version 9.1 r18
Ivanti Policy Secure	Version 9.1 r1
Ivanti Policy Secure	Version 9.1 r2
Ivanti Policy Secure	Version 9.1 r3.1
Ivanti Policy Secure	Version 9.1 r3
Ivanti Policy Secure	Version 9.1 r4.1
Ivanti Policy Secure	Version 9.1 r4.2
Ivanti Policy Secure	Version 9.1 r4.3
Ivanti Policy Secure	Version 9.1 r4
Ivanti Policy Secure	Version 9.1 r5
Ivanti Policy Secure	Version 9.1 r6
Ivanti Policy Secure	Version 9.1 r7
Ivanti Policy Secure	Version 9.1 r8.1
Ivanti Policy Secure	Version 9.1 r8.2
Ivanti Policy Secure	Version 9.1 r8
Ivanti Policy Secure	Version 9.1 r9

Related CWEs

CWE-269

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (2)

https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

Source: support@hackerone.com

Vendor Advisory

https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.