CVE-2024-37377

Published: Dec 12, 2024Modified: Jul 2, 2025

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: support@hackerone.com (Secondary)

Description

A heap-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service.

Affected (16)

Products: Ivanti: Connect Secure, Policy Secure

Ivanti

2 products

Connect Secure

Policy Secure

Configuration A

16 vulnerable

Vulnerable Software	Affected Versions
Ivanti Connect Secure	Before 22.7
Ivanti Connect Secure	Version 22.7
Ivanti Connect Secure	Version 22.7 r1.1
Ivanti Connect Secure	Version 22.7 r1.2
Ivanti Connect Secure	Version 22.7 r1.3
Ivanti Connect Secure	Version 22.7 r1.4
Ivanti Connect Secure	Version 22.7 r1.5
Ivanti Connect Secure	Version 22.7 r1
Ivanti Connect Secure	Version 22.7 r2.1
Ivanti Connect Secure	Version 22.7 r2.2
Ivanti Connect Secure	Version 22.7 r2.3
Ivanti Connect Secure	Version 22.7 r2
Ivanti Policy Secure	Before 22.7
Ivanti Policy Secure	Version 22.7
Ivanti Policy Secure	Version 22.7 r1.1
Ivanti Policy Secure	Version 22.7 r1

Related CWEs

CWE-787

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

References (1)

https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Connect-Secure-ICS-and-Ivanti-Policy-Secure-IPS-Multiple-CVEs

Source: support@hackerone.com

Vendor Advisory

Timeline

No history available yet.