Ivanti on Thursday announced patches for a high-severity vulnerability impacting enterprise VPN and network access products.
Tracked as CVE-2024-22024 and described as an XML external entity (XXE) issue, the security defect was identified in the SAML component of Ivanti Connect Secure, Policy Secure, and ZTA gateway appliances.
According to Ivanti, the successful exploitation of the bug could allow an unauthenticated attacker to access certain restricted resources.
Ivanti also notes that CVE-2024-22024 is mitigated by the patches released on January 31, which addressed two zero-day vulnerabilities exploited in attacks against government and military entities, as well as four other security defects in its enterprise VPN products.
Although it has no evidence of CVE-2024-22024 being exploited against its customers, Ivanti urges them to ensure they have the latest patches.
Customers who applied the January 31 or February 1 patches and factory reset their VPN appliances do not need to perform another factory reset, the company notes.
While Ivanti says in its advisory that the vulnerability was identified internally, attack surface management firm WatchTowr claims that its researchers found it and reported it to Ivanti on February 2.
Ivanti, WatchTowr says, initially assigned a 2023 CVE to the bug, but later told the security firm that the issue is tracked as CVE-2024-22024.
This Cyber News was published on www.securityweek.com. Publication date: Fri, 09 Feb 2024 14:13:03 +0000