
Ivanti fixes three critical flaws in Connect Secure & Policy Secure

  • February 12, 2025

Jasper_The_Rasper
Moderator

February 12, 2025 By Bill Toulas

 


Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems.

The company learned about the flaws through its responsible disclosure program from security researchers at CISA and Akamai, and through the HackerOne bug bounty platform.

Ivanti notes in the security bulletin that it received no reports about any of the issues being actively exploited in the wild. However, it recommends that users install the security updates as soon as possible.

The three critical security vulnerabilities Ivanti patched are the following:

  • CVE-2025-22467: Stack-based buffer overflow in ICS allows remote authenticated attackers with low privileges to execute code. (critical severity score of 9.9)
  • CVE-2024-38657: External control of a filename enables remote authenticated attackers to perform arbitrary file writing in ICS and IPS. (critical severity score of 9.1)
  • CVE-2024-10644: Code injection vulnerability enables remote authenticated attackers to achieve remote code execution in ICS and IPS. (critical severity score of 9.1)

 
