CVE-2024-10644 in Connect Secure
Summary
by MITRE • 02/11/2025
Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/14/2025
The vulnerability identified as CVE-2024-10644 represents a critical code injection flaw affecting Ivanti Connect Secure and Ivanti Policy Secure platforms. This security weakness exists in versions prior to 22.7R2.4 for Connect Secure and 22.7R1.3 for Policy Secure, creating a significant risk for organizations utilizing these network security solutions. The vulnerability specifically targets the authentication and authorization mechanisms within these systems, allowing an attacker with administrative privileges to execute arbitrary code remotely.
The technical implementation of this vulnerability stems from inadequate input validation and sanitization within the affected Ivanti products. When administrative users interact with the system's management interfaces, the platform fails to properly validate or escape user-supplied data before processing it within the application's execution context. This code injection vector enables attackers to inject malicious commands that are then executed with the privileges of the administrative account. The flaw falls under the CWE-94 category of "Improper Control of Generation of Code" which specifically addresses situations where applications fail to properly control code generation and execution. The vulnerability's impact is amplified by the fact that it requires only administrative authentication, which is typically limited to trusted personnel but can be compromised through various attack vectors.
The operational implications of this vulnerability are severe and far-reaching for organizations relying on Ivanti security solutions. Remote code execution capabilities allow attackers to completely compromise the affected systems, potentially leading to full network infiltration, data exfiltration, and persistent backdoor establishment. Once an attacker achieves administrative access through this vulnerability, they can manipulate network traffic controls, modify security policies, and potentially pivot to other systems within the network infrastructure. This vulnerability directly aligns with several tactics outlined in the MITRE ATT&CK framework including T1059 for command and scripting interpreter and T1078 for valid accounts, as it leverages legitimate administrative credentials to execute malicious code. The attack surface is particularly concerning because these products are commonly deployed as core network security devices that control access to sensitive infrastructure.
Organizations must prioritize immediate remediation of this vulnerability by upgrading to the patched versions of Ivanti Connect Secure 22.7R2.4 and Ivanti Policy Secure 22.7R1.3. System administrators should also implement additional security controls including network segmentation, privileged access management solutions, and enhanced monitoring of administrative activities. The vulnerability demonstrates the critical importance of maintaining up-to-date security patches and implementing defense-in-depth strategies to protect against exploitation of authenticated code injection vulnerabilities. Organizations should conduct thorough security assessments to identify any potential compromise and implement network monitoring to detect unusual administrative activities that might indicate exploitation attempts. The remediation process should include comprehensive testing of the patched versions to ensure compatibility with existing network configurations while maintaining the security posture against this and similar threats.