CVE-2024-38648

5.7

Medium

Published:12 Jul 2025

Last updated:17 Jun 2026

Source:support@hackerone.com

Analyzed

Weakness (CWE)

CWE-798Use of Hard-coded Credentials

CVSS Vector

v3.1

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

View on MITRE Find PoC on GitHub

Description

A hardcoded secret in Ivanti DSM before 2024.2 allows an authenticated attacker on an adjacent network to decrypt sensitive data including user credentials.

References

support@hackerone.com

https://forums.ivanti.com/s/article/SA-2024-07-12-CVE-2024-38648