CVE-2024-38657

4.9

Medium

Published:21 Feb 2025

Last updated:17 Jun 2026

Source:support@hackerone.com

Analyzed

Weakness (CWE)

CWE-73CWE-73

CVSS Vector

v3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

View on MITRE Find PoC on GitHub

Description

External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files.

References

support@hackerone.com

https://forums.ivanti.com/s/article/February-Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-and-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs