cbcvebase.

Ivanti Connect Secure vulnerabilities

130 known vulnerabilities affecting ivanti/connect_secure.

Total CVEs
130
CISA KEV
14
actively exploited
Public exploits
14
Exploited in wild
19
Severity breakdown
CRITICAL15HIGH67MEDIUM46LOW2

Vulnerabilities

Page 1 of 7
CVE-2019-11510P1CRITICALCVSS 10.0KEVPoCRansomwarev8.2v8.3+1 more2019-05-08
CVE-2019-11510 [CRITICAL] CWE-22 CVE-2019-11510: In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9 In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .
nvd
CVE-2025-22457P1CRITICALCVSS 9.8KEVPoCRansomwarefixed in 22.7v22.72025-04-03
CVE-2025-22457 [CRITICAL] CWE-121 CVE-2025-22457: A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.
nvd
CVE-2025-0282P1CRITICALCVSS 9.0KEVPoCRansomwarev22.7≥ 22.7R2, ≤ 22.7R2.42025-01-08
CVE-2025-0282 [CRITICAL] CWE-121 CVE-2025-0282: A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
nvd
CVE-2024-21893P1HIGHCVSS 8.2KEVPoCRansomwarev9.0v9.1+7 more2024-01-31
CVE-2024-21893 [HIGH] CWE-918 CVE-2024-21893: A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22. A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
nvd
CVE-2023-46805P1HIGHCVSS 8.2KEVPoCRansomwarev9.0v9.1+6 more2024-01-12
CVE-2023-46805 [HIGH] CWE-287 CVE-2023-46805: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Polic An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
nvd
CVE-2024-21887P1CRITICALCVSS 9.1KEVPoCRansomwarev9.0v9.1+6 more2024-01-12
CVE-2024-21887 [CRITICAL] CWE-77 CVE-2024-21887: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
nvd
CVE-2021-22893P1CRITICALCVSS 10.0KEVPoCRansomwarev9.0v9.12021-04-23
CVE-2021-22893 [CRITICAL] CWE-287 CVE-2021-22893: Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has be
nvd
CVE-2020-8260P1HIGHCVSS 7.2KEVPoCRansomware≤ 9.0v9.12020-10-28
CVE-2020-8260 [HIGH] CWE-434 CVE-2020-8260: A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.
nvd
CVE-2019-11539P1HIGHCVSS 7.2KEVPoCRansomwarev8.1v8.2+2 more2019-04-26
CVE-2019-11539 [HIGH] CWE-78 CVE-2019-11539: In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX befor In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject
nvd
CVE-2020-8218P1HIGHCVSS 7.2KEVPoC≤ 9.0v9.12020-07-30
CVE-2020-8218 [HIGH] CWE-94 CVE-2020-8218: A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to craf A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface.
nvd
CVE-2020-8243P1HIGHCVSS 7.2KEVRansomware≤ 9.0v9.12020-09-30
CVE-2020-8243 [HIGH] CWE-94 CVE-2020-8243: A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticat A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload custom template to perform an arbitrary code execution.
nvd
CVE-2021-22894P1HIGHCVSS 8.8KEVv9.0v9.12021-05-27
CVE-2021-22894 [HIGH] CWE-94 CVE-2021-22894: A buffer overflow vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authe A buffer overflow vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to execute arbitrary code as the root user via maliciously crafted meeting room.
nvd
CVE-2021-22899P1HIGHCVSS 8.8KEVv9.0v9.12021-05-27
CVE-2021-22899 [HIGH] CWE-77 CVE-2021-22899: A command injection vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote aut A command injection vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via Windows Resource Profiles Feature
nvd
CVE-2021-22900P2HIGHCVSS 7.2KEVv9.0v9.12021-05-27
CVE-2021-22900 [HIGH] CWE-94 CVE-2021-22900: A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that c A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.
nvd
CVE-2024-22024P1HIGHCVSS 8.3ExploitedPoCv9.1v22.4+1 more2024-02-13
CVE-2024-22024 [HIGH] CWE-611 CVE-2024-22024: An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22. An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.
nvd
CVE-2025-0283P1HIGHCVSS 7.0ExploitedPoCRansomwarefixed in 9.1≥ 22.2, < 22.7+5 more2025-01-08
CVE-2025-0283 [HIGH] CWE-121 CVE-2025-0283: A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.
nvd
CVE-2019-11507P1MEDIUMCVSS 6.1ExploitedPoCRansomwarev8.3v9.02019-05-08
CVE-2019-11507 [MEDIUM] CWE-79 CVE-2019-11507: In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3, an XSS issue In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3, an XSS issue has been found on the Application Launcher page.
nvd
CVE-2024-21888P1HIGHCVSS 8.8Exploitedv9.0v9.1+7 more2024-01-31
CVE-2024-21888 [HIGH] CWE-269 CVE-2024-21888: A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivant A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.
nvd
CVE-2024-21894P1CRITICALCVSS 9.8Exploitedv9.1v22.1+18 more2024-04-04
CVE-2024-21894 [CRITICAL] CWE-787 CVE-2024-21894: A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Pol A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack. In certain conditions this may lead to execution of arbitrary code
nvd
CVE-2024-37404P1HIGHCVSS 8.8PoCfixed in 9.1≥ 22.3, < 22.7+4 more2024-10-18
CVE-2024-37404 [HIGH] CVE-2024-37404: Improper Input Validation in the admin portal of Ivanti Connect Secure before 22.7R2.1 and 9.1R18.9, Improper Input Validation in the admin portal of Ivanti Connect Secure before 22.7R2.1 and 9.1R18.9, or Ivanti Policy Secure before 22.7R1.1 allows a remote authenticated attacker to achieve remote code execution.
nvd
Ivanti Connect Secure vulnerabilities | cvebase