cvebase

Ivanti Connect Secure vulnerabilities

130 known vulnerabilities affecting ivanti/connect_secure.

Total CVEs: 130
CISA KEV: 14 (actively exploited)
Public exploits: 14
Exploited in wild: 19
Severity breakdown: CRITICAL 15, HIGH 67, MEDIUM 46, LOW 2

Vulnerabilities

Page 2 of 7
CVE-2021-22908 | P2 | HIGH | CVSS 8.8 | v9.0 | v9.1 | 2021-05-27
CVE-2021-22908 [HIGH] CWE-120: A buffer overflow vulnerability exists in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user. As of version 9.1R3, this permission is not enabled by default.
nvd
CVE-2019-11542 | P2 | HIGH | CVSS 7.2 | v8.1 | v8.2 | +1 more | 2019-04-26
CVE-2019-11542 [HIGH] CWE-787: In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, an authenticated attacker (via the admin web interface) can send a
nvd
CVE-2025-22467 | P2 | HIGH | CVSS 8.8 | ≤ 22.7 | v22.7 | 2025-02-11
CVE-2025-22467 [HIGH] CWE-121: A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution.
nvd
CVE-2019-11540 | P2 | CRITICAL | CVSS 9.8 | v8.3 | 2019-04-26
CVE-2019-11540 [CRITICAL]: In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4 and 8.3RX before 8.3R7.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2 and 5.4RX before 5.4R7.1, an unauthenticated, remote attacker can conduct a session hijacking attack.
nvd
CVE-2019-11509 | P2 | HIGH | CVSS 8.8 | v8.1 | v8.2 | +2 more | 2019-06-03
CVE-2019-11509 [HIGH]: In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 and Pulse Policy Secure (PPS) before 5.1R15.1, 5.2 before 5.2R12.1, 5.3 before 5.3R15.1, 5.4 before 5.4R7.1, and 9.0 before 9.0R3.2, an authenticated attacker (via the admin web interface) can exploit Incorrect Access Control to execute
nvd
CVE-2025-55142 | P2 | HIGH | CVSS 8.8 | fixed in 22.7 | v22.7 | 2025-09-09
CVE-2025-55142 [HIGH] CWE-862: Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.
nvd
CVE-2025-55141 | P2 | HIGH | CVSS 8.8 | fixed in 22.7 | v22.7 | 2025-09-09
CVE-2025-55141 [HIGH] CWE-862: Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.
nvd
CVE-2024-9420 | P2 | HIGH | CVSS 8.8 | fixed in 9.1 | ≥ 21.9, < 22.7 | +2 more | 2024-11-12
CVE-2024-9420 [HIGH] CWE-416: A use-after-free in Ivanti Connect Secure before version 22.7R2.3 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker to achieve remote code execution
nvd
CVE-2024-39710 | P3 | CRITICAL | CVSS 9.1 | fixed in 22.7 | v22.7 | +2 more | 2024-11-13
CVE-2024-39710 [CRITICAL] CWE-88: Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2024-38656 | P3 | CRITICAL | CVSS 9.1 | fixed in 22.7 | v22.7 | +2 more | 2024-11-13
CVE-2024-38656 [CRITICAL] CWE-88: Argument injection in Ivanti Connect Secure before version 22.7R2.2 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2024-39711 | P3 | CRITICAL | CVSS 9.1 | fixed in 22.7 | v22.7 | +2 more | 2024-11-13
CVE-2024-39711 [CRITICAL] CWE-88: Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2024-39712 | P3 | CRITICAL | CVSS 9.1 | fixed in 22.7 | v22.7 | +2 more | 2024-11-13
CVE-2024-39712 [CRITICAL] CWE-88: Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2024-9844 | P3 | HIGH | CVSS 8.8 | fixed in 22.7 | v22.7 | 2024-12-10
CVE-2024-9844 [HIGH] CWE-602: Insufficient server-side controls in Secure Application Manager of Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker to bypass restrictions.
nvd
CVE-2025-55147 | P3 | HIGH | CVSS 8.8 | fixed in 22.7 | v22.7 | 2025-09-09
CVE-2025-55147 [HIGH] CWE-352: CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to execute sensitive actions on behalf of the victim user. User interaction is required
nvd
CVE-2016-4787 | P3 | CRITICAL | CVSS 10.0 | v8.0 | v8.2 | +1 more | 2016-05-26
CVE-2016-4787 [CRITICAL]: Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote attackers to read sensitive system authentication files in an unspecified directory via unknown vectors.
nvd
CVE-2019-11538 | P3 | HIGH | CVSS 7.7 | v8.1 | v8.2 | +2 more | 2019-04-26
CVE-2019-11538 [HIGH] CWE-59: In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1, an NFS problem could allow an authenticated attacker to access the contents of arbitrary files on the affected device.
nvd
CVE-2019-11508 | P3 | HIGH | CVSS 7.2 | v7.1 | v7.4 | +4 more | 2019-05-08
CVE-2019-11508 [HIGH] CWE-22: In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an authenticated attacker (via the admin web interface) can exploit Directory Traversal to execute arbitrary code on the appliance.
nvd
CVE-2025-55145 | P3 | HIGH | CVSS 8.9 | fixed in 22.7 | v22.7 | 2025-09-09
CVE-2025-55145 [HIGH] CWE-862: Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker to hijack existing HTML5 connections.
nvd
CVE-2024-22053 | P3 | HIGH | CVSS 8.2 | v9.1 | v22.1 | +18 more | 2024-04-04
CVE-2024-22053 [HIGH] CWE-787: A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack or in certain conditions read contents from memory.
nvd
CVE-2016-4791 | P3 | HIGH | CVSS 8.6 | v8.1 | v8.2 | +1 more | 2016-05-26
CVE-2016-4791 [HIGH]: The administrative user interface in Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r9, and 7.4 before 7.4r13.4 allows remote administrators to enumerate files, read arbitrary files, and conduct server side request forgery (SSRF) attacks via unspecified vectors.
nvd