cvebase

Ivanti Connect Secure vulnerabilities

130 known vulnerabilities affecting ivanti/connect_secure.

Total CVEs: 130
CISA KEV: 14 (actively exploited)
Public exploits: 14
Exploited in wild: 19
Severity breakdown: CRITICAL 15, HIGH 67, MEDIUM 46, LOW 2

Vulnerabilities

Page 3 of 7
CVE-2022-21826 | P3 | MEDIUM | CVSS 5.4 | v9.1 | 2022-09-30
CVE-2022-21826 [MEDIUM] CWE-444: Pulse Secure version 9.115 and below may be susceptible to client-side HTTP request smuggling. When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body on the TCP/TLS socket. This body ends up prefixing the next HTTP request sent down that connection; this means when someone loads website a
nvd
CVE-2018-20813 | P3 | CRITICAL | CVSS 9.8 | v8.3 | 2019-06-28
CVE-2018-20813 [CRITICAL] CWE-20: An input validation issue has been found with login_meeting.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R2.
nvd
CVE-2023-41719 | P3 | HIGH | CVSS 7.2 | v21.9, v21.12, +8 more | 2023-12-14
CVE-2023-41719 [HIGH]: A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker impersonating an administrator may craft a specific web request which may lead to remote code execution.
nvd
CVE-2024-10644 | P3 | HIGH | CVSS 7.2 | fixed in 22.7, v22.7 | 2025-02-11
CVE-2024-10644 [HIGH] CWE-94: Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2024-11634 | P3 | HIGH | CVSS 7.2 | fixed in 22.7, v22.7 | 2024-12-10
CVE-2024-11634 [HIGH] CWE-77: Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (Not applicable to 9.1Rx)
nvd
CVE-2021-22937 | P3 | HIGH | CVSS 7.2 | v9.1 | 2021-08-16
CVE-2021-22937 [HIGH] CWE-434: A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface.
nvd
CVE-2024-38655 | P3 | HIGH | CVSS 7.2 | fixed in 22.7, v22.7, +2 more | 2024-11-13
CVE-2024-38655 [HIGH] CWE-88: Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2020-8206 | P3 | HIGH | CVSS 8.1 | v9.1 | 2020-07-30
CVE-2020-8206 [HIGH] CWE-287: An improper authentication vulnerability exists in Pulse Connect Secure <9.1RB that allows an attacker with a user's primary credentials to bypass the Google TOTP.
nvd
CVE-2018-6320 | P3 | CRITICAL | CVSS 9.8 | v8.1 | 2018-09-06
CVE-2018-6320 [CRITICAL] CWE-20: A vulnerability has been discovered in login.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1RX before 8.1R12 and 8.3RX before 8.3R2 and Pulse Policy Secure (PPS) 5.2RX before 5.2R9 and 5.4RX before 5.4R2 wherein an http(s) Host header received from the browser is trusted without validation.
nvd
CVE-2025-5462 | P3 | HIGH | CVSS 7.5 | fixed in 22.7, v22.7 | 2025-08-12
CVE-2025-5462 [HIGH] CWE-122: A heap-based buffer overflow in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to trigger a denial of service.
nvd
CVE-2024-11633 | P3 | HIGH | CVSS 7.2 | fixed in 22.7, v22.7 | 2024-12-10
CVE-2024-11633 [HIGH] CWE-88: Argument injection in Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2024-11007 | P3 | HIGH | CVSS 7.2 | fixed in 22.7, v22.7 | 2024-11-12
CVE-2024-11007 [HIGH] CWE-78: Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2024-11005 | P3 | HIGH | CVSS 7.2 | fixed in 9.1, fixed in 22.7, +1 more | 2024-11-12
CVE-2024-11005 [HIGH] CWE-78: Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2024-11006 | P3 | HIGH | CVSS 7.2 | fixed in 9.1, fixed in 22.7, +1 more | 2024-11-12
CVE-2024-11006 [HIGH] CWE-78: Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2025-55148 | P3 | HIGH | CVSS 7.6 | fixed in 22.7, v22.7 | 2025-09-09
CVE-2025-55148 [HIGH] CWE-862: Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure restricted settings.
nvd
CVE-2019-11213 | P3 | HIGH | CVSS 8.1 | ≥ 9.0r1, < 9.0r3 | 2019-04-12
CVE-2019-11213 [HIGH] CWE-384: In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to replay and spoof sessions, and as a result, gain unauthorized access as an end user, a related issue to CVE-2019-1573. (The endpoint would need to be already compromised for exploitation to succeed.) This affects Pulse Desktop Client 5.x before Secure
nvd
CVE-2019-11541 | P3 | HIGH | CVSS 7.5 | v8.2, v8.3 | 2019-04-26
CVE-2019-11541 [HIGH]: In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.2RX before 8.2R12.1, users using SAML authentication with the Reuse Existing NC (Pulse) Session option may see authentication leaks.
nvd
CVE-2024-29205 | P3 | HIGH | CVSS 7.5 | ≥ 9.1R18.5, < 9.1R18.5; ≥ 22.6R2.3, < 22.6R2.3; +13 more | 2024-04-25
CVE-2024-29205 [HIGH] CWE-703: An Improper Check for Unusual or Exceptional Conditions vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a remote unauthenticated attacker to send specially crafted requests in order to cause service disruptions.
nvd
CVE-2025-5456 | P3 | HIGH | CVSS 7.5 | fixed in 22.7, v22.7 | 2025-08-12
CVE-2025-5456 [HIGH] CWE-125: A buffer over-read vulnerability in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to trigger a denial of service.
nvd
CVE-2021-22934 | P3 | HIGH | CVSS 7.2 | v9.1 | 2021-08-16
CVE-2021-22934 [HIGH] CWE-120: A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator or compromised Pulse Connect Secure device in a load-balanced configuration to perform a buffer overflow via a maliciously crafted web request.
nvd