Ivanti Connect Secure vulnerabilities
130 known vulnerabilities affecting ivanti/connect_secure.
Total CVEs: 130
CISA KEV: 14 (actively exploited)
Public exploits: 14
Exploited in wild: 19
Severity breakdown: CRITICAL 15, HIGH 67, MEDIUM 46, LOW 2
Vulnerabilities
Page 5 of 7
CVE-2024-39709 | P3 | HIGH | CVSS 7.8 | CWE-732 | fixed in 9.1 | ≥ 21.9, < 22.6 | +3 more | 2024-11-13
Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1 (Not Applicable to 9.1Rx) allow a local authenticated attacker to escalate their privileges.
nvd
CVE-2025-55139 | P3 | MEDIUM | CVSS 6.8 | CWE-918 | fixed in 22.7 | v22.7 | 2025-09-09
SSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with admin privileges to enumerate internal services.
nvd
CVE-2018-20809 | P3 | HIGH | CVSS 7.5 | CWE-20 | v8.3 | 2019-06-28
A crafted message can cause the web server to crash with Pulse Secure Pulse Connect Secure (PCS) 8.3RX before 8.3R5 and Pulse Policy Secure 5.4RX before 5.4R5. This is not applicable to PCS 8.1RX.
nvd
CVE-2025-55143 | P3 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 22.7 | v22.7 | 2025-09-09
Reflected text injection in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to inject arbitrary text into a crafted HTTP response. User interaction is
nvd
CVE-2023-38551 | P3 | HIGH | CVSS 8.2 | CWE-93 | ≥ 22.7R2, < 22.7R2 | ≥ 22.5R2.2, < 22.5R2.2 | +1 more | 2024-05-31
A CRLF Injection vulnerability in Ivanti Connect Secure (9.x, 22.x) allows an authenticated high-privileged user to inject malicious code on a victim’s browser, thereby leading to a cross-site scripting attack.
nvd
CVE-2020-8222 | P3 | MEDIUM | CVSS 6.8 | CWE-22 | v9.1 | 2020-07-30
A path traversal vulnerability exists in Pulse Connect Secure <9.1R8 that allowed an authenticated attacker via the administrator web interface to perform arbitrary file reading through Meeting.
nvd
CVE-2021-22933 | P3 | MEDIUM | CVSS 6.5 | CWE-22 | v9.1 | 2021-08-16
A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform an arbitrary file delete via a maliciously crafted web request.
nvd
CVE-2020-8220 | P3 | MEDIUM | CVSS 6.5 | CWE-400 | v9.1 | 2020-07-30
A denial of service vulnerability exists in Pulse Connect Secure <9.1R8 that allows an authenticated attacker to perform command injection via the administrator web which can cause DOS.
nvd
CVE-2024-22023 | P4 | MEDIUM | CVSS 5.3 | CWE-476 | v9.1 | v22.1 | +18 more | 2024-04-04
An XML entity expansion or XEE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion, thereby resulting in a limited-time DoS.
nvd
CVE-2020-8256 | P4 | MEDIUM | CVSS 4.9 | CWE-611 | v9.1 | 2020-09-30
A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to gain arbitrary file reading access through Pulse Collaboration via XML External Entity (XXE) vulnerability.
nvd
CVE-2016-4786 | P4 | HIGH | CVSS 7.5 | v8.1 | v8.2 | +1 more | 2016-05-26
Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r3, 8.0 before 8.0r11, and 7.4 before 7.4r13.4 allow remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
nvd
CVE-2025-8711 | P4 | MEDIUM | CVSS 5.4 | CWE-352 | fixed in 22.7 | v22.7 | 2025-09-09
CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to execute limited actions on behalf of the victim user. User interaction is required.
nvd
CVE-2020-8221 | P4 | MEDIUM | CVSS 4.9 | CWE-22 | v9.1 | 2020-07-30
A path traversal vulnerability exists in Pulse Connect Secure <9.1R8 which allows an authenticated attacker to read arbitrary files via the administrator web interface.
nvd
CVE-2025-55144 | P4 | MEDIUM | CVSS 5.4 | CWE-862 | fixed in 22.7 | v22.7 | 2025-09-09
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure restricted settings.
nvd
CVE-2025-8712 | P4 | MEDIUM | CVSS 5.4 | CWE-862 | fixed in 22.7 | v22.7 | 2025-09-09
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure restricted settings.
nvd
CVE-2016-4792 | P4 | MEDIUM | CVSS 5.3 | v8.2 | 2016-05-26
Pulse Connect Secure (PCS) 8.2 before 8.2r1 allows remote attackers to disclose sign in pages via unspecified vectors.
nvd
CVE-2024-38657 | P4 | MEDIUM | CVSS 4.9 | CWE-73 | fixed in 22.7 | v22.7 | +1 more | 2025-02-21
External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files.
nvd
CVE-2025-5468 | P4 | MEDIUM | CVSS 5.5 | CWE-61 | fixed in 22.7 | v22.7 | 2025-08-12
Improper handling of symbolic links in Ivanti Connect Secure before version 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a local authenticated attacker to read arbitrary files on disk.
nvd
CVE-2024-12058 | P4 | MEDIUM | CVSS 4.9 | CWE-73 | fixed in 22.7 | v22.7 | 2025-02-11
External control of a file name in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to read arbitrary files.
nvd
CVE-2016-4788 | P4 | MEDIUM | CVSS 5.8 | v8.2 | v8.1 | +1 more | 2016-05-26
Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote attackers to read an unspecified system file via unknown vectors.
nvd