Ivanti Connect Secure संस्करण 22.7R2.4 से पहले और Ivanti Policy Secure संस्करण 22.7R1.3 से पहले में कोड इंजेक्शन, एक दूरस्थ प्रमाणित हमलावर को व्यवस्थापक विशेषाधिकारों के साथ दूरस्थ कोड निष्पादन (remote code execution) प्राप्त करने की अनुमति देता है।

The impact of CVE-2024-10644 is severe. Successful exploitation allows a remote, authenticated administrator to execute arbitrary code on the Ivanti Connect Secure server. This can lead to complete system compromise, including data exfiltration, privilege escalation, and the installation of persistent malware. Attackers could leverage this access to pivot to other systems within the network, leading to widespread lateral movement and a significant blast radius. Given the nature of Ivanti Connect Secure as a gateway for remote access, a successful attack could expose sensitive internal resources and intellectual property. The requirement for admin privileges, while a barrier, does not negate the severity, as attackers may attempt to compromise accounts with these privileges.

Organizations heavily reliant on Ivanti Connect Secure for remote access, particularly those with legacy deployments of versions prior to 22.7R2.4, are at significant risk. Shared hosting environments where multiple tenants share the same Connect Secure instance are also particularly vulnerable, as a compromise of one tenant could potentially impact others. Furthermore, organizations with weak password policies or inadequate multi-factor authentication for administrative accounts are more susceptible to exploitation.

• linux / server: Monitor Ivanti Connect Secure logs (typically located in /opt/ivanti/connectsecure/logs) for unusual command execution attempts or suspicious network activity. Use journalctl -u connectsecure to filter for error messages related to code injection.

journalctl -u connectsecure | grep -i "code injection"

• ivanti: Review Ivanti Connect Secure audit logs for administrative actions that deviate from normal patterns. Check for unexpected file modifications or process creations. • generic web: Monitor access logs for requests containing suspicious payloads or unusual characters that could indicate code injection attempts. Examine response headers for signs of code execution. • windows / supply-chain: (Less likely, but possible if Connect Secure runs on Windows) Monitor PowerShell execution logs for suspicious commands related to Connect Secure processes. Use Windows Defender to scan for malicious files associated with the vulnerability.

1. 2025-02-11Disclosure

   disclosure

2. 2025-02-11Patch

   patch

1. आरक्षित2024-10-31
2. प्रकाशित2025-02-11
3. संशोधित2026-02-26
4. EPSS अद्यतन2026-04-02

The primary mitigation for CVE-2024-10644 is to immediately upgrade Ivanti Connect Secure to version 22.7R2.4 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. While no specific WAF rules are publicly available, restricting access to potentially vulnerable endpoints and implementing strict authentication policies can help reduce the attack surface. Monitor system logs for suspicious activity, particularly attempts to execute commands or access sensitive files. After upgrading, verify the fix by attempting to reproduce the vulnerability using known exploitation techniques (if available) or by reviewing Ivanti's security advisory for confirmation.