CVE-2022-35254: 
Ivanti Connect Secure vulnerability analysis and mitigation

An unauthenticated denial-of-service vulnerability (CVE-2022-35254) was discovered affecting multiple Ivanti products. The vulnerability impacts Ivanti Connect Secure (ICS) versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access versions prior to 22.3R1. The vulnerability was disclosed on October 13, 2022, with patches being released for selected versions of the affected products (Ivanti Blog, CERT-EU).

The vulnerability has been assigned a CVSS score of 7.5 out of 10, indicating a high severity level. Based on the CVSS score, the vulnerability can be exploited remotely with relative ease. While detailed technical specifications were not publicly disclosed, the vulnerability allows unauthenticated attackers to cause denial-of-service conditions in the affected systems (CERT-EU).

If successfully exploited, the vulnerability can result in denial-of-service conditions affecting the availability of the impacted Ivanti secure access products. This could potentially disrupt access management and security services for organizations using these products (CVE Mitre).

Ivanti has released patches to address the vulnerability. The company recommends upgrading to the latest versions of the affected products. For Ivanti Connect Secure and Policy Secure, patches were released on October 11, 2022. The Ivanti Neurons for Secure Access hosted environment was patched on October 9, 2022. No alternative mitigations are available, making the upgrade to patched versions the only solution (Ivanti Blog).