CVE-2023-41720: 
Ivanti Connect Secure vulnerability analysis and mitigation

A critical vulnerability (CVE-2023-41720) was discovered in Ivanti Connect Secure (ICS) affecting all versions below 22.6R2. The vulnerability was disclosed on December 13, 2023, and allows an attacker with an initial foothold on an ICS appliance to escalate their privileges by exploiting a vulnerable installed application (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates that the vulnerability requires local access, low attack complexity, no privileges, and user interaction to exploit. The impact potential is high across confidentiality, integrity, and availability (NVD).

If successfully exploited, the vulnerability allows an attacker to gain elevated execution privileges on the affected system, potentially compromising the security of the entire ICS appliance (NVD).

Ivanti has released version 22.6R2 to address this vulnerability. Customers are strongly encouraged to upgrade to this version or later to remediate the issue. The security patch is available through Ivanti's Download Center (Ivanti Blog).

Ivanti acknowledged the responsible disclosure by Jérôme Mampianinazakason of Synacktiv for their assistance in discovering and reporting the vulnerability (Ivanti Blog).