CVE-2024-11005: 
Ivanti Connect Secure vulnerability analysis and mitigation

A command injection vulnerability has been identified in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx). This vulnerability, tracked as CVE-2024-11005, was disclosed on November 12, 2024, and allows remote authenticated attackers with admin privileges to achieve remote code execution (NVD).

The vulnerability is classified as an OS Command Injection (CWE-78) that enables command injection attacks. The CVSS v3.1 base score is rated as 9.1 CRITICAL by Ivanti with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, while NIST rates it as 7.2 HIGH with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers with administrative privileges to execute arbitrary commands remotely on affected systems, potentially leading to complete system compromise with high impacts on confidentiality, integrity, and availability (NVD).

Organizations using affected versions of Ivanti Connect Secure and Ivanti Policy Secure should upgrade to version 22.7R2.1 or later for Connect Secure and version 22.7R1.1 or later for Policy Secure. Note that version 9.1Rx is not affected by this vulnerability (SecurityOnline).