CVE-2024-11006: 
Ivanti Connect Secure vulnerability analysis and mitigation

Command injection vulnerability (CVE-2024-11006) affects Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx). The vulnerability was disclosed on November 12, 2024, and allows remote authenticated attackers with admin privileges to achieve remote code execution (NVD).

The vulnerability is classified as an OS Command Injection (CWE-78) with a CVSS v3.1 base score of 9.1 CRITICAL according to Ivanti, while NIST rates it at 7.2 HIGH. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating network accessibility, low attack complexity, high privileges required, no user interaction needed, and critical impact on confidentiality, integrity, and availability (NVD).

If exploited, the vulnerability allows an attacker with administrative privileges to execute arbitrary commands remotely on the affected system, potentially leading to complete system compromise. The critical CVSS score of 9.1 indicates severe potential impacts on system confidentiality, integrity, and availability (NVD).

Ivanti has released security updates to address this vulnerability. Users of affected systems should upgrade to Ivanti Connect Secure version 22.7R2.3 or Ivanti Policy Secure version 22.7R1.2. The vulnerability does not affect version 9.1Rx of either product (ASEC).