CVE-2024-11007: 
Ivanti Connect Secure vulnerability analysis and mitigation

A command injection vulnerability has been identified in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx). This vulnerability, tracked as CVE-2024-11007, was disclosed on November 12, 2024, and allows remote authenticated attackers with admin privileges to achieve remote code execution (NVD, CVE).

The vulnerability is classified as an OS Command Injection (CWE-78) issue. It has received a CVSS v3.1 base score of 9.1 CRITICAL from Ivanti with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, while the NVD assessment rates it at 7.2 HIGH with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability allows an attacker with administrative privileges to execute arbitrary commands on the affected system, potentially leading to complete system compromise with high impacts on confidentiality, integrity, and availability (NVD).

Organizations are advised to upgrade to Ivanti Connect Secure version 22.7R2.1 or later, or Ivanti Policy Secure version 22.7R1.1 or later. Note that version 9.1Rx is not affected by this vulnerability (Security Online).