CVE-2024-11634: 
Ivanti Connect Secure vulnerability analysis and mitigation

CVE-2024-11634 is a critical command injection vulnerability affecting Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2. The vulnerability was disclosed on December 10, 2024, and received a CVSS score of 9.1, indicating critical severity. This vulnerability affects the administrative interface of these security products and is not applicable to version 9.1Rx (NVD, Hacker News).

The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command Injection). It received a CVSS v3.1 base score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. The vulnerability requires high privileges but no user interaction, and can be exploited remotely through the network (NVD).

When successfully exploited, this vulnerability allows a remote authenticated attacker with administrative privileges to achieve remote code execution on the affected systems. This could potentially lead to complete system compromise and unauthorized control of the affected devices (Security Online, SOCRadar).

Ivanti has released patches to address this vulnerability. Users are strongly advised to upgrade to Ivanti Connect Secure version 22.7R2.4 and Ivanti Policy Secure version 22.7R1.2. For systems that cannot be immediately updated, it is recommended to restrict Management interface access to an internal network to mitigate the risk (Security Online).