Ivanti has released patches for a high-severity vulnerability, tracked as CVE-2024-22024 with a CVSS score of 8.3, affecting its enterprise VPN and network access products, including Connect Secure, Policy Secure, and ZTA gateway appliances. The vulnerability, described as an XML external entity (XXE) issue in the SAML component, could allow unauthenticated attackers to access restricted resources. Patches have been provided for specific versions of the affected products. Although Ivanti has not observed exploitation of the vulnerability in the wild, it recommends that customers apply the latest patches as a precautionary measure. The vulnerability was initially identified internally but was later reported to Ivanti by researchers from watchTowr.
Read more: https://www.securityweek.com/ivanti-patches-high-severity-vulnerability-in-vpn-appliances/