
Ivanti has issued crucial security patches for multiple vulnerabilities affecting its Connect Secure (ICS), Policy Secure (IPS), and Secure Access Client (ISAC) products. The updates address three critical flaws discovered through CISA, Akamai, and HackerOne’s bug bounty program.
Critical Vulnerabilities:
1. CVE-2025-22467 (Severity 9.9)
– Stack-based buffer overflow in ICS
– Enables remote code execution with low-privilege authentication
2. CVE-2024-38657 (Severity 9.1)
– Arbitrary file write vulnerability in ICS and IPS
– Requires authenticated remote access
3. CVE-2024-10644 (Severity 9.1)
– Code injection vulnerability in ICS and IPS
– Allows remote code execution with authentication
Additional Security Issues:
– Five further vulnerabilities rated medium to high severity
– Including cross-site scripting (XSS) issues, hardcoded keys, and insufficient permissions
Affected Versions:
– ICS: 22.7R2.5 and older
– IPS: 22.7R1.2 and older
– ISAC: 22.7R4 and below
Remediation:
– Update to ICS version 22.7R2.6
– Update to IPS version 22.7R1.3
– Update to ISAC 22.8R1
Note: Pulse Connect Secure 9.x users must upgrade to Ivanti Connect Secure 22.7, as no patches will be provided for end-of-life versions.
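As an added example (not from the advisory or from Ivanti), the following Python helper parses Ivanti's version strings and checks an appliance inventory against the fixed versions listed above, flagging Pulse Connect Secure 9.x as end-of-life rather than merely unpatched. Host names in the sample inventory are constructed.

```python
import re

# Fixed versions taken from the advisory above.
FIXED = {
    "ICS": "22.7R2.6",
    "IPS": "22.7R1.3",
    "ISAC": "22.8R1",
}

# Ivanti versions look like "22.7R2.5" or "22.8R1": major.minor, then an
# optional release ("R2") and an optional patch level (".5").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+)(?:\.(\d+))?)?$")


def parse_version(text):
    """Turn '22.7R2.5' into the comparable tuple (22, 7, 2, 5).

    Missing components are treated as 0, so '22.8R1' becomes (22, 8, 1, 0).
    Comparing tuples of ints avoids the string-comparison trap where
    '22.7R2.10' would sort below '22.7R2.6'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def assess(product, installed):
    """Classify one appliance as 'end-of-life', 'vulnerable' or 'patched'."""
    if product not in FIXED:
        raise ValueError(f"unknown product: {product!r}")
    ver = parse_version(installed)
    # Pulse Connect Secure 9.x receives no fix; the advisory requires an
    # upgrade to Connect Secure 22.7, so report it separately.
    if product == "ICS" and ver[0] == 9:
        return "end-of-life"
    return "patched" if ver >= parse_version(FIXED[product]) else "vulnerable"


def triage(inventory):
    """Return (host, product, version, status) for every appliance needing action."""
    results = [(h, p, v, assess(p, v)) for h, p, v in inventory]
    return [r for r in results if r[3] != "patched"]


if __name__ == "__main__":
    # Constructed sample inventory: (host, product, installed version).
    sample = [
        ("vpn-gw-01", "ICS", "22.7R2.5"),
        ("vpn-gw-02", "ICS", "22.7R2.6"),
        ("nac-01", "IPS", "22.7R1.2"),
        ("legacy-vpn", "ICS", "9.1R18"),
    ]
    for row in triage(sample):
        print(*row)
```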
While no active exploitation has been reported, immediate patching is strongly recommended, since all three critical flaws are exploitable by authenticated attackers.