286 matches found
Avalanche 6.4.3.602 - additional security hardening and CVE fixed
Last Modified Date Aug 16, 2024 6:00:39 PM...
SA:CVE-2024-21894 (Heap Overflow), CVE-2024-22052 (Null Pointer Dereference), CVE-2024-22053 (Heap Overflow), CVE-2024-22023 (XML entity expansion or XXE) and CVE-2024-29205 for Ivanti Connect Secure and Ivanti Policy Secure Gateways
Vulnerabilities have been discovered in Ivanti Connect Secure ICS, formerly known as Pulse Connect Secure and Ivanti Policy Secure gateways and a patch is available now. These vulnerabilities impact all supported versions – Version 9.x and 22.x refer to Granular Software Release EOL Timelines and...
Avalanche 6.4.3 Security Hardening and CVEs addressed
Avalanche 6.4.3 has addressed some new security hardening and vulnerabilities in our Q1 2024 release. We are not aware of any exploitation of these vulnerabilities at the time of disclosure. To address the security vulnerabilities listed below, it is highly recommended to download the Avalanche...
CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
DESCRIPTION: Vulnerabilities have been discovered in Ivanti Connect Secure ICS, formerly known as Pulse Connect Secure and Ivanti Policy Secure gateways. These vulnerabilities impact all supported versions – Version 9.x and 22.x refer to Granular Software Release EOL Timelines and Support Matrix...
KB API Authentication Bypass on Sentry Administrator Interface - CVE-2023-38035
A vulnerability has been discovered in Ivanti Sentry, formerly MobileIron Sentry. This vulnerability impacts all supported versions – 9.18, 9.17, and 9.16. Older versions/releases are also at risk. This vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM,...
SA40166 - Remote desktop protocol (RDP) client restriction bypass issue
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. A security issue was discovered in the PCS Terminal Services Remote Desktop Protocol RDP client session restrictions feature. By exploiting this issue a malicious authenticated user...
SA44588 - 2020-09: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.1R8.2
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. This advisory provides information about multiple vulnerabilities resolved in Pulse Connect Secure 9.1R8.2, Pulse Policy Secure 9.1R8.2 Refer to KB43892 - What releases will Pulse Secur...
Security Advisory Ivanti Endpoint Manager Mobile (EPMM) (CVE-2026-1281 & CVE-2026-1340)
Update 29 Jan: Step by Step RPM Install KB included Update 4 Feb: Fixed in Security Update: 0S-4 and 0L-4 included Update: 6 Feb: RPM detection script available to help customers assess potential impact. Technical Analysis updated with reliable Indicators of Compromise IoC’s. Both in partnership...
December 2024 Security Advisory Ivanti Automation (CVE-2024-9845)
Summary Ivanti has released updates for Automation which addresses one high severity vulnerability. Successful exploitation could lead to local privilege escalation. We are not aware of any customers being exploited by this vulnerability at the time of disclosure. Vulnerability Details: CVE Numbe...
Ivanti Avalanche 6.4.5 Security Advisory (Multiple CVE's)
Summary Ivanti has released updates for Ivanti Avalanche which addresses high severity vulnerabilities. Successful exploitation could lead to information disclosure, authentication bypass or denial of service. We are not aware of any customers being exploited by these vulnerabilities at the time ...
SA: CVE-2023-46808 (Authenticated Remote File Write) for Ivanti Neurons for ITSM
Last Modified Date Apr 4, 2024 4:10:39 PM...
CVE-2024-22024 (XXE) for Ivanti Connect Secure and Ivanti Policy Secure
Executive Summary: As part of the ongoing investigation, we discovered a new vulnerability as part of our internal review and testing of our code, which was also responsibly disclosed by watchTowr. This vulnerability only affects a limited number of supported versions – Ivanti Connect Secure...
CVE-2023-35081 - Remote Arbitrary File Write
A vulnerability has been discovered in Ivanti Endpoint Manager Mobile EPMM, formerly known as MobileIron Core. This vulnerability impacts all supported versions –releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. This vulnerability is different from CVE-2023-35078, released ...
ZDI-CAN-17729 - CVE-2023-28125 - Bug 958437: ZDI-CAN-17729: Ivanti Avalanche InfoRail Authentication Bypass Vulnerability
Last Modified Date 2024-3-8 16:51:05...
JSA10482 - 2011-07 Out of Cycle Security Bulletin: Multiple Products; TLS/SSL Renegotiation Vulnerability (CVE-2009-3555)
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. CVE-2009-3555 summary: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, does not properly associate renegotiation handshakes with an existing connection, which allows...
JSA10645 - 2014-09 Security Bulletin: Pulse Connect Secure (PSC) and Pulse Policy Secure (PPS): Cross site scripting issue (CVE-2014-3820)
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. A cross site scripting issue has been found in the Pulse Connect Secure and Pulse Policy Secure PCS/PPS products. The problem is a result of incorrect user input validation on the PCS/P...
Using Vulnerable Libssh Version < 0.12 in Sentry
Last Modified Date Apr 20, 2026 4:13:44 AM...
Security Advisory Ivanti Endpoint Manager (EPM) October 2025
Security Advisory Ivanti Endpoint Manager EPM October 2025 Multiple CVEs Summary Update Nov. 11, 2025: A fix has been released for CVE-2025-11622 and CVE-2025-9713. To resolve these vulnerabilities customers should update to EPM 2024 SU4. Update Feb. 10, 2026: A fix to resolve the remaining CVE's...
Security Advisory Ivanti Neurons for ITSM (On-Premises Only) (CVE-2025-22462)
Security Advisory Ivanti Neurons for ITSM on-premises only CVE-2025-22462 Summary Ivanti has released updates for Ivanti Neurons for ITSM on-prem only which addresses one critical severity vulnerability. Depending on system configuration, successful exploitation could allow an unauthenticated...
Security Advisory EPM November 2024 for EPM 2024 and EPM 2022 SU6
Update Regarding Ivanti EPM Endpoint Manager Downloads As part of our ongoing efforts to enhance your experience and streamline our processes we have migrated the software downloads from the Ivanti Community to the Ivanti License System ILS. You will continue to use your current Ivanti Single...
Security Advisory: Ivanti Virtual Traffic Manager (vTM ) (CVE-2024-7593)
Last Modified Date Jun 18, 2025 12:05:38 PM...
Security Advisory EPM July 2024 for EPM 2024
Last Modified Date Apr 16, 2025 2:50:24 PM...
SA-2023-12-19-CVE-2023-39336
SECURITY ADVISORY 2023-12-19 Product Affected: Ivanti Endpoint Manager A vulnerability was recently discovered for EPM 2022 SU4 and all prior versions. More information can be found here: CVE-2023-39336 Full details Please log into the community to access the full details page. Vulnerability...
SA-2023-06-06-CVE-2023-28324
SECURITY ADVISORY 06-06-2023 Product Affected: Ivanti Endpoint Manager A vulnerability was recently discovered for Ivanti Endpoint Manager for all versions of 2022 SU2 and below. Please patch to the latest version of EPM 2022. If you are using 2021.1, please patch to SU4 and apply the hotfix as...
JSA10554 - 2013-03: Security Bulletin: Pulse Connect Secure (PCS): Multiple cross site scripting issues
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. Multiple cross site scripting issues have been found in the Pulse Connect Secure PCS product. The issue is the result of incorrect validation of user input sent to the web server. This...
SA40013 - TLS/SSL Renegotiation Vulnerability Pulse Connect Secure (PCS) (CVE-2009-3555) (Pulse Secure PSN-2009-11-573
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. The industry-wide TLS/SSL renegotiation issue CVE-2009-3555 has been found in the Pulse Connect Secure PCS device. This issue has been reported as a man in the middle MITM attack by ma...
SA40054 - 2015-09: Security Advisory: Secure Meeting (Pulse Collaboration) issue may allow authenticated users to bypass meeting authorization (CVE-2015-7323)
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. An authorization bypass issue has been discovered in Secure Meeting Pulse Collaboration. This issue could allow an authenticated user to log into meetings that they do not have...
SA40107 - Response to Juniper ScreenOS security advisory JSA10713 (CVE-2015-7755 and CVE-2015-7756)
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. Juniper announced a security advisory for their Netscreen Firewall ScreenOS product portfolio. The Juniper ScreenOS advisory can be found here: JSA10713 Related Links JSA10713...
SA40208 - [Pulse Secure] Single specific file content disclosure issue (CVE-2016-4788)
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. An issue was discovered with the Pulse Connect Secure device that could allow an attacker to print out contents from a specific file. The file contents do not contain any configuration...
SA40210 - [Pulse Secure] Information disclosure possible on admin UI (CVE-2016-4791)
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. An information disclosure issue was discovered on the Pulse Connect Secure device. This issue exists on the administrative user interface and requires admin level access. Because of th...
SA43681 - 2016-11: CSRF vulnerability with Brocade Virtual Traffic Manager (vTM) (CVE-2016-8201)
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. A CSRF vulnerability in Pulse Secure Virtual Traffic Manager versions released prior to and including 11.0, could allow an attacker to trick a logged-in user into making administrative...
JSA10399 - Security Vulnerability in Pulse Policy Secure (PPS) software's radius authentication mechanism
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. This Security Advisory is an addendum to JSA10380.. The purpose is to notify customers of the removal of the affected releases from the Pulse Secure software download site. JSA10380 -...
SA43877 - 2018-08 Security Bulletin: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure / Pulse Secure Desktop 9.0R1/9.0R2
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. This advisory provides information about multiple vulnerabilities resolved in Pulse Connect Secure and Pulse Policy Secure 9.0R1 & Pulse Desktop Client 9.0R2 releases. These issues app...
2020-06: Out-of-Cycle Advisory: Pulse Secure Client TOCTOU Privilege Escalation Vulnerability (CVE-2020-13162)
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. A security vulnerability was discovered within a Pulse Secure client-side component Windows OS only. This is a client-side exploit only and does not affect the PCS or PPS gateway serve...
SA44426 - 2020-04: Out-of-Cycle Advisory: Multiple Host Checker Vulnerabilities
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. This advisory provides information about the Host Checker policy enforcement vulnerabilities highlighted in CVE-2020-11580, CVE-2020-11581, and CVE-2020-11582. These vulnerabilities...
SA44790 - HTTP Request Smuggling vulnerability with Virtual Traffic Manager (vTM)
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager could allow an attacker to 'smuggle' an HTTP request through an HTTP/2 header. In particular, customers...
SA44800 - 2021-05: Out-of-Cycle Advisory: Pulse Connect Secure Buffer Overflow Vulnerability
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. A vulnerability was discovered under Pulse Connect Secure PCS. This includes buffer overflow vulnerability on the Pulse Connect Secure gateway that allows a remote authenticated user...
September Security Advisory Ivanti Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access (Multiple CVEs)
Update 10 Sept Ivanti Policy Secure: Affected and Resolved in Versions updated Summary Ivanti has released updates for Ivanti Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access which addresses six medium and five high vulnerabilities. We are not aware of any customers being...
Security Advisory Ivanti Connect Secure and Policy Secure (CVE-2024-37404)
Summary Ivanti has released updates for Ivanti Connect Secure and Policy Secure which addresses a critical vulnerability. Successful exploitation could allow a remote authenticated attacker to achieve remote code execution. We are not aware of any customers being exploited by this vulnerability a...
Security Advisory Ivanti CSA 4.6 (Cloud Services Appliance) (CVE-2024-8963)
Summary Ivanti is disclosing a critical vulnerability in Ivanti CSA 4.6 which was incidentally addressed in the patch released on 10 September CSA 4.6 Patch 519. Successful exploitation could allow a remote unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in...
SA-2024-07-12-CVE-2024-29213
SECURITY ADVISORY 07-12-2024 Product Affected: Ivanti Desktop and Server Management A vulnerability was recently discovered in DSM. This vulnerability is remediated in DSM 2024.2. Vulnerability Information CVE | CVSS | Summary | Product Affected ---|---|---|--- CVE-2024-29213 CVE Reserved | 7.8...
Security Advisory EPMM May 2024
Last Modified Date Jul 19, 2024 3:00:43 PM...
Security Patch Release - Ivanti Policy Secure 22.6R1
Resolutions for Ivanti Policy Secure Security Issues: As part of Ivanti's commitment to continuous security hardening, Ivanti has released a security update for Ivanti Policy Secure. This update resolves a moderate vulnerability. To our knowledge, none of the CVEs identified in this review have...
CVE-2023-39335 - Certificate creation authentication bypass in UPDATEPROFILE handler
Last Modified Date Dec 11, 2025 1:35:01 PM...
CVE-2023-39337 - MobileConfig profile download authentication bypass
Last Modified Date Dec 11, 2023 2:11:27 PM...
SA-2023-08-08-CVE-2023-35084
SECURITY ADVISORY 08-08-2023 Product Affected: Ivanti Endpoint Manager A vulnerability was recently discovered for EPM 2022 SU3 and all previous versions. We have a Hotfix available to remediate this vulnerability that can be found by going to CVE-2023-35084 Full details. Please log into the...
SA-2023-08-08-CVE-2023-35083
SECURITY ADVISORY 08-08-2023 Product Affected: Ivanti Endpoint Manager A vulnerability was recently discovered for EPM 2022 SU3 and all previous versions. We have a Hotfix available to remediate this vulnerability that can be found by going to CVE-2023-35083 Full details. Please log into the...
CVE-2023-38035 – API Authentication Bypass on Sentry Administrator Interface
A vulnerability has been discovered in Ivanti Sentry, formerly known as MobileIron Sentry. This vulnerability impacts versions 9.18 and prior. The vulnerability does not impact other Ivanti products, such as Ivanti EPMM or Ivanti Neurons for MDM. If exploited, this vulnerability enables an...
JSA10571 - 2013-06 Security Bulletin: Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS): Internal and test Certificate Authority Root Servers unintentionally added to Trusted CA list
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. The Pulse Connect Secure PCS and Pulse Policy Secure PPS software use Trusted Server CA Root Certificate list in order to verify the validity of certificates. Internal and development...
JSA10590 - 2013-09 Security Bulletin: Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS): Crafted packet can cause denial of service
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. A denial of service DoS issue has been found on the Pulse Connect Secure PCS and Pulse Policy Secure PPS devices. This issue can cause the system to hang ultimately requiring a restart ...