CVE-2024-39709

CVE Database · CVE-2024-39709

CVE-2024-39709

· HIGHAnalyzed

CVSS v3.1

7.8

EPSS

0.30%

Published

Nov 12, 2024

Modified

Jul 15, 2025

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1 (Not Applicable to 9.1Rx) allow a local authenticated attacker to escalate their privileges.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-732

Affected Products (9)

ivanti · connect_secure (up to 9.1)vulnerable

ivanti · connect_secure (up to 22.6)vulnerable

ivanti · connect_securevulnerable

ivanti · policy_secure (up to 9.1)vulnerable

ivanti · policy_secure (up to 22.7)vulnerable

ivanti · policy_securevulnerable

References (1)

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs