CVE-2024-29205 Overview
CVE-2024-29205 is a denial-of-service vulnerability in the web component of Ivanti Connect Secure (versions 9.x and 22.x) and Ivanti Policy Secure (versions 9.x and 22.x). The flaw stems from an improper check for unusual or exceptional conditions [CWE-703]. A remote unauthenticated attacker can send specially crafted requests to disrupt service availability on affected gateways.
The vulnerability carries a CVSS score of 7.5 and affects only availability, not confidentiality or integrity. The EPSS score is 1.58% with a percentile of 72.58, indicating elevated exploitation likelihood relative to the broader CVE population.
Critical Impact
Remote unauthenticated attackers can cause service disruption of Ivanti Connect Secure and Ivanti Policy Secure VPN gateways, potentially cutting off remote workforce access to internal resources.
Affected Products
- Ivanti Connect Secure 9.x
- Ivanti Connect Secure 22.x
- Ivanti Policy Secure 9.x and 22.x
Discovery Timeline
- 2024-04-25 - CVE-2024-29205 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-29205
Vulnerability Analysis
The vulnerability resides in the web component of Ivanti Connect Secure and Ivanti Policy Secure gateways. The web component fails to properly handle unusual or exceptional conditions when processing incoming HTTP requests. This category of weakness, tracked as [CWE-703], occurs when software does not anticipate or correctly handle rare error states.
When the flawed code path is triggered by malformed input, the process enters an unrecoverable state. The result is disruption of the web service that terminates VPN sessions and blocks new authentication attempts. Because Connect Secure functions as a perimeter remote access gateway, disruption directly affects remote users and site-to-site connectivity.
Root Cause
The root cause is missing or insufficient validation of exceptional input conditions in the web component's request handlers. The affected code does not gracefully catch and recover from the exceptional state, allowing an external request to force the service into failure.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends specially crafted HTTP requests to the exposed web interface of the gateway. Because Connect Secure appliances are typically internet-facing, the attack surface is broad. Successful exploitation results in high availability impact but does not expose data or allow code execution.
No verified proof-of-concept code is publicly available. Technical details are described in the vendor advisory referenced by Ivanti Security Advisory SA-CVE-2024-21894.
Detection Methods for CVE-2024-29205
Indicators of Compromise
- Unexpected restarts or crash loops of the Ivanti Connect Secure or Policy Secure web service
- Sudden termination of active VPN sessions without administrator action
- Repeated malformed HTTP requests to the gateway's web interface from unknown source IPs
- Web component error entries in appliance system logs correlated with availability outages
Detection Strategies
- Monitor gateway health and service uptime metrics for anomalous restart patterns
- Inspect gateway access logs for anomalous request payloads targeting web component endpoints
- Baseline normal request rates and alert on spikes of malformed or oversized requests
- Correlate VPN session termination events with inbound network telemetry
Monitoring Recommendations
- Forward Ivanti Connect Secure and Policy Secure logs to a centralized SIEM for correlation
- Alert on repeated web component failures within short time windows
- Track source IPs generating anomalous requests and enrich with threat intelligence
- Enable synthetic availability checks against the VPN login portal to detect outages quickly
How to Mitigate CVE-2024-29205
Immediate Actions Required
- Apply the vendor-provided patches for Ivanti Connect Secure and Ivanti Policy Secure as documented in the Ivanti security advisories portal
- Restrict administrative and web interface exposure to trusted networks where feasible
- Enable rate limiting and geo-based access controls in front of the gateway
- Review appliance logs for prior evidence of exploitation attempts
Patch Information
Ivanti has issued fixed versions for Connect Secure 9.x and 22.x and Policy Secure 9.x and 22.x. Refer to the Ivanti Security Advisory portal for the specific fixed build numbers corresponding to your deployed version.
Workarounds
- Place a Web Application Firewall (WAF) in front of the gateway to filter malformed requests
- Limit inbound access to the web interface via source IP allow-listing where operationally viable
- Increase monitoring frequency and configure automatic service restart policies to reduce outage duration
- If patching cannot be immediate, consider failover to a redundant gateway during high-risk windows
# Example: restrict inbound access to trusted CIDRs at the perimeter firewall
# Replace TRUSTED_CIDR with your allow-listed ranges
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_CIDR -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

