CVE-2024-37400 Overview
CVE-2024-37400 is an out-of-bounds read vulnerability [CWE-125] affecting Ivanti Connect Secure before version 22.7R2.3. A remote unauthenticated attacker can exploit the flaw to trigger an infinite loop, resulting in a denial-of-service (DoS) condition on the appliance. The vulnerability is reachable over the network without authentication or user interaction, which makes internet-facing VPN gateways the primary risk surface. Ivanti disclosed the issue in its security advisory covering multiple CVEs in Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC).
Critical Impact
An unauthenticated remote attacker can drive Ivanti Connect Secure into an infinite loop, denying VPN access to legitimate users.
Affected Products
- Ivanti Connect Secure versions prior to 22.7R2.3
- Ivanti Connect Secure 22.7, 22.7R1, 22.7R1.1 through 22.7R1.5
- Ivanti Connect Secure 22.7R2, 22.7R2.1, 22.7R2.2
Discovery Timeline
- 2024-11-13 - CVE-2024-37400 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-37400
Vulnerability Analysis
CVE-2024-37400 is classified as an out-of-bounds read [CWE-125] in Ivanti Connect Secure. The condition arises when the appliance processes attacker-supplied network input and reads memory beyond the intended buffer boundary. The malformed read drives a parsing routine into an infinite loop, consuming CPU resources and blocking further request handling. Because Ivanti Connect Secure is a remote access VPN gateway, the resulting denial of service directly impacts remote workforce connectivity.
The vulnerability requires no authentication and no user interaction. An attacker only needs network reachability to the appliance's exposed VPN interface. Confidentiality and integrity are not affected, but availability is fully compromised on the targeted gateway until it is restarted or patched.
Root Cause
The root cause is insufficient bounds validation on incoming data before it is consumed by a parsing loop. When the parser encounters data outside the expected structure, it reads past the buffer and enters a state where its loop termination condition is never satisfied. The defect combines a memory safety issue (out-of-bounds read) with a control-flow defect (missing loop exit condition), producing a resource-exhaustion DoS instead of a traditional information disclosure.
Attack Vector
Exploitation is performed remotely over the network by sending a crafted request to the Ivanti Connect Secure appliance. No credentials are required, and no interaction from an administrator or end user is needed. A single request is sufficient to pin a worker into an infinite loop, and repeated requests can exhaust processing capacity across the appliance. Because the affected product is typically exposed to the public internet, attackers can locate targets through simple banner or TLS certificate fingerprinting.
No public proof-of-concept exploit code or Exploit-DB entry is currently listed for this CVE, and it is not present on the CISA Known Exploited Vulnerabilities catalog. See the Ivanti Security Advisory for Multiple CVEs for vendor technical details.
Detection Methods for CVE-2024-37400
Indicators of Compromise
- Sustained high CPU utilization on one or more Ivanti Connect Secure processing threads without a corresponding increase in legitimate user sessions.
- Unresponsive or hung web/VPN services on the appliance, followed by watchdog restarts or failover events.
- Repeated malformed or truncated requests to the VPN endpoint from a single source or small cluster of source IPs.
- VPN authentication timeouts and connection failures reported by end users while the gateway remains reachable at the network layer.
Detection Strategies
- Monitor Ivanti Connect Secure system logs for abnormal worker process hangs, thread stalls, and unexpected service restarts.
- Inspect ingress traffic to the VPN interface for anomalous request patterns, oversized fields, or protocol violations preceding availability loss.
- Correlate network telemetry with appliance health metrics to distinguish DoS attempts from routine capacity issues.
- Track appliance version and patch level against 22.7R2.3 to identify unpatched exposure across the fleet.
Monitoring Recommendations
- Enable SNMP or syslog forwarding of CPU, memory, and session-table metrics from Ivanti Connect Secure to a central SIEM.
- Alert on rapid drops in successful VPN authentications combined with rising error rates from the same appliance.
- Baseline normal request volumes to the VPN endpoint and alert on sudden spikes of malformed traffic from external sources.
How to Mitigate CVE-2024-37400
Immediate Actions Required
- Upgrade Ivanti Connect Secure to version 22.7R2.3 or later as instructed in the vendor advisory.
- Inventory all internet-facing Ivanti Connect Secure appliances and confirm the running build against the fixed release.
- Restrict management interface access to trusted administrative networks and remove any unnecessary exposure of the VPN gateway.
- Prepare an incident response and failover plan for the VPN service in case an appliance enters a hung state during patching.
Patch Information
Ivanti has released a fixed build in Ivanti Connect Secure 22.7R2.3. All prior 22.7 releases, including 22.7, 22.7R1.x, 22.7R2, 22.7R2.1, and 22.7R2.2, remain vulnerable. Full remediation details are available in the Ivanti Security Advisory for Multiple CVEs.
Workarounds
- Apply network-level filtering to allow VPN access only from expected geographies or partner IP ranges where feasible.
- Front the appliance with an upstream load balancer or reverse proxy that can rate-limit and drop malformed requests.
- Enable HA/failover pairs so that a single hung appliance does not cause a full remote-access outage.
- Increase monitoring frequency on appliance health and prepare automated restart procedures until the patch is applied.
# Example: verify Ivanti Connect Secure version against the fixed release
# From the ICS admin CLI, check the running version:
# > show version
# Confirm the reported build is 22.7R2.3 or later; otherwise, schedule an upgrade.
# Example iptables filter to restrict VPN gateway exposure to approved sources
iptables -A INPUT -p tcp --dport 443 -s 203.0.113.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

