Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-37400

CVE-2024-37400: Ivanti Connect Secure DOS Vulnerability

CVE-2024-37400 is a denial of service flaw in Ivanti Connect Secure caused by an out of bounds read. Unauthenticated attackers can trigger an infinite loop remotely. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-37400 Overview

CVE-2024-37400 is an out-of-bounds read vulnerability [CWE-125] affecting Ivanti Connect Secure before version 22.7R2.3. A remote unauthenticated attacker can exploit the flaw to trigger an infinite loop, resulting in a denial-of-service (DoS) condition on the appliance. The vulnerability is reachable over the network without authentication or user interaction, which makes internet-facing VPN gateways the primary risk surface. Ivanti disclosed the issue in its security advisory covering multiple CVEs in Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC).

Critical Impact

An unauthenticated remote attacker can drive Ivanti Connect Secure into an infinite loop, denying VPN access to legitimate users.

Affected Products

  • Ivanti Connect Secure versions prior to 22.7R2.3
  • Ivanti Connect Secure 22.7, 22.7R1, 22.7R1.1 through 22.7R1.5
  • Ivanti Connect Secure 22.7R2, 22.7R2.1, 22.7R2.2

Discovery Timeline

  • 2024-11-13 - CVE-2024-37400 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-37400

Vulnerability Analysis

CVE-2024-37400 is classified as an out-of-bounds read [CWE-125] in Ivanti Connect Secure. The condition arises when the appliance processes attacker-supplied network input and reads memory beyond the intended buffer boundary. The malformed read drives a parsing routine into an infinite loop, consuming CPU resources and blocking further request handling. Because Ivanti Connect Secure is a remote access VPN gateway, the resulting denial of service directly impacts remote workforce connectivity.

The vulnerability requires no authentication and no user interaction. An attacker only needs network reachability to the appliance's exposed VPN interface. Confidentiality and integrity are not affected, but availability is fully compromised on the targeted gateway until it is restarted or patched.

Root Cause

The root cause is insufficient bounds validation on incoming data before it is consumed by a parsing loop. When the parser encounters data outside the expected structure, it reads past the buffer and enters a state where its loop termination condition is never satisfied. The defect combines a memory safety issue (out-of-bounds read) with a control-flow defect (missing loop exit condition), producing a resource-exhaustion DoS instead of a traditional information disclosure.

Attack Vector

Exploitation is performed remotely over the network by sending a crafted request to the Ivanti Connect Secure appliance. No credentials are required, and no interaction from an administrator or end user is needed. A single request is sufficient to pin a worker into an infinite loop, and repeated requests can exhaust processing capacity across the appliance. Because the affected product is typically exposed to the public internet, attackers can locate targets through simple banner or TLS certificate fingerprinting.

No public proof-of-concept exploit code or Exploit-DB entry is currently listed for this CVE, and it is not present on the CISA Known Exploited Vulnerabilities catalog. See the Ivanti Security Advisory for Multiple CVEs for vendor technical details.

Detection Methods for CVE-2024-37400

Indicators of Compromise

  • Sustained high CPU utilization on one or more Ivanti Connect Secure processing threads without a corresponding increase in legitimate user sessions.
  • Unresponsive or hung web/VPN services on the appliance, followed by watchdog restarts or failover events.
  • Repeated malformed or truncated requests to the VPN endpoint from a single source or small cluster of source IPs.
  • VPN authentication timeouts and connection failures reported by end users while the gateway remains reachable at the network layer.

Detection Strategies

  • Monitor Ivanti Connect Secure system logs for abnormal worker process hangs, thread stalls, and unexpected service restarts.
  • Inspect ingress traffic to the VPN interface for anomalous request patterns, oversized fields, or protocol violations preceding availability loss.
  • Correlate network telemetry with appliance health metrics to distinguish DoS attempts from routine capacity issues.
  • Track appliance version and patch level against 22.7R2.3 to identify unpatched exposure across the fleet.

Monitoring Recommendations

  • Enable SNMP or syslog forwarding of CPU, memory, and session-table metrics from Ivanti Connect Secure to a central SIEM.
  • Alert on rapid drops in successful VPN authentications combined with rising error rates from the same appliance.
  • Baseline normal request volumes to the VPN endpoint and alert on sudden spikes of malformed traffic from external sources.

How to Mitigate CVE-2024-37400

Immediate Actions Required

  • Upgrade Ivanti Connect Secure to version 22.7R2.3 or later as instructed in the vendor advisory.
  • Inventory all internet-facing Ivanti Connect Secure appliances and confirm the running build against the fixed release.
  • Restrict management interface access to trusted administrative networks and remove any unnecessary exposure of the VPN gateway.
  • Prepare an incident response and failover plan for the VPN service in case an appliance enters a hung state during patching.

Patch Information

Ivanti has released a fixed build in Ivanti Connect Secure 22.7R2.3. All prior 22.7 releases, including 22.7, 22.7R1.x, 22.7R2, 22.7R2.1, and 22.7R2.2, remain vulnerable. Full remediation details are available in the Ivanti Security Advisory for Multiple CVEs.

Workarounds

  • Apply network-level filtering to allow VPN access only from expected geographies or partner IP ranges where feasible.
  • Front the appliance with an upstream load balancer or reverse proxy that can rate-limit and drop malformed requests.
  • Enable HA/failover pairs so that a single hung appliance does not cause a full remote-access outage.
  • Increase monitoring frequency on appliance health and prepare automated restart procedures until the patch is applied.
bash
# Example: verify Ivanti Connect Secure version against the fixed release
# From the ICS admin CLI, check the running version:
#   > show version
# Confirm the reported build is 22.7R2.3 or later; otherwise, schedule an upgrade.

# Example iptables filter to restrict VPN gateway exposure to approved sources
iptables -A INPUT -p tcp --dport 443 -s 203.0.113.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.