CVE-2024-37404 Overview
CVE-2024-37404 is an improper input validation vulnerability in the admin portal of Ivanti Connect Secure and Ivanti Policy Secure. The flaw allows a remote authenticated attacker with administrative privileges to achieve remote code execution on the underlying appliance. Ivanti disclosed the issue in its Security Advisory CVE-2024-37404 and shipped fixes in Ivanti Connect Secure 22.7R2.1 and 9.1R18.9, and Ivanti Policy Secure 22.7R1.1.
The vulnerability carries a CVSS v3.1 score of 8.8 (HIGH) and an EPSS probability of 85.99%, placing it in the 99.4th percentile for likelihood of exploitation.
Critical Impact
A remote authenticated attacker can execute arbitrary code on Ivanti Connect Secure and Policy Secure gateways, leading to full compromise of the VPN appliance and the network perimeter it protects.
Affected Products
- Ivanti Connect Secure versions prior to 22.7R2.1
- Ivanti Connect Secure 9.x versions prior to 9.1R18.9
- Ivanti Policy Secure versions prior to 22.7R1.1
Discovery Timeline
- 2024-10-18 - CVE-2024-37404 published to the National Vulnerability Database
- 2025-09-23 - Last updated in NVD database
Technical Details for CVE-2024-37404
Vulnerability Analysis
The issue is classified as Improper Input Validation in the administrative web portal exposed by Ivanti Connect Secure and Ivanti Policy Secure. Authenticated administrators interact with the appliance through this portal to configure VPN settings, authentication realms, and policy objects. The portal accepts attacker-controllable input that is not validated or sanitized before being passed to a sensitive sink, enabling code execution in the appliance context.
Because Connect Secure and Policy Secure terminate VPN sessions for remote employees, successful exploitation gives an adversary code execution on a high-value perimeter device. Post-exploitation activity can include credential theft, session hijacking, configuration tampering, and lateral movement into internal networks.
Root Cause
The root cause is missing or insufficient validation of input fields in the admin portal. User-supplied data reaches a downstream component, likely a shell command, template renderer, or configuration writer, without strict type, length, or character-set enforcement. Ivanti addressed the issue by hardening input validation in the fixed releases.
Attack Vector
Exploitation requires network access to the admin portal and valid administrative credentials. The attack vector is network-based with low complexity and no user interaction. Realistic preconditions include credential theft, password reuse, exposure of the admin interface to untrusted networks, or chaining with an authentication bypass.
No public proof-of-concept code is currently available. Technical specifics have not been published by the vendor. Refer to the Ivanti Security Advisory for vendor-supplied details.
Detection Methods for CVE-2024-37404
Indicators of Compromise
- Unexpected administrative logins to Connect Secure or Policy Secure, especially from new geolocations, hosting providers, or off-hours sessions.
- New or modified files in appliance writable directories, unexpected outbound connections from the gateway, and unscheduled service restarts.
- Configuration changes such as new admin accounts, modified authentication realms, or altered SAML/SSO settings that do not match change tickets.
Detection Strategies
- Forward Ivanti Connect Secure and Policy Secure admin access logs, audit logs, and syslog to a centralized log platform and alert on administrative actions from non-allowlisted source IPs.
- Baseline normal admin portal request patterns and alert on anomalous parameter values, oversized payloads, or shell metacharacters submitted to administrative endpoints.
- Correlate VPN appliance events with downstream identification of suspicious internal activity, such as new service accounts or unusual SMB/LDAP traffic originating from the gateway subnet.
Monitoring Recommendations
- Monitor the /dana-admin/ administrative URL space and authentication events for brute-force or credential-stuffing patterns.
- Track outbound network connections initiated by the appliance to non-Ivanti destinations, which can indicate webshell or reverse-shell activity.
- Run the Ivanti Integrity Checker Tool (ICT) on a regular cadence and review results against known-good baselines.
How to Mitigate CVE-2024-37404
Immediate Actions Required
- Upgrade Ivanti Connect Secure to 22.7R2.1 or 9.1R18.9, and Ivanti Policy Secure to 22.7R1.1 as released by the vendor.
- Restrict access to the admin portal to a dedicated management network or jump host, and block administrative URLs at the perimeter.
- Rotate administrative credentials and enforce multi-factor authentication for all admin accounts.
- Review admin accounts, configuration changes, and audit logs for unauthorized activity prior to patching.
Patch Information
Ivanti has released patched builds that address CVE-2024-37404. Fixed versions are Ivanti Connect Secure 22.7R2.1 and 9.1R18.9, and Ivanti Policy Secure 22.7R1.1. Apply the upgrades following the guidance in the Ivanti Security Advisory CVE-2024-37404.
Workarounds
- No vendor-supplied workaround replaces the patch; upgrading is the only complete remediation.
- Until the upgrade is applied, restrict administrative access to internal management subnets and require VPN plus MFA to reach the admin interface.
- Disable or remove unused administrator accounts and enforce strong, unique credentials for the remaining accounts.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
