CVE-2024-8495 Overview
CVE-2024-8495 is a null pointer dereference vulnerability [CWE-476] affecting Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1. A remote unauthenticated attacker can trigger the flaw over the network to cause a denial of service condition on affected gateways. Ivanti disclosed the issue in a multi-CVE security advisory covering its Connect Secure, Policy Secure, and Secure Access Client product lines. The vulnerability impacts availability only, with no impact on confidentiality or integrity.
Critical Impact
Unauthenticated attackers can remotely crash Ivanti Connect Secure and Policy Secure appliances, disrupting VPN and network access services for all users.
Affected Products
- Ivanti Connect Secure versions prior to 22.7R2.1
- Ivanti Policy Secure versions prior to 22.7R1.1
- Ivanti Connect Secure 22.7 branch releases including 22.7R1 through 22.7R2
Discovery Timeline
- 2024-11-12 - CVE-2024-8495 published to the National Vulnerability Database
- 2025-01-17 - Last updated in NVD database
Technical Details for CVE-2024-8495
Vulnerability Analysis
The vulnerability is a null pointer dereference in the network-facing components of Ivanti Connect Secure and Ivanti Policy Secure. When the affected service processes a crafted request, it accesses a pointer that has not been initialized or has been freed. Dereferencing this null pointer triggers a fatal exception that terminates the responsible process.
Because the affected service handles remote VPN and policy traffic, a successful trigger disrupts user access through the gateway. The attack requires no authentication, no user interaction, and low complexity to execute over the network. Connect Secure appliances frequently sit at the network perimeter, which expands the practical reachability of this issue.
Root Cause
The root cause is missing validation of a pointer before dereference, classified under [CWE-476]. The affected code path does not confirm that a required object or buffer was allocated successfully before accessing its members. When an attacker supplies input that drives the code into an unexpected state, the pointer remains null and the access faults.
Attack Vector
An unauthenticated attacker sends crafted network traffic to the exposed Ivanti Connect Secure or Policy Secure service. The malformed request reaches the vulnerable parsing or session handling logic and causes the process to dereference a null pointer. The process crashes, interrupting VPN tunnels and policy enforcement until the service restarts. Repeated requests can sustain the denial of service.
No verified public proof-of-concept code is available. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability stands at 1.345% with a percentile of 67.6.
Detection Methods for CVE-2024-8495
Indicators of Compromise
- Unexpected restarts or crash loops of Ivanti Connect Secure or Policy Secure services on the appliance
- Sudden termination of active VPN sessions affecting multiple users simultaneously
- Repeated malformed or anomalously structured requests to the gateway from a single source or small set of sources
- Gaps in authentication and session logs corresponding to service restart timestamps
Detection Strategies
- Monitor Ivanti appliance health endpoints and system logs for process crashes, segmentation faults, and watchdog-triggered restarts
- Correlate inbound HTTPS traffic patterns with VPN service availability to identify request bursts that precede outages
- Track session establishment failure rates and compare against baseline to surface availability anomalies
Monitoring Recommendations
- Forward Ivanti Connect Secure and Policy Secure system, audit, and crash logs to a central SIEM for retention and correlation
- Configure availability monitoring on the VPN service with alerting on consecutive failed health checks
- Review network telemetry for unauthenticated requests originating from untrusted source ranges targeting the appliance
How to Mitigate CVE-2024-8495
Immediate Actions Required
- Upgrade Ivanti Connect Secure to version 22.7R2.1 or later
- Upgrade Ivanti Policy Secure to version 22.7R1.1 or later
- Restrict management and VPN service exposure to required networks and trusted source ranges where feasible
- Validate appliance integrity and review recent crash and restart events for signs of attempted exploitation
Patch Information
Ivanti has released fixed versions addressing CVE-2024-8495. Administrators should apply Ivanti Connect Secure 22.7R2.1 and Ivanti Policy Secure 22.7R1.1 or later. Refer to the Ivanti Security Advisory for full version guidance and download locations.
Workarounds
- No vendor-supplied workaround replaces the patch; upgrading is the supported remediation
- Limit network reachability of the affected service using upstream firewall and access control list rules
- Enable rate limiting and anomaly-based filtering on perimeter devices to reduce the impact of repeated crash attempts
# Verify Ivanti Connect Secure version after upgrade
# Reference only - consult Ivanti documentation for production procedures
show version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
