Security News > 2024 > February > Ivanti discloses fifth vulnerability, doesn't credit researchers who found it
In disclosing yet another vulnerability in its Connect Secure, Policy Secure, and ZTA gateways, Ivanti has confused the third-party researchers who discovered it.
Researchers at watchTowr blogged today about not being credited with the discovery of CVE-2024-22024 - the latest in a series of vulnerabilities affecting Ivanti gateways as the vendor continues to develop patches for supported versions.
"As part of the ongoing investigation, we discovered a new vulnerability as part of our internal review and testing of our code, which we are reporting as CVE-2024-22024," an Ivanti article reads.
WatchTowr claims its researchers were the first to bring Ivanti's attention to the bug on February 2, publishing screenshots of the emails exchanged between it and Ivanti as proof.
"Commenting on the above excerpt from Ivanti's advisory, watchTowr said:"Today, Friday February 9, 2024, we are pleased to see that Ivanti has released an advisory for this vulnerability.
Ivanti has continued to work on developing patches in accordance with its staggered schedule, which is to say it's developing patches for the versions with the most users, and working down from there.
News URL
Related news
- Ivanti fixes RCE vulnerability reported by NATO cybersecurity researchers (CVE-2023-41724) (source)
- Researchers Detail Kubernetes Vulnerability That Enables Windows Node Takeover (source)
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability (source)
- Week in review: Ivanti fixes RCE vulnerability, Nissan breach affects 100,000 individuals (source)
- Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks (source)
- Ivanti commits to secure-by-design overhaul after vulnerability nightmare (source)
- Researchers Identify Multiple China Hacker Groups Exploiting Ivanti Security Flaws (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-02-13 | CVE-2024-22024 | XXE vulnerability in Ivanti Connect Secure, Policy Secure and Zero Trust Access An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication. | 8.3 |