CVE-2024-12058
📋 TL;DR
This vulnerability allows remote authenticated attackers with admin privileges to read arbitrary files on Ivanti Connect Secure and Policy Secure appliances. Attackers can exploit external control of file names to access sensitive system files. Organizations using affected versions of these Ivanti products are at risk.
💻 Affected Systems
- Ivanti Connect Secure
- Ivanti Policy Secure
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Admin-level attackers could read sensitive configuration files, credentials, certificates, or other critical system files, potentially leading to full system compromise.
Likely Case
Attackers with admin access could read sensitive files to gather intelligence for further attacks or extract valuable data from the appliance.
If Mitigated
With proper access controls and monitoring, impact is limited to authenticated admin users only, reducing exposure surface.
🎯 Exploit Status
Exploitation requires admin credentials but is straightforward once authenticated
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Ivanti Connect Secure 22.7R2.6, Ivanti Policy Secure 22.7R1.3
Restart Required: Yes
Instructions:
1. Download the latest firmware from the Ivanti support portal.
2. Back up the current configuration.
3. Apply the firmware update via the admin interface.
4. Reboot the appliance.
5. Verify that the update completed successfully.
🔧 Temporary Workarounds
Restrict Admin Access
Limit admin access to only trusted IP addresses and users
Implement MFA
Enable multi-factor authentication for all admin accounts
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Ivanti appliances
- Enforce principle of least privilege for admin accounts and monitor admin activity closely
🔍 How to Verify
Check if Vulnerable:
Check appliance version in admin interface under System > Maintenance > Version Information
Check Version:
ssh admin@[appliance-ip] 'cat /etc/version'
Verify Fix Applied:
Verify version is at least 22.7R2.6 for Connect Secure or 22.7R1.3 for Policy Secure
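To automate the version check above, the following added Python example (not from the advisory or from Ivanti) parses Ivanti-style version strings and compares them numerically against the fixed versions stated on this page. It assumes the format `<major>.<minor>R<release>[.<patch>]` as in 22.7R2.6; the function names and the sample inputs are constructed for illustration.

```python
import re
from typing import Tuple

# Assumed version shape: "<major>.<minor>R<release>[.<patch>]", e.g. "22.7R2.6".
# The trailing patch component is optional ("22.7R2" is read as "22.7R2.0").
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")

# Fixed versions as stated in this advisory, keyed by product name.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.3",
}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse an Ivanti-style version string into a comparable integer tuple.

    Comparing integers (not strings) matters: "22.7R2.10" is newer than
    "22.7R2.6" even though it sorts earlier lexicographically.
    Raises ValueError for strings that do not match the expected shape.
    """
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, running_version: str) -> bool:
    """Return True if the running version is older than the fixed version.

    Implements the advisory's rule "version is at least <fixed>": anything
    below the fixed version for that product is reported as vulnerable.
    """
    if product not in FIXED_VERSIONS:
        raise ValueError(f"no fixed version known for product {product!r}")
    return parse_version(running_version) < parse_version(FIXED_VERSIONS[product])


if __name__ == "__main__":
    # Constructed sample inventory: (product, version reported by the appliance).
    inventory = [
        ("Ivanti Connect Secure", "22.7R2.5"),
        ("Ivanti Connect Secure", "22.7R2.10"),
        ("Ivanti Policy Secure", "22.7R1.3"),
    ]
    for product, version in inventory:
        status = "VULNERABLE" if is_vulnerable(product, version) else "fixed"
        print(f"{product} {version}: {status}")
```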
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns by admin users
- Multiple failed file access attempts
Network Indicators:
- Admin interface access from unusual IP addresses
- Unusual file download patterns
SIEM Query:
source="ivanti_appliance" AND (event_type="file_access" OR event_type="admin_activity") AND (file_path CONTAINS "/etc/" OR file_path CONTAINS "/config/")