Security Advisory 2022-074

Release Date:

DoS Vulnerabilities in Pulse Secure Products



  • 27/10/2022 --- v1.0 -- Initial publication


On October 13, 2022, Ivanti released an advisory regarding two vulnerabilities affecting Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Neurons for Zero-Trust Gateway that could lead to DoS conditions if exploited [1]. It is recommended to upgrade to the latest version of these products.

Technical Details

Ivanti did not release much technical details about the vulnerabilities, identified by CVE-2022-35254, and CVE-2022-35258, with CVSS scores of 7.5 out of 10. Nevertheless, the company specified that the vulnerabilities could lead to Denial-of-Service (DoS) conditions if exploited. Based on the CVSS scores, we can guess that the vulnerabilities could be exploited remotely and fairly easily.

Affected Products

CVE-2022-35254 and CVE-2022-35258 affect:

  • Ivanti Policy Secure 9.1R16, 22.2R1 and below
  • Ivanti Neurons for Zero-Trust Gateway 22.2R1 and below
  • Ivanti Connect Secure 9.1R16.1, 22.2R1 and below

The Ivanti Neurons for Secure Access was affected by both vulnerabilities. Ivanti upgraded the hosted controller and completed the upgrade on October 9, 2022. There is no action for customers to take regarding the Ivanti Neurons for Secure Access Controller.


CERT-EU recommends updating the affected systems to the latest version.



We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.