--- licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0) licence_link: https://creativecommons.org/licenses/by/4.0/ licence_restrictions: https://cert.europa.eu/legal-notice licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies title: 'Critical Vulnerabilities in Ivanti Products' number: '2024-030' version: '1.0' original_date: 'March 20, 2024' date: 'March 21, 2024' --- _History:_ * _21/03/2024 --- v1.0 -- Initial publication_ # Summary On March 20, 2024, Ivanti released fixes for two critical vulnerabilities affecting Ivanti Standalone Sentry and Ivanti Neurons for ITSM. According to Ivanti, there is no evidence of these vulnerabilities being exploited in the wild. It is recommended upgrading affected software as soon as possible. # Technical Details The vulnerability `CVE-2023-41724`, with a CVSS score of 9.6, affects Ivanti Standalone Sentry and could allow an unauthenticated attacker within the same physical or logical network to execute arbitrary commands on the underlying operating system of the appliance. [1] The vulnerability `CVE-2023-46808`, with a CVSS score of 9.9, affects Ivanti Neurons for ITSM and could enable an authenticated remote user to perform file writes in sensitive directories which may allow execution of commands in the context of web application’s user. [2] # Affected Products The vulnerability `CVE-2023-41724` impacts all supported versions of Ivanti Standalone Sentry (9.17.0, 9.18.0, and 9.19.0). Older versions are also at risk. The vulnerability `CVE-2023-46808` impacts all supported versions of Ivanti Neurons for ITSM (2023.3, 2023.2 and 2023.1). Unsupported versions are also at risk. # Recommendations CERT-EU strongly recommends updating affected software to the latest versions by following the instructions given by the vendor [1,2]. # References [1] [2]