CVE-2024-38657

ENISA EUVD: EUVD-2025-4556
✓ Confirmed 0-Day
Triaged: March 20, 2026 · 3 articles · Published: 2025-02-21

EPSS Score

Source: FIRST.org · 2026-05-23
This CVE has a 0.58% probability of being exploited in the next 30 days.
Top 69.0th percentile of all CVEs

CVSS v3.0

Source: VulnerabilityLookup (CIRCL)
9.1 CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)
External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files.

Affected Products

Ivanti · Connect Secure · 22.7R2.4
Ivanti · Policy Secure · 22.7R1.3

Attack Intelligence

Signal Intelligence

Confidence: 85%
EPSS: 0.58%
CVSS v3.0: 9.1
Mentions: 3

CNA Information

CNA Assigner: hackerone

Analyst Note

CVE-2024-38657 is confirmed as a zero-day. Article [3] explicitly lists it as a critical flaw (CVSS 9.1) patched by Ivanti, and Article [1] documents active exploitation in the wild of Ivanti Connect Secure vulnerabilities with concurrent patch availability. The timing aligns with zero-day criteria: the vulnerability was actively exploited before or at the time of patch release.

Threat Actors (15)

Mustang Panda · apt_group · Information theft and espionage · 🇨🇳 CN
Cobalt · apt_group · Financial crime · 🇷🇺 RU
Cron · apt_group · 🇷🇺 RU
Kimsuky · apt_group · Information theft and espionage · 🇰🇷 KR
Harvester · apt_group · Information theft and espionage · Unknown
Hacking Team · apt_group · 🇮🇹 IT
[Unnamed group] · apt_group · 🇨🇳 CN
Test Panda · apt_group · 🇨🇳 CN
Operation Digital Eye · apt_group · Information theft and espionage · 🇨🇳 CN
Unnamed Actor · apt_group · 🇨🇳 CN
Mana Team · apt_group · 🇨🇳 CN
Impersonating Panda · apt_group · 🇨🇳 CN
Big Panda · apt_group · 🇨🇳 CN
Cyber Alliance · apt_group · 🇺🇦 UA
Beijing Group · apt_group · Information theft and espionage · 🇨🇳 CN

Triage Info

Decided at: Mar 20, 2026
Published Date: Feb 21, 2025