Use of Hard-coded Cryptographic Key in Ivanti Connect Secure (formerly Pulse Connect Secure) and Ivanti Policy Secure (formerly Pulse Policy Secure) - CVE-2024-13842
Published: February 13, 2025
Vulnerability identifier: #VU103944
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-13842
CWE-ID: CWE-321
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Ivanti
Affected software:
Ivanti Connect Secure (formerly Pulse Connect Secure)
Ivanti Policy Secure (formerly Pulse Policy Secure)
Detailed vulnerability description
The vulnerability allows a local user to compromise the target system.
The vulnerability exists due to the use of a hard-coded cryptographic key. A local administrator can gain access to sensitive data.
How to mitigate CVE-2024-13842
Install updates from the vendor's website.