Every CVE whose affected-product data names Ivanti Policy Secure, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (77)
CVE-2024-21894 — CVSS 9.8 (critical): A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated…
CVE-2024-11005 — CVSS 9.1 (critical): Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version…
CVE-2024-10644 — CVSS 9.1 (critical): Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote…
CVE-2024-39712 — CVSS 9.1 (critical): Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a…
CVE-2024-39711 — CVSS 9.1 (critical): Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a…
CVE-2024-39710 — CVSS 9.1 (critical): Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a…
CVE-2024-38656 — CVSS 9.1 (critical): Argument injection in Ivanti Connect Secure before version 22.7R2.2 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a…
CVE-2024-11634 — CVSS 9.1 (critical): Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote…
CVE-2024-11007 — CVSS 9.1 (critical): Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version…
CVE-2024-11006 — CVSS 9.1 (critical): Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version…
CVE-2025-55145 — CVSS 8.9 (high): Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before…
CVE-2025-55142 — CVSS 8.8 (high): Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before…
CVE-2025-55141 — CVSS 8.8 (high): Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before…
CVE-2024-9420 — CVSS 8.8 (high): A use-after-free in Ivanti Connect Secure before version 22.7R2.3 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a…
CVE-2024-21888 — CVSS 8.8 (high): A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a…
CVE-2024-37404 — CVSS 8.8 (high): Improper Input Validation in the admin portal of Ivanti Connect Secure before 22.7R2.1 and 9.1R18.9, or Ivanti Policy Secure before…
CVE-2019-11509 — CVSS 8.8 (high): In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 and Pulse…
CVE-2025-55147 — CVSS 8.8 (high): CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and…
CVE-2024-22024 — CVSS 8.3 (high): An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x)…
CVE-2024-22053 — CVSS 8.2 (high): A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x 22.x) and Ivanti Policy Secure allows an unauthenticated…
CVE-2020-8206 — CVSS 8.1 (high): An improper authentication vulnerability exists in Pulse Connect Secure <9.1RB that allows an attacker with a users primary credentials to…
CVE-2024-39709 — CVSS 7.8 (high): Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version…
CVE-2024-47906 — CVSS 7.8 (high): Excessive binary privileges in Ivanti Connect Secure before version 22.7R2.3 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before…
CVE-2025-55148 — CVSS 7.6 (high): Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before…
CVE-2022-35258 — CVSS 7.5 (high): An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to…
CVE-2024-22052 — CVSS 7.5 (high): A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an…
CVE-2025-5462 — CVSS 7.5 (high): A heap-based buffer overflow in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway…
CVE-2025-5456 — CVSS 7.5 (high): A buffer over-read vulnerability in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA…
CVE-2022-35254 — CVSS 7.5 (high): An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to…
CVE-2024-8495 — CVSS 7.5 (high): A null pointer dereference in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a…
CVE-2024-37377 — CVSS 7.5 (high): A heap-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a…
CVE-2024-37401 — CVSS 7.5 (high): An out-of-bounds read in IPsec of Ivanti Connect Secure before version 22.7R2.1 allows a remote unauthenticated attacker to cause a denial…
CVE-2020-15352 — CVSS 7.2 (high): An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows…
CVE-2024-38655 — CVSS 7.2 (high): Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and…
CVE-2020-8219 — CVSS 7.2 (high): An insufficient permission check vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to change the password of a…
CVE-2025-0283 — CVSS 7.0 (high): A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti…
CVE-2025-55139 — CVSS 6.8 (medium): SSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and…
CVE-2020-8222 — CVSS 6.8 (medium): A path traversal vulnerability exists in Pulse Connect Secure <9.1R8 that allowed an authenticated attacker via the administrator web…
CVE-2024-12058 — CVSS 6.8 (medium): External control of a file name in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a…
CVE-2025-0293 — CVSS 6.6 (medium): CLRF injection in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote…
CVE-2020-8220 — CVSS 6.5 (medium): A denial of service vulnerability exists in Pulse Connect Secure <9.1R8 that allows an authenticated attacker to perform command injection…
CVE-2025-5450 — CVSS 6.3 (medium): Improper access control in the certificate management component of Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure…
CVE-2024-11004 — CVSS 6.1 (medium): Reflected XSS in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote…
CVE-2020-8238 — CVSS 6.1 (medium): A vulnerability in the authenticated user web interface of Pulse Connect Secure and Pulse Policy Secure < 9.1R8.2 could allow attackers to…
CVE-2020-8262 — CVSS 6.1 (medium): A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS)…
CVE-2020-8204 — CVSS 6.1 (medium): A cross site scripting (XSS) vulnerability exists in Pulse Connect Secure <9.1R5 on the PSAL Page.
CVE-2025-55143 — CVSS 6.1 (medium): Reflected text injection in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway…
CVE-2024-13830 — CVSS 6.1 (medium): Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote…
CVE-2024-13842 — CVSS 6.0 (medium): A hardcoded key in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.3 allows a local…
CVE-2024-13843 — CVSS 6.0 (medium): Cleartext storage of information in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a…
CVE-2025-0292 — CVSS 5.5 (medium): SSRF in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated…
CVE-2025-5463 — CVSS 5.5 (medium): Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version…
CVE-2025-5468 — CVSS 5.5 (medium): Improper handling of symbolic links in Ivanti Connect Secure before version 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5…
CVE-2020-12880 — CVSS 5.5 (medium): An issue was discovered in Pulse Policy Secure (PPS) and Pulse Connect Secure (PCS) Virtual Appliance before 9.1R8. By manipulating a…
CVE-2025-8712 — CVSS 5.4 (medium): Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before…
CVE-2020-8217 — CVSS 5.4 (medium): A cross site scripting (XSS) vulnerability in Pulse Connect Secure <9.1R8 allowed attackers to exploit in the URL used for Citrix ICA.
CVE-2025-8711 — CVSS 5.4 (medium): CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and…
CVE-2025-55144 — CVSS 5.4 (medium): Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before…
CVE-2024-22023 — CVSS 5.3 (medium): An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an…
CVE-2024-47905 — CVSS 4.9 (medium): A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a…
CVE-2023-39339 — CVSS 4.9 (medium): A vulnerability exists on all versions of Ivanti Policy Secure below 22.6R1 where an authenticated administrator can perform an arbitrary…
CVE-2025-5451 — CVSS 4.9 (medium): A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a…
CVE-2025-55146 — CVSS 4.9 (medium): An unchecked return value in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway…
CVE-2024-38657 — CVSS 4.9 (medium): External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a…
CVE-2025-5466 — CVSS 4.9 (medium): XEE in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and…
CVE-2024-47909 — CVSS 4.9 (medium): A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a…
CVE-2020-8221 — CVSS 4.9 (medium): A path traversal vulnerability exists in Pulse Connect Secure <9.1R8 which allows an authenticated attacker to read arbitrary files via the…
CVE-2020-8261 — CVSS 4.3 (medium): A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary cookie injection.
CVE-2020-8216 — CVSS 4.3 (medium): An information disclosure vulnerability in meeting of Pulse Connect Secure <9.1R8 allowed an authenticated end-users to find meeting…