SA CVE (2023-34298) Ivanti Secure Access Client Local Privilege Escalation
At Ivanti, our top priority is upholding our commitment to deliver and maintain secure products. We are investing significant resources to ensure that all our solutions continue to meet our own high standards.
We are reporting a new vulnerability that was publicly disclosed on June 15, 2023, and that impacts the following products running on Windows OS devices:
- Ivanti Secure Access (ISA) Client 22.3 R2 and below;
- Pulse Connect Secure (PCS) Desktop Client 9.1 R15 and below;
- Pulse Secure Installer Service, all current production releases (versions 9.1R18.23345 and 22.4.1439).
Clients on other platforms (Mac and Linux) are not affected. The ICS / PCS Server solutions are also not affected.
We have no evidence or indication that any customer has been impacted by this new vulnerability.
Upon learning of the vulnerability, we immediately mobilized resources to fix the problem. Patches for Ivanti Secure Access Client and Pulse Secure Installer Service are available now. More information can be found in this Security Advisory.
Mitigations for Pulse Secure Desktop Client version 9.1 R15 and older versions are in process. We will update this post when they become available.
Our Support team is always available to help customers and partners should they have any questions. Cases can be logged via the Success portal (login credentials required).