CVE-2024-38648 CRITICAL

CVE-2024-38648

Vendor Ivanti
Product DSM
Published July 12, 2025
Last update July 14, 2025

CVSS base score

9.0/10
Attack vector Adjacent
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

A hardcoded secret in Ivanti DSM before 2024.2 allows an authenticated attacker on an adjacent network to decrypt sensitive data including user credentials.

Key dates

02Disclosure timeline

July 12, 2025 CVE published
July 14, 2025 Record updated