Flaws in third-party components
Ivanti notes that the vulnerabilities are located in two open-source libraries used within the product. Because the issues have not yet been disclosed in the libraries themselves, the company decided not to name them for now, but it is working with their maintainers.
One of the flaws, CVE-2025-4428, is an arbitrary code execution issue, but because it requires authentication to exploit, it has only a 7.2 (high severity) score on the CVSS scale. The other vulnerability is an authentication bypass that gives unauthenticated attackers access to protected resources and is rated only as medium severity, with a score of 5.3.
However, the authentication bypass is exactly what is needed to turn the impact of the first flaw from high to critical, because it allows that flaw to be exploited without authentication, removing its one limiting factor. This is a good example of why severity scores should not be the only criterion for prioritizing patches: some lower-severity flaws can be combined to achieve far more potent attacks.