Ivanti patches two EPMM flaws exploited in the wild




Flaws in third-party components

Ivanti notes that the vulnerabilities are located in two open-source libraries used in the product. Because the issues have not yet been fixed in the libraries themselves, the company has decided not to name them for now, but says it is working with their maintainers.

One of the flaws, CVE-2025-4428, is an arbitrary code execution issue, but because it requires authentication to exploit, it carries only a 7.2 (high severity) CVSS score. The other vulnerability is an authentication bypass that gives unauthenticated attackers access to protected resources; on its own it is rated only medium severity, with a score of 5.3.

However, the authentication bypass is exactly what is needed to turn the impact of the first flaw from high to critical: it allows the code execution bug to be exploited without authentication, removing its one limiting factor. In practice, an attacker who can reach the EPMM endpoint has an unauthenticated remote code execution chain, and that is how the pair should be prioritized. It is a good illustration of why individual severity scores should not be the only criterion for scheduling patches, since lower-severity flaws can be chained into far more potent attacks.