In disclosing yet another vulnerability in its Connect Secure, Policy Secure, and ZTA gateways, Ivanti has confused the third-party researchers who discovered it.
Researchers at watchTowr blogged today about not being credited with the discovery of CVE-2024-22024 – the latest in a series of vulnerabilities affecting Ivanti gateways as the vendor continues to develop patches for supported versions.
Unlike the zero-days that came before it, the high-severity authentication bypass flaw affects only a limited number of supported versions and, according to Ivanti, was discovered in-house.
"As part of the ongoing investigation, we discovered a new vulnerability as part of our internal review and testing of our code, which we are reporting as CVE-2024-22024," an Ivanti article reads.
However, watchTowr claims its researchers were the first to bring Ivanti's attention to the bug on February 2, publishing screenshots of the emails exchanged between it and Ivanti as proof.