Flaws in third-party components
Ivanti notes that the vulnerabilities are located in two open-source libraries used in the product. Because the flaws have not yet been announced in the libraries themselves, the company decided not to name them for now but is working with their maintainers.
One of the flaws, CVE-2025-4428, is an arbitrary code execution issue, but because exploiting it requires authentication it scores only 7.2 (high severity) on the CVSS scale. The other vulnerability is an authentication bypass that gives unauthenticated attackers access to protected resources; on its own it is rated medium severity, with a score of 5.3.
However, the authentication bypass is exactly what is needed to turn the impact of the first flaw from high to critical: it allows the code execution bug to be exploited without credentials, removing the only factor that was holding its score down. A CVSS base score assumes the attacker must satisfy a flaw's preconditions themselves; when a second flaw supplies that precondition, the effective severity is that of the chain, not of either component. This is a good example of why severity scores should not be the only criterion for prioritizing patches, since lower-severity flaws can be chained into much more potent attacks.