Ivanti patches two EPMM defects exploited in the field

Defects in third-party components
Ivanti noted that the vulnerabilities are located in two open source libraries used in the product. Since these flaws have not been announced for the libraries themselves, the company decided not to name them for the time being and to work with their maintainers instead.
One of the flaws, CVE-2025-4428, is an arbitrary code execution issue, but because exploiting it requires authentication, it scores only 7.2 (high severity) on the CVSS scale. The other vulnerability is an authentication bypass that gives unauthenticated attackers access to protected resources and is rated only moderate severity, with a score of 5.3.
However, the authentication bypass is exactly what is needed to take the first flaw from high to critical impact: with the bypass, the code execution flaw can be exploited without authentication, eliminating its only limiting factor. This is a good example of why severity scores should not be the only criterion for prioritization, because lower-severity flaws can be combined to achieve more effective attacks.