
IAM Vulnerability Tracker: IAM products and the identity-adjacent stack.

Curated tracker of CVEs affecting IAM products — workforce IdPs, PAM platforms, IGA, customer identity, and identity-adjacent infrastructure. Each entry links to the canonical advisory and includes a practitioner note on blast radius and remediation. Updated as new CVEs land. RSS feed for journalists and incident responders.


Tracked: 6 · Newest: Jan 10, 2024

  1. CVE-2023-46805 · Identity infrastructure · Disclosed Jan 10, 2024
    CISA KEV · Critical · 8.2

    Ivanti Connect Secure / Policy Secure authentication bypass

    Ivanti · Ivanti Connect Secure, Ivanti Policy Secure

    Authentication bypass in the web component of Ivanti Connect Secure (formerly Pulse Connect Secure) and Policy Secure, allowing a remote attacker to access restricted resources by chaining with CVE-2024-21887.

    Practitioner note

    Ivanti VPN appliances are a recurring identity-adjacent attack surface. When these are compromised, every downstream IdP integration is implicitly compromised too. CISA issued Emergency Directive ED-24-01 requiring federal agencies to disconnect affected appliances. The chained exploit with CVE-2024-21887 produces unauthenticated RCE.

    References: Vendor advisory · NVD entry
  2. CVE-2024-3400 · Identity infrastructure · Disclosed Apr 12, 2024
    CISA KEV · Critical · 10.0

    PAN-OS GlobalProtect command injection

    Palo Alto Networks · PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1

    Command-injection vulnerability in the GlobalProtect feature of PAN-OS that allows an unauthenticated attacker to execute arbitrary code with root privileges on affected firewalls.

    Practitioner note

    GlobalProtect is the VPN gateway many enterprises front their identity provider with. CVSS 10.0 unauthenticated RCE on the appliance means full compromise of the auth-adjacent perimeter. Volexity identified active exploitation prior to disclosure. Patch immediately and rotate any credentials handled through the appliance.

    References: Vendor advisory · NVD entry
  3. CVE-2024-21683 · Identity infrastructure · Disclosed May 21, 2024
    High · 8.3

    Confluence Data Center auth bypass + RCE

    Atlassian · Confluence Data Center, Confluence Server

    Authenticated remote code execution in Confluence — chained with prior auth-bypass CVEs to produce unauthenticated RCE on Internet-facing deployments.

    Practitioner note

    Confluence is identity-adjacent because it holds the IAM team's runbooks, RACI matrices, and access-narrative documentation. RCE on Confluence often produces credential exposure for downstream IdPs. Atlassian Cloud customers are unaffected; self-hosted Data Center and Server installations need immediate patching.

    References: Vendor advisory · NVD entry
  4. CVE-2024-29849 · Identity infrastructure · Disclosed May 21, 2024
    Critical · 9.8

    Veeam Backup Enterprise Manager authentication bypass

    Veeam · Veeam Backup Enterprise Manager 12.1.2

    Authentication bypass on the Veeam Backup Enterprise Manager web interface allowing an unauthenticated attacker to log in as any user.

    Practitioner note

    Veeam Backup Enterprise Manager often holds cross-domain credentials used to restore AD / IdP state. An authentication bypass on this surface therefore gives an attacker the keys to several identity surfaces at once. Patch, and restrict the web interface to internal networks only.

    References: Vendor advisory · NVD entry
  5. CVE-2023-22515 · Identity infrastructure · Disclosed Oct 4, 2023
    CISA KEV · Critical · 10.0

    Confluence broken access control to admin

    Atlassian · Confluence Data Center, Confluence Server

    Unauthenticated attacker can create administrator accounts on affected Confluence Data Center and Server instances via the broken access control on the setup endpoint.

    Practitioner note

    Mass-exploited shortly after disclosure; CISA, Microsoft Threat Intelligence, and others documented active attacks. A CVSS 10.0 rating combined with administrator-account creation means full system compromise. Patched in 8.3.3+, 8.4.3+, 8.5.2+. Add this to the periodic attack-surface review of any self-hosted Atlassian deployment.

    References: Vendor advisory · NVD entry
  6. CVE-2023-3519 · Identity infrastructure · Disclosed Jul 18, 2023
    CISA KEV · Critical · 9.8

    Citrix ADC / Gateway unauthenticated RCE

    Citrix · NetScaler ADC, NetScaler Gateway (formerly Citrix ADC / Gateway)

    Unauthenticated remote code execution in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, RDP Proxy) or AAA virtual server.

    Practitioner note

    Citrix Gateway is the authentication front for many enterprise application surfaces, the same path the Change Healthcare 2024 ransomware took. CISA, NSA, and FBI issued a joint advisory. This CVE, combined with weak account MFA on the same surface, is how identity-adjacent breaches happen.

    References: Vendor advisory · NVD entry
Inclusion criteria

What ends up in the tracker.

Three filters: (1) CVE-assigned and published in NVD (or covered by a vendor advisory issued ahead of NVD publication); (2) affects an identity product directly, or an identity-adjacent surface that, when compromised, gives an attacker meaningful access to the identity stack (VPN gateways, secrets stores, AD-adjacent infrastructure); (3) has a documented advisory and a patch.

We add new entries within 48 hours of disclosure for critical-severity CVEs. KEV-listed entries are highlighted with a badge.

Need patch coordination?

We staff incident response across the identity stack.

When a critical IdP / PAM / VPN CVE lands, having a practitioner on call who knows your environment is the difference between "patched in 12 hours" and "in the news next week."
