Vulnerability Details
Basic Information
| Title | Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283) |
|---|---|
| Type | ivanti |
| Published | 2025-08-01T16:55:55 |
| Last Seen | 2025-04-28T23:48:30 |
| CVSS Score | 9.0 (CRITICAL) |
CVSS v3 Details
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | HIGH |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
CVE Information
| CVE IDs | CVE-2025-0282, CVE-2025-0283 |
|---|---|
| CWE | |
| Bulletin Family | software |
Description
**Summary:**
Ivanti has released an update that addresses one critical and one high vulnerability in Ivanti Connect Secure, Policy Secure and ZTA Gateways. Successful exploitation of CVE-2025-0282 could lead to unauthenticated remote code execution. CVE-2025-0283 could allow a local authenticated attacker to escalate privileges.
**A patch is available now, please refer to the table below for each affected product.**
We are aware of a limited number of customers’ Ivanti Connect Secure appliances being exploited by CVE-2025-0282 at the time of disclosure. We are not aware of these CVEs being exploited in Ivanti Policy Secure or ZTA gateways.
We are not aware of any exploitation of CVE-2025-0283 at the time of disclosure.
Exploitation of CVE-2025-0282 can be identified by the Integrity Checker Tool (ICT). We strongly advise all customers to closely monitor their internal and external ICT as a part of a robust and layered approach to cybersecurity to ensure the integrity and security of the entire network infrastructure.
**Vulnerability Details:**
| **CVE Number** | **Description** | **CVSS Score (Severity)** | **CVSS Vector** | **CWE** |
|---|---|---|---|---|
| CVE-2025-0282 | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. | 9.0 (Critical) | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | CWE-121 |
| CVE-2025-0283 | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges. | 7.0 (High) | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE-121 |
**Affected Versions**
| **CVE** | **Product Name** | **Affected Version(s)** | **Affected CPE(s)** | **Resolved Version(s)** | **Patch Availability** |
|---|---|---|---|---|---|
| CVE-2025-0282 | Ivanti Connect Secure | 22.7R2 through 22.7R2.4 | cpe:2.3:a:ivanti:connect_secure:22.7:R2.4:*:*:*:*.*.* | 22.7R2.5 | Download Portal https://portal.ivanti.com/ |
| CVE-2025-0283 | Ivanti Connect Secure | 22.7R2.4 and prior, 9.1R18.9 and prior | cpe:2.3:a:ivanti:connect_secure:22.7:R2.4:*:*:*:*.*.* | 22.7R2.5 | Download Portal https://portal.ivanti.com/ |
| CVE-2025-0282 | Ivanti Policy Secure | 22.7R1 through 22.7R1.2 | cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*.*. | 22.7R1.3 | Download Portal https://portal.ivanti.com/ |
| CVE-2025-0283 | Ivanti Policy Secure | 22.7R1.2 and prior | cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*.*. | 22.7R1.3 | Download Portal https://portal.ivanti.com/ |
| CVE-2025-0282 | Ivanti Neurons for ZTA gateways | 22.7R2 through 22.7R2.3 | cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r2:*:*:*:*:*:* | 22.8R2 | Cloud service automatically updated as of 18 Jan 2025 |
| CVE-2025-0283 | Ivanti Neurons for ZTA gateways | 22.7R2.3 and prior | cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r2:*:*:*:*:*:* | 22.8R2 | Cloud service automatically updated as of 18 Jan 2025 |
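
As an added example (not part of Ivanti's advisory or tooling), the affected-version rows above can be encoded as ranges and checked against an appliance inventory to see which CVE applies and which release resolves it. The version parsing, the reading of "and prior" as covering only the same major line, and the sample hostnames are assumptions.

```python
import re

# Rows transcribed from the advisory's Affected Versions table:
# (CVE, product, lowest affected or None for "and prior", highest affected, resolved)
RULES = [
    ("CVE-2025-0282", "Ivanti Connect Secure", "22.7R2", "22.7R2.4", "22.7R2.5"),
    ("CVE-2025-0283", "Ivanti Connect Secure", None, "22.7R2.4", "22.7R2.5"),
    ("CVE-2025-0283", "Ivanti Connect Secure", None, "9.1R18.9", "22.7R2.5"),
    ("CVE-2025-0282", "Ivanti Policy Secure", "22.7R1", "22.7R1.2", "22.7R1.3"),
    ("CVE-2025-0283", "Ivanti Policy Secure", None, "22.7R1.2", "22.7R1.3"),
    ("CVE-2025-0282", "Ivanti Neurons for ZTA gateways", "22.7R2", "22.7R2.3", "22.8R2"),
    ("CVE-2025-0283", "Ivanti Neurons for ZTA gateways", None, "22.7R2.3", "22.8R2"),
]
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """Turn '22.7R2.4' into (22, 7, 2, 4); a missing patch level counts as 0."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def affected_by(product, version):
    """Return {cve: resolved_version} for each table row covering this version."""
    v, hits = parse_version(version), {}
    for cve, prod, low, high, fixed in RULES:
        if prod.lower() != product.strip().lower():
            continue
        hi = parse_version(high)
        # Assumption: "X and prior" covers earlier releases on X's major line only.
        floor = parse_version(low) if low else (hi[0], 0, 0, 0)
        if floor <= v <= hi:
            hits[cve] = fixed
    return hits

def triage(inventory):
    """Map host -> findings; an unparsable version maps to None (manual review)."""
    report = {}
    for host, product, version in inventory:
        try:
            report[host] = affected_by(product, version)
        except ValueError:
            report[host] = None
    return report

# Constructed inventory; hostnames are placeholders.
SAMPLE = [("vpn-a.example", "Ivanti Connect Secure", "22.7R2.3"),
          ("vpn-b.example", "Ivanti Connect Secure", "9.1R18.9"),
          ("nac-a.example", "Ivanti Policy Secure", "22.7R1.3")]
```

An empty result only means no table row covers that version; it says nothing about whether an appliance was already compromised, which is what the ICT checks are for.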
**Important Note for Performing the ICT External Tool:**
As of 10th January 2025, a new version of the external Integrity Checker Tool has been released. This is version ICT-V22725 (build 3819) and is functional for all R2 versions of 22.X. This resolves the limitation of the previous version, which only worked on the most recent version.
**Solution**
**Ivanti Connect Secure:**
* Clean internal and external ICT scan: upgrade to Ivanti Connect Secure 22.7R2.5 and continue to closely monitor your internal and external ICT in conjunction with other security tools. Factory reset on appliances with a clean ICT scan is recommended before putting 22.7R2.5 in production out of an abundance of caution.
* ICT result shows signs of compromise: perform a factory reset on the appliance to ensure any malware is removed, put the appliance back into production using version 22.7R2.5. Continue to closely monitor your internal and external ICT in conjunction with other security tools.
**Ivanti Policy Secure:** This solution is not intended to be internet facing, which makes the risk of exploitation significantly lower. The fix for Ivanti Policy Secure is planned for release on January 21, 2025, and will be available in the standard download portal. Customers should always ensure that their IPS appliance is configured according to Ivanti recommendations and not expose it to the internet. We are not aware of these CVEs being exploited in Ivanti Policy Secure.
**Ivanti Neurons for ZTA Gateways:** The Ivanti Neurons ZTA gateways cannot be exploited when in production. If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. A patch is now available. We are not aware of these CVEs being exploited in ZTA Gateways.
**Acknowledgements**
Thank you to our customers and security partners for their engagement and support, which enabled our swift detection and response to this issue.
We appreciate the collaboration and partnership of Mandiant and MSTIC as we responded to this threat.
Note: Ivanti is dedicated to ensuring the security and integrity of our enterprise software products. We recognize the vital role that security researchers, ethical hackers, and the broader security community play in identifying and reporting vulnerabilities. Visit HERE to learn more about our Vulnerability Disclosure Policy.
**FAQ**
**1\. Are you aware of any active exploitation of these vulnerabilities?**
We are aware of a limited number of customers whose appliances have been exploited due to CVE-2025-0282.
**2\. How can I tell if I have been compromised?**
Exploitation of the vulnerabilities has been identified by the Integrity Checker Tool (ICT). Customers should closely monitor their internal and external ICT and reach out to our support team if they see any suspicious activity.
The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state. The ICT does not scan for malware or other Indicators of Compromise. Customers should run the ICT in conjunction with other monitoring tools.
Indicators of Compromise will be shared with customers that have confirmed impact to move them forward in their forensics investigation. If customers require additional information, they should open a ticket with support.
**3\. Are CVE-2025-0282 and CVE-2025-0283 being chained in the exploit?**
No, we have no indication that CVE-2025-0283 is being exploited or chained with CVE-2025-0282. As we were conducting our threat hunting, we also discovered the vulnerability being disclosed as CVE-2025-0283 and included it in the patch as well.
**4\. What should I do if I need help?**
If you have questions after reviewing this information, you can log a case and/or request a call via the Success Portal.
**5\. What versions of Connect Secure do these vulnerabilities impact?**
The versions of code that each CVE impacts are reflected in the chart above. The 9.x line of code reached End of Life on December 31, 2024, and will not be receiving a patch for CVE-2025-0283. It is important for customers to know that we are not aware of any exploitation of CVE-2025-0283 in the wild and CVE-2025-0282 does not impact the 9.x line of code.
**6\. How should we handle snapshots that contain multiple files? Will Ivanti Support provide analysis on these?**
As noted in Interpreting the External Integrity Scan Output, the external ICT will generate a decrypted snapshot. Guidance for identifying false positives has been updated in the article with references for the filetypes to be found. If you find that, on inspection, there is something unexplained or of specific concern please raise a case with Ivanti Support through Ivanti Success Portal.
**7\. Are there any Indicators of Compromise we can validate outside of the integrity checker tool?**
Customers can also reference Mandiant’s blog for additional findings of the coordinated investigation.
Impact Assessment
| Base Score | 9.0 |
|---|---|
| Severity | CRITICAL |