4:00pm, 9 January 2025
Two vulnerabilities affecting Ivanti products
CVE-2025-0282 (CVSS 9.0) is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure and Neurons for ZTA gateways. This could allow a remote unauthenticated attacker to achieve remote code execution.
CVE-2025-0283 (CVSS 7.0) is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure and Neurons for ZTA gateways. This could allow a local authenticated attacker to escalate their privileges.
An upgrade to the latest version is recommended as well as additional remediation steps.
What's happening
Systems affected
The following Ivanti products are affected:
- Ivanti Connect Secure before version 22.7R2.5
- Ivanti Policy Secure before version 22.7R1.2
- Ivanti Neurons for ZTA gateways before version 22.7R2.3
What this means
The Ivanti products and versions listed above are vulnerable.
The NCSC is aware of public reporting of active exploitation in the wild for CVE-2025-0282.
What to look for
How to tell if you're at risk
You are at risk if you are running an Ivanti Connect Secure, Policy Secure or Neurons for ZTA gateway within the version range listed above.
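The following is an added example, not part of the CERT NZ advisory or any Ivanti tooling, showing one way to turn the "before version X" ranges above into an inventory check. It parses Ivanti-style version strings such as 22.7R2.5 into comparable tuples and flags any installation below the fixed version for its product. The sample inventory, hostnames and the assumption that the numeric parts before and after the "R" order lexicographically are constructed for the example and are not stated on the page.

```python
"""Asset-inventory check for the Ivanti versions named in this advisory.

Constructed example: parses Ivanti-style version strings (e.g. "22.7R2.5")
and flags installations older than the fixed version for each product.
"""
import re
from typing import Iterable, List, Tuple

# Fixed versions as stated in the advisory text. Anything older is treated
# as inside the affected range ("before version X").
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA gateways": "22.7R2.3",
}

# "<major>.<minor>" optionally followed by "R<release>.<build>"
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:R(\d+(?:\.\d+)*))?$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "22.7R2.5" into a comparable tuple (22, 7, 0, 2, 5, 0).

    Assumption (not stated on the page): the numeric parts before and after
    the "R" order lexicographically, so "22.7R2.5" > "22.7R2.3" > "22.7R1.2".
    Each half is zero-padded to three components so shorter strings such as
    "22.7R2" or "22.7" still compare sensibly against longer ones.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    base = [int(p) for p in m.group(1).split(".")]
    rel = [int(p) for p in m.group(2).split(".")] if m.group(2) else []
    base += [0] * (3 - len(base))
    rel += [0] * (3 - len(rel))
    return tuple(base + rel)


def is_affected(product: str, installed: str) -> bool:
    """True when the installed version is below the fixed version for that product."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) for every inventory row needing action.

    `inventory` is an iterable of dicts with keys host, product and version,
    for example rows exported from a CMDB.
    """
    return [
        (row["host"], row["product"], row["version"])
        for row in inventory
        if is_affected(row["product"], row["version"])
    ]


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "vpn-gw-01.example.test", "product": "Ivanti Connect Secure", "version": "22.7R2.4"},
    {"host": "vpn-gw-02.example.test", "product": "Ivanti Connect Secure", "version": "22.7R2.5"},
    {"host": "nac-01.example.test", "product": "Ivanti Policy Secure", "version": "22.7R1.1"},
    {"host": "zta-01.example.test", "product": "Ivanti Neurons for ZTA gateways", "version": "22.6R1.3"},
    {"host": "zta-02.example.test", "product": "Ivanti Neurons for ZTA gateways", "version": "22.7R2.3"},
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below fixed version {FIXED_VERSIONS[product]}")
```

Run against a real export, the output is the list of gateways to prioritise for the upgrade and the additional remediation steps in the vendor advisory; a version string the regex does not recognise raises rather than silently passing, so unexpected formats surface instead of being skipped.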
What to do
Prevention
Ivanti Connect Secure installations should be upgraded to version 22.7R2.5.
Patches for Ivanti Policy Secure and Ivanti Neurons for ZTA gateways are expected to be available on 21 January 2025.
Organisations are encouraged to apply additional remediation steps that are provided in the vendor advisory.
More information
Refer to the vendor advisory for more information.
Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283)
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
Report an incident to CERT NZ