Ivanti Connect Secure Vulnerabilities Targeted by Attackers – CVE-2025-0282/0283

Wednesday 15th January 2025

Summary

Ivanti released a security advisory on 8th January 2025 about two new vulnerabilities in Ivanti Connect Secure VPN appliances, Policy Secure, and ZTA Gateways.

  • CVE-2025-0282 (CVSS: 9.0 [Critical]) could lead to unauthenticated remote code execution. This CVE is a stack-based buffer overflow vulnerability.
  • CVE-2025-0283 (CVSS: 7.0 [High]) could allow a local authenticated attacker to escalate privileges.

Mandiant identified zero-day exploitation of CVE-2025-0282 in the wild starting in mid-December 2024, so patches for this vulnerability should be prioritised.

Affected Products

| CVE | Product Name | Affected Version(s) | Affected CPE(s) | Resolved Version(s) | Patch Availability |
|---|---|---|---|---|---|
| CVE-2025-0282 | Ivanti Connect Secure | 22.7R2 through 22.7R2.4 | cpe:2.3:a:ivanti:connect_secure:22.7:R2.4:*:*:*:*.*.* | 22.7R2.5 | Download Portal https://portal.ivanti.com/ |
| CVE-2025-0283 | Ivanti Connect Secure | 22.7R2.4 and prior, 9.1R18.9 and prior | cpe:2.3:a:ivanti:connect_secure:22.7:R2.4:*:*:*:*.*.* | 22.7R2.5 | Download Portal https://portal.ivanti.com/ |
| CVE-2025-0282 | Ivanti Policy Secure | 22.7R1 through 22.7R1.2 | cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*.*. | | Patch planned availability Jan. 21 |
| CVE-2025-0283 | Ivanti Policy Secure | 22.7R1.2 and prior | cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*.*. | | Patch planned availability Jan. 21 |
| CVE-2025-0282 | Ivanti Neurons for ZTA gateways | 22.7R2 through 22.7R2.3 | N/A | 22.7R2.5 | Patch planned availability Jan. 21 |
| CVE-2025-0283 | Ivanti Neurons for ZTA gateways | 22.7R2.3 and prior | N/A | 22.7R2.5 | Patch planned availability Jan. 21 |