Wednesday 15th January 2025
Summary
Ivanti released a security advisory on 8th January 2025 about two new vulnerabilities in Ivanti Connect Secure VPN appliances, Policy Secure, and ZTA Gateways.
- CVE-2025-0282 (CVSS: 9.0 [Critical]) could lead to unauthenticated remote code execution. This CVE is a stack-based buffer overflow vulnerability.
- CVE-2025-0283 (CVSS: 7.0 [High]) could lead to privilege escalation of a local authenticated attacker.
Mandiant identified zero-day exploitation of CVE-2025-0282 in the wild starting in mid-December 2024 so patches for this vulnerability should be prioritised.
Affected Products
CVE |
Product Name |
Affected Version(s) |
Affected CPE(s) |
Resolved Version(s) |
Patch Availability |
CVE-2025-0282 |
Ivanti Connect Secure |
22.7R2 through 22.7R2.4 |
cpe:2.3:a:ivanti:connect_secure:22.7:R2.4:*:*:*:*.*.* |
22.7R2.5 |
Download Portal https://portal.ivanti.com/ |
CVE-2025-0283 |
Ivanti Connect Secure |
22.7R2.4 and prior, 9.1R18.9 and prior |
cpe:2.3:a:ivanti:connect_secure:22.7:R2.4:*:*:*:*.*.* |
22.7R2.5 |
Download Portal https://portal.ivanti.com/ |
CVE-2025-0282 |
Ivanti Policy Secure |
22.7R1 through 22.7R1.2 |
cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*.*. |
|
Patch planned availability Jan. 21 |
CVE-2025-0283 |
Ivanti Policy Secure |
22.7R1.2 and prior |
cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*.*. |
|
Patch planned availability Jan. 21 |
CVE-2025-0282 |
Ivanti Neurons for ZTA gateways |
22.7R2 through 22.7R2.3 |
N/A |
22.7R2.5 |
Patch planned availability Jan. 21
|
CVE-2025-0283 |
Ivanti Neurons for ZTA gateways |
22.7R2.3 and prior |
N/A |
22.7R2.5 |
Patch planned availability Jan. 21
|