Ivanti reports two flaws in Connect Secure, Policy Secure and Neurons - one critical and actively exploited
Take action: If you are using Connect Secure, Policy Secure or ZTA Gateway, it's time to review, lock down or patch your system. For Connect Secure, patch ASAP. For the other two, make sure they are isolated from the internet and connected to the proper controller. And since these flaws just keep coming, maybe consider a different product?
Ivanti is reporting two vulnerabilities affecting their Connect Secure, Policy Secure, and Neurons for ZTA Gateways products.
- CVE-2025-0282 (CVSS score 9.0) is a stack-based buffer overflow that enables unauthenticated remote code execution.
- CVE-2025-0283 (CVSS score 7.0) allows local authenticated attackers to escalate privileges through another stack-based buffer overflow.
The vulnerabilities affect multiple product versions, including Connect Secure versions 22.7R2 through 22.7R2.4, Policy Secure versions 22.7R1 through 22.7R1.2, and ZTA Gateways versions 22.7R2 through 22.7R2.3.
Ivanti has confirmed that a limited number of Connect Secure appliances have already been exploited using CVE-2025-0282, though no exploitation has been observed in Policy Secure or ZTA Gateways. There are currently no reports of CVE-2025-0283 being exploited in the wild.
Ivanti has released immediate patches for Connect Secure, with version 22.7R2.5 now available for download. Patches for Policy Secure and ZTA Gateways are scheduled for release by January 21, 2025.
The company has also released an updated External Integrity Checker Tool (ICT-V22725) to help detect potential exploitation of CVE-2025-0282, though this tool is only compatible with Connect Secure version 22.7R2.5 and above.
For mitigation, Ivanti recommends different approaches based on the product:
- Connect Secure users should immediately upgrade to version 22.7R2.5 and perform a factory reset before deploying in production, especially if compromise is detected.
- Policy Secure customers are advised to ensure their appliances are not exposed to the internet.
- ZTA Gateway users should verify their gateways are properly connected to a ZTA controller.
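An added example, not part of the original advisory or Ivanti's tooling: a small inventory triage that parses Ivanti version strings and applies the affected ranges and per-product actions listed above. Product keys, hostnames and status labels are made up for the example, and Connect Secure versions at or above 22.7R2.5 are assumed to carry the fix.

```python
import re

# Affected ranges and actions as stated in the text above. The text says
# "including", so a version outside these ranges is not proven safe.
AFFECTED = {
    "connect-secure": ((22, 7, 2, 0), (22, 7, 2, 4)),
    "policy-secure":  ((22, 7, 1, 0), (22, 7, 1, 2)),
    "zta-gateway":    ((22, 7, 2, 0), (22, 7, 2, 3)),
}
ACTION = {
    "connect-secure": "upgrade to 22.7R2.5; factory reset before production",
    "policy-secure":  "confirm appliance is not exposed to the internet",
    "zta-gateway":    "confirm gateway is connected to a ZTA controller",
}
ICT_MIN = (22, 7, 2, 5)  # ICT-V22725 only supports Connect Secure 22.7R2.5+
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """Turn '22.7R2.4' into (22, 7, 2, 4); '22.7R2' has patch level 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def triage(product, version):
    """Return (status, action) for one appliance."""
    if product not in AFFECTED:
        return ("unknown-product", "check manually")
    try:
        v = parse_version(version)
    except ValueError:
        return ("unparsed", "check manually")
    low, high = AFFECTED[product]
    if low <= v <= high:
        return ("affected", ACTION[product])
    if product == "connect-secure" and v >= ICT_MIN:
        return ("fixed", "run the external ICT (ICT-V22725)")
    return ("outside-listed-range", "check the vendor advisory for this version")

# Constructed sample inventory (hostnames are made up).
INVENTORY = [
    ("vpn-01", "connect-secure", "22.7R2.3"),
    ("vpn-02", "connect-secure", "22.7R2.5"),
    ("nac-01", "policy-secure", "22.7R1"),
    ("zta-01", "zta-gateway", "v22.7"),  # malformed on purpose
]

def report(inventory=INVENTORY):
    return {host: triage(product, ver) for host, product, ver in inventory}
```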
Mandiant reports that threat actors have been actively exploiting an Ivanti Connect Secure vulnerability since December 2023, deploying two previously undiscovered malware strains called DRYHOOK and PHASEJAM on compromised appliances.