
Ivanti Connect Secure VPN Targeted in New Zero-Day

Security Update for Ivanti Connect Secure, Policy Secure and Neurons for ZTA Gateways.


Ivanti has released an urgent security update addressing two significant vulnerabilities affecting its Connect Secure, Policy Secure, and Neurons for ZTA gateway products. The company disclosed that one of the flaws has already been exploited in the wild, prompting immediate action from customers.

The more severe of the two vulnerabilities, tracked as CVE-2025-0282, received a critical CVSS score of 9.0. This flaw involves a stack-based buffer overflow that could allow unauthenticated remote attackers to execute malicious code on affected systems. 

Ivanti has confirmed that a limited number of Connect Secure appliances have already been compromised through this vulnerability.

The second vulnerability, CVE-2025-0283, rated as high severity with a CVSS score of 7.0, could enable authenticated local attackers to escalate their privileges on affected systems. Ivanti reports no known exploitation of this vulnerability at the time of disclosure.

The affected products include specific versions of Ivanti Connect Secure (versions 22.7R2 through 22.7R2.4), Ivanti Policy Secure (22.7R1 through 22.7R1.2), and Ivanti Neurons for ZTA gateways (22.7R2 through 22.7R2.3). The company has released immediate patches for Connect Secure, with updates for Policy Secure and Neurons for ZTA gateways scheduled for January 21, 2025.

To help customers identify potential compromises, Ivanti has updated its Integrity Checker Tool (ICT).

The company strongly recommends that customers monitor both internal and external ICT results as part of their security measures. For Connect Secure customers, Ivanti advises performing a factory reset on appliances before upgrading to version 22.7R2.5, even if current ICT scans show no signs of compromise.

The discovery and response to these vulnerabilities involved collaboration with prominent security firms, including Mandiant and Microsoft Threat Intelligence Center (MSTIC). 

Ivanti emphasized that the Policy Secure solution, being designed for internal network use, faces lower exploitation risks when properly configured according to company recommendations.

For organizations using these products, Ivanti has established dedicated support channels through their Success Portal to assist with implementing patches and addressing security concerns. 

The company also noted that while the older 9.x code line, which reached end-of-life on December 31, 2024, is not affected by CVE-2025-0282, it will not receive patches for CVE-2025-0283.
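The affected ranges and the 9.x note above can be turned into a quick inventory triage. This is an added example, not code from Ivanti or from the article; the product keys, status labels, hostnames and the 9.x version string are assumptions constructed for illustration.

```python
import re

# Affected ranges (inclusive) and fixed release, as stated in the article.
AFFECTED = {
    "connect-secure": ("22.7R2", "22.7R2.4"),
    "policy-secure": ("22.7R1", "22.7R1.2"),
    "zta-gateway": ("22.7R2", "22.7R2.3"),
}
FIXED = {"connect-secure": "22.7R2.5"}  # other fixes were still pending

_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """'22.7R2.4' -> (22, 7, 2, 4); a missing patch level counts as 0."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def triage(product, version):
    """Classify one appliance against the ranges above."""
    v = parse_version(version)
    if v[0] == 9:
        return "end-of-life"  # 9.x: no patch coming for CVE-2025-0283
    low, high = (parse_version(x) for x in AFFECTED[product])
    if low <= v <= high:
        return "affected"
    fixed = FIXED.get(product)
    # Assumption: releases after the fixed one keep the fix.
    if fixed and v >= parse_version(fixed):
        return "fixed"
    return "not-listed"  # outside the article's ranges; check the advisory


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("vpn-edge-1", "connect-secure", "22.7R2.3"),
    ("vpn-edge-2", "connect-secure", "22.7R2.5"),
    ("nac-core", "policy-secure", "22.7R1.2"),
    ("zta-gw", "zta-gateway", "22.7R2.4"),
    ("vpn-legacy", "connect-secure", "9.1R18.9"),
]


def triage_inventory(inventory):
    return {host: triage(product, ver) for host, product, ver in inventory}


if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:12} {status}")
```

A "fixed" or "not-listed" result says nothing about prior compromise; the ICT checks and factory-reset guidance above still apply.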

Last year, multiple flaws were reported in Ivanti products and exploited in the wild by hackers. Hackers continue targeting enterprise gateway products, which often serve as critical entry points to corporate networks and remain attractive targets for threat actors.
