ACSC Advisory Warns of Critical Ivanti Vulnerabilities


The Australian Cyber Security Centre (ACSC) has issued an alert to Australian organisations that use Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA Gateways, warning them of vulnerabilities.

This followed Ivanti’s release of an update on January 8, 2025 that addresses one critical and one high-severity vulnerability. Successful exploitation of CVE-2025-0282 could lead to unauthenticated remote code execution, while CVE-2025-0283 could allow a local authenticated attacker to escalate privileges.

Ivanti says that at the time of disclosure it was aware of a limited number of customers’ Ivanti Connect Secure appliances having been exploited via CVE-2025-0282. The company was not aware of either CVE being exploited in Ivanti Policy Secure or ZTA gateways, nor of any exploitation of CVE-2025-0283.

CVE-2025-0282 is a stack-based buffer overflow in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways that allows a remote unauthenticated attacker to achieve remote code execution. It is rated critical and affects Ivanti Connect Secure 22.7R2 through 22.7R2.4; Ivanti Policy Secure 22.7R1 through 22.7R1.2; and Ivanti Neurons for ZTA gateways 22.7R2 through 22.7R2.3.

CVE-2025-0283 is a separate stack-based buffer overflow in the same three products that allows a local authenticated attacker to escalate their privileges. It is rated high and affects Ivanti Connect Secure 22.7R2.4 and prior, and 9.1R18.9 and prior; Ivanti Policy Secure 22.7R1.2 and prior; and Ivanti Neurons for ZTA gateways 22.7R2.3 and prior.

Ivanti Connect Secure 22.7R2.5 contains the fix for both CVEs; the fixes for Ivanti Policy Secure and Ivanti Neurons for ZTA gateways were scheduled to follow, as described below.
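The version ranges above are the first thing a practitioner needs to turn into an inventory check. The following script is an added example written for this page, not Ivanti's or ACSC's code: it parses Ivanti build strings of the form major.minor R release.patch (as in 22.7R2.4 or 9.1R18.9) and reports which of the two CVEs list a given product build as affected. The ranges are taken from the advisory summary above; the one modelling assumption is that "X and prior" means every build in the same major.minor line up to and including X, which is why 9.1R18.9 and prior is carried as its own range. The small inventory at the bottom is constructed sample input.

```python
import re
from typing import NamedTuple


class IvantiVersion(NamedTuple):
    """Tuple form of an Ivanti build string; tuple ordering gives version ordering."""
    major: int
    minor: int
    release: int
    patch: int


# Matches strings such as "22.7R2", "22.7R2.4" or "9.1R18.9".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> IvantiVersion:
    """Parse an Ivanti build string. A missing patch component ("22.7R2")
    is treated as .0 so that 22.7R2 sorts before 22.7R2.1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return IvantiVersion(int(major), int(minor), int(release), int(patch or 0))


def _line_start(v: IvantiVersion) -> IvantiVersion:
    """Lowest possible build in the same major.minor line (assumption used for 'X and prior')."""
    return IvantiVersion(v.major, v.minor, 0, 0)


# Affected ranges as stated in the advisory summary, keyed by product and CVE.
# Each range is (lowest affected, highest affected), both inclusive.
AFFECTED = {
    "Ivanti Connect Secure": {
        "CVE-2025-0282": [(parse_version("22.7R2"), parse_version("22.7R2.4"))],
        "CVE-2025-0283": [
            (_line_start(parse_version("22.7R2.4")), parse_version("22.7R2.4")),
            (_line_start(parse_version("9.1R18.9")), parse_version("9.1R18.9")),
        ],
    },
    "Ivanti Policy Secure": {
        "CVE-2025-0282": [(parse_version("22.7R1"), parse_version("22.7R1.2"))],
        "CVE-2025-0283": [(_line_start(parse_version("22.7R1.2")), parse_version("22.7R1.2"))],
    },
    "Ivanti Neurons for ZTA gateways": {
        "CVE-2025-0282": [(parse_version("22.7R2"), parse_version("22.7R2.3"))],
        "CVE-2025-0283": [(_line_start(parse_version("22.7R2.3")), parse_version("22.7R2.3"))],
    },
}


def affected_cves(product: str, version: str) -> list[str]:
    """Return the CVEs whose listed ranges contain this product build.

    An empty list means the build falls outside every listed range; it does
    not mean the appliance has been verified clean, so an ICT scan is still
    required on anything that was exposed while vulnerable."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED[product].items():
        if any(lo <= v <= hi for lo, hi in ranges):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and builds are made up).
    inventory = [
        ("vpn-syd-01", "Ivanti Connect Secure", "22.7R2.4"),
        ("vpn-syd-02", "Ivanti Connect Secure", "22.7R2.5"),
        ("vpn-legacy", "Ivanti Connect Secure", "9.1R18.9"),
        ("nac-mel-01", "Ivanti Policy Secure", "22.7R1.2"),
        ("zta-gw-01", "Ivanti Neurons for ZTA gateways", "22.7R2.3"),
    ]
    for host, product, build in inventory:
        cves = affected_cves(product, build)
        status = ", ".join(cves) if cves else "outside listed ranges"
        print(f"{host:<12} {product:<32} {build:<10} {status}")
```

Run it against an export of your own asset inventory; anything reporting CVE-2025-0282 on an internet-facing Connect Secure should be treated as potentially compromised and taken through the ICT and factory-reset steps below rather than simply patched in place.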

Ivanti’s advisory details the solutions available to customers, specifically:

Ivanti Connect Secure

Clean internal and external Integrity Checker Tool (ICT) scan: upgrade to Ivanti Connect Secure 22.7R2.5 and continue to closely monitor internal and external ICT results in conjunction with other security tools. Out of an abundance of caution, a factory reset is recommended even on appliances with a clean ICT scan before 22.7R2.5 is put into production.

ICT result shows signs of compromise: perform a factory reset on the appliance to ensure any malware is removed, then return it to production on version 22.7R2.5. Continue to closely monitor internal and external ICT results in conjunction with other security tools.

Ivanti Policy Secure

Ivanti Policy Secure (IPS) is not intended to be internet-facing, which significantly lowers the risk of exploitation. The fix for Ivanti Policy Secure was planned for release on January 21, 2025 through the standard download portal. Customers should ensure that their IPS appliance is configured according to Ivanti's recommendations and is not exposed to the internet. Ivanti is not aware of these CVEs being exploited in Ivanti Policy Secure.

Ivanti Neurons for ZTA Gateways

According to Ivanti, ZTA gateways cannot be exploited when in production. A gateway that has been generated but left unconnected to a ZTA controller is, however, at risk of exploitation. The fix was planned for release on January 21, 2025. Ivanti is not aware of these CVEs being exploited in ZTA gateways.

Ivanti says it is dedicated to ensuring the security and integrity of its enterprise software products. The company says it recognises the vital role that security researchers, ethical hackers, and the broader security community play in identifying and reporting vulnerabilities.

Customers can also refer to Mandiant’s blog for additional findings from the coordinated investigation.
