External risk intelligence

Ivanti Gateways Vulnerable to Remote Code Execution

CVE advisoryKnown Exploit

CVE-2025-0282

A stack-based buffer overflow vulnerability in Ivanti gateways allows unauthenticated remote attackers to execute code. This could impact systems and data, posing a business risk.

5Halo Surface Signal

Out-of-bounds Write

Ivanti Connect Secure

22.7

External exposure likelihood

Halo Surface Signal score for CVE-2025-0282

This vulnerability affects Ivanti Connect Secure, Policy Secure, and ZTA gateways, which are network edge appliances designed specifically to provide remote access, VPN connectivity, and secure identity portals. These products are intended to be public-facing by design to facilitate external access to internal resources, placing them directly on the internet edge.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A buffer overflow flaw exists in certain Ivanti products. This weakness allows an unauthenticated attacker to execute code remotely. This could lead to the compromise of systems, data, and operational disruption.

  • Vulnerable Ivanti gateways
  • Remote code execution
  • System compromise and data loss

Attack Path

How an attacker could exploit the issue

A stack-based buffer overflow vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways enables an unauthenticated remote attacker to execute arbitrary code. The vulnerability resides in the gateway's network-facing component, allowing for remote code execution without prior authentication. This could lead to significant business risk if exploited.

  • External network exposure required.
  • Attacker sends crafted network request.
  • Remote code execution achieved.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk, enabling remote, unauthenticated attackers to execute code on affected systems. Exploitation could lead to comprehensive system compromise, including data theft and disruption of services. The critical severity and documented exploitation indicate an urgent need for remediation to protect organizational assets.

  • Attackers with moderate skill may exploit.
  • Public-facing access is required.
  • Business risk is critical and urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows an unauthenticated attacker to execute remote code, posing a significant risk to organizational systems and data. Organizations should prioritize addressing this issue to prevent potential compromise and maintain business operations. The immediate focus should be on identifying affected systems, mitigating exposure, applying vendor-provided fixes, validating the effectiveness of these fixes, and establishing ongoing monitoring.

  • Find affected Ivanti appliances.
  • Reduce exposure or isolate risk.
  • Apply and verify vendor fixes.
  • Monitor for related activity.

Frequently asked questions

What is the nature of the vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways?

A stack-based buffer overflow vulnerability exists in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3. This weakness allows a remote, unauthenticated attacker to execute arbitrary code on the affected systems.

How can an attacker exploit the Ivanti gateway vulnerability?

An unauthenticated remote attacker can exploit this vulnerability by sending a crafted network request to the gateway. The vulnerability lies within the network-facing component, enabling remote code execution without requiring any prior authentication.

What is the potential impact of exploiting this Ivanti vulnerability?

Successful exploitation of this vulnerability can lead to remote code execution, potentially resulting in comprehensive system compromise. This can include data theft, disruption of services, and significant business risk. The vulnerability has a critical severity rating.

What is the recommended action for mitigating the risk associated with CVE-2025-0282, and why is it considered a high priority?

Organizations should prioritize identifying affected Ivanti appliances, reducing their exposure or isolating the risk, and applying vendor-provided fixes. Verifying the effectiveness of these fixes and establishing ongoing monitoring are also crucial steps. This vulnerability is critical and has been observed in the wild, making remediation urgent.

Which Ivanti products and versions are affected by this critical vulnerability?

The vulnerability affects Ivanti Connect Secure versions prior to 22.7R2.5, Ivanti Policy Secure versions prior to 22.7R1.2, and Ivanti Neurons for ZTA gateways versions prior to 22.7R2.3.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified