This flaw allows unauthenticated remote code execution. CVE-2025-0283, a high-severity vulnerability with a CVSS score of 7.0, enables local privilege escalation. Patches are available for Ivanti Connect Secure, while updates for Policy Secure and Neurons for ZTA are expected by January 21, 2025
 

Vulnerabilities Overview
 

1.    CVE-2025-0282: Stack-Based Buffer Overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways

• Severity: Critical (CVSS 9.0)
• Impact: This vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on affected devices, potentially leading to complete system compromise.
• Affects: Ivanti Connect Secure (versions 22.7R2 to 22.7R2.4), Ivanti Policy Secure (versions 22.7R1 to 22.7R1.2), Ivanti Neurons for ZTA Gateways (versions 22.7R2 to 22.7R2.3).
• Exploitability: A successful attack can lead to remote code execution (RCE) without requiring authentication, making it a serious threat to affected systems.
• Mitigation: Apply patches immediately. For Ivanti Connect Secure, the patch is available now (version 22.7R2.5). Patches for Ivanti Policy Secure and ZTA Gateways will be available by January 21, 2025.

2.    CVE-2025-0283: Stack-Based Buffer Overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways

• Severity: High (CVSS 7.0)
• Impact: This vulnerability allows a local, authenticated attacker to escalate privileges, enabling unauthorized access to system functions.
• Affects: Ivanti Connect Secure (versions 22.7R2.4 and earlier), Ivanti Policy Secure (versions 22.7R1.2 and earlier), Ivanti Neurons for ZTA Gateways (versions 22.7R2.3 and earlier).
• Exploitability: Exploiting this flaw requires local authentication, but it can significantly compromise the security of a system by elevating an attacker's privileges.
• Mitigation: For Ivanti Connect Secure, the patch is available now (version 22.7R2.5).Patches for Ivanti Policy Secure and ZTA Gateways will be available by January 21, 2025.