Summary
Ivanti has released security updates that address 2 vulnerabilities, one rated “critical” and one rated “high,” in the Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Neurons products.
Note: A Proof of Concept (PoC) for exploiting CVE-2025-0282 is available online.
Note: The vendor states that CVE-2025-0282 is being actively exploited in the wild.
Risk
Estimated impact of the vulnerability on the reference community: Critical (78.2)
Type
- Remote Code Execution
- Privilege Escalation
Affected products and/or versions
- Ivanti Connect Secure, version 22.7R2.4 and earlier
- Ivanti Connect Secure, version 9.1R18.9 and earlier
- Ivanti Policy Secure, version 22.7R1.2 and earlier
- Ivanti Neurons for Gateway ZTA, version 22.7R2.3 and earlier
Mitigation actions
In line with the vendor’s statements, it is recommended to update the vulnerable products following the instructions in the security bulletin listed in the References section.
In particular, before proceeding with the update, it is recommended to check whether any device affected by these vulnerabilities has been compromised, using the Integrity Checker Tool (ICT) referenced in the vendor’s bulletin.
For product versions for which the vendor has not yet released updates, we recommend following the mitigations described in the “Solution” section of the security bulletin and monitoring for the release of further updates.
References
1 This estimate takes several parameters into account, including CVSS, the availability of patches/workarounds and of a PoC, and how widely the affected software/devices are deployed in the reference community.