CVE-2025-0282 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability

Exploit added

January 8, 2025

Action due

January 15, 2025

Action required

Apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.

Description

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.

References

Weakness Enumeration

CWE-ID	CWE Name
CWE-121	Stack-based Buffer Overflow
CWE-787	Out-of-bounds Write

Known Affected Software Configurations

cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r2::::::
cpe:2.3:a:ivanti:policy_secure:22.7:r1.1::::::
cpe:2.3:a:ivanti:policy_secure:22.7:r1.2::::::
cpe:2.3:a:ivanti:policy_secure:22.7:r1::::::
cpe:2.3:a:ivanti:connect_secure:22.7:r2.1::::::
cpe:2.3:a:ivanti:connect_secure:22.7:r2.2::::::
cpe:2.3:a:ivanti:connect_secure:22.7:r2.3::::::
cpe:2.3:a:ivanti:connect_secure:22.7:r2.4::::::
cpe:2.3:a:ivanti:connect_secure:22.7:r2::::::

Details

Source:
NVD

Published:
January 8, 2025

Updated:
January 14, 2025

Risk information

CVSS v3

Base score:
9

Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v2

Not defined