Vulnerability-Lookup

CVE-2025-0282 (GCVE-0-2025-0282)

Vulnerability from cvelistv5 – Published: 2025-01-08 22:15 – Updated: 2025-10-21 22:55

CISA KEV KEVintel KEV

Summary

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.

Severity

9 (Critical)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC

Exploitation: active Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-121 - Stack-based Buffer Overflow

Assigner

ivanti

References

7 references

URL	Tags
https://forums.ivanti.com/s/article/Security-Advi…
https://labs.watchtowr.com/exploitation-walkthrou…	third-party-advisory
https://www.cisa.gov/known-exploited-vulnerabilit…	government-resource
https://github.com/sfewer-r7/CVE-2025-0282	exploit
https://www.cisa.gov/known-exploited-vulnerabilit…	government-resource
https://www.cisa.gov/cisa-mitigation-instructions…
https://cloud.google.com/blog/topics/threat-intel…

Impacted products

3 products

Vendor	Product	Version
Ivanti	Connect Secure	Affected: 22.7R2 , ≤ 22.7R2.4 (custom) Unaffected: 22.7R2.5 (custom)
Ivanti	Policy Secure	Affected: 22.7R1 , ≤ 22.7R1.2 (custom)
Ivanti	Neurons for ZTA gateways	Affected: 22.7R2 , ≤ 22.7R2.3 (custom) Unaffected: 22.7R2.5 (custom)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: fb1548ba-92ce-4eda-8cc5-38d5c34f26ad

Vulnerability ID: CVE-2025-0282

Status: Confirmed

Status Updated: 2025-01-08 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2025-01-08

Asserted: 2025-01-08

Scope

Notes: KEV entry: Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability | Affected: Ivanti / Connect Secure, Policy Secure, and ZTA Gateways | Description: Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution. | Required action: Apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service. | Due date: 2025-01-15 | Known ransomware campaign use (KEV): Known | Notes (KEV): CISA Mitigation Instructions: https://www.cisa.gov/cisa-mitigation-instructions-CVE-2025-0282 Additional References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283 ; https://nvd.nist.gov/vuln/detail/CVE-2025-0282

Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details

Cwes	CWE-121
Feed	CISA Known Exploited Vulnerabilities Catalog
Product	Connect Secure, Policy Secure, and ZTA Gateways
Due Date	2025-01-15
Date Added	2025-01-08
Vendorproject	Ivanti
Vulnerabilityname	Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
Knownransomwarecampaignuse	Known

References

CVE-2025-0282

Created: 2026-02-02 12:26 UTC | Updated: 2026-02-06 07:17 UTC

KEVintel KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: 1568f5bc-4d05-4a4f-b7ad-969b599c7635

Vulnerability ID: CVE-2025-0282

Status: Confirmed

Status Updated: 2025-01-08 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2025-01-08

Asserted: 2025-01-08

Scope

Notes: KEVIntel entry: A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons... | Affected: Ivanti / Connect Secure, Policy Secure, Neurons for ZTA gateways | CVSS: 9.0 (CRITICAL) | Used in malware: yes | Not yet in CISA KEV: False

Evidence

Type: Public Report

Signal: Confirmed Compromise

Confidence: 70%

Source: kevintel

Details

Feed	KEVIntel (kevintel.com)
Title	A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons...
Vendor	Ivanti
Product	Connect Secure, Policy Secure, Neurons for ZTA gateways
Added Date	2025-01-08T00:00:00.000Z
Cvss Score	9.0
Epss Score	None
Cvss Severity	CRITICAL
Epss Percentile	None
Used In Malware	yes
Ahead Of Cisa Kev	None
Not Yet In Cisa Kev	False

References

Created: 2026-06-19 12:46 UTC | Updated: 2026-06-19 12:46 UTC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "dateAdded": "2025-01-08",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0282"
              },
              "type": "kev"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-0282",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-28T17:00:49.115686Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:33.039Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory"
            ],
            "url": "https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-2025-0282/"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-0282"
          },
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/sfewer-r7/CVE-2025-0282"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0282"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-01-08T00:00:00.000Z",
            "value": "CVE-2025-0282 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-01-09T21:45:22.375Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282"
          },
          {
            "url": "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Connect Secure",
          "vendor": "Ivanti",
          "versions": [
            {
              "lessThanOrEqual": "22.7R2.4",
              "status": "affected",
              "version": "22.7R2",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "22.7R2.5",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Policy Secure",
          "vendor": "Ivanti",
          "versions": [
            {
              "lessThanOrEqual": "22.7R1.2",
              "status": "affected",
              "version": "22.7R1",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Neurons for ZTA gateways",
          "vendor": "Ivanti",
          "versions": [
            {
              "lessThanOrEqual": "22.7R2.3",
              "status": "affected",
              "version": "22.7R2",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "22.7R2.5",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e"
            }
          ],
          "value": "A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121: Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-08T22:15:09.386Z",
        "orgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
        "shortName": "ivanti"
      },
      "references": [
        {
          "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
    "assignerShortName": "ivanti",
    "cveId": "CVE-2025-0282",
    "datePublished": "2025-01-08T22:15:09.386Z",
    "dateReserved": "2025-01-06T16:53:11.204Z",
    "dateUpdated": "2025-10-21T22:55:33.039Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2025-0282",
      "cwes": "[\"CWE-121\"]",
      "dateAdded": "2025-01-08",
      "dueDate": "2025-01-15",
      "knownRansomwareCampaignUse": "Known",
      "notes": "CISA Mitigation Instructions: https://www.cisa.gov/cisa-mitigation-instructions-CVE-2025-0282 Additional References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283 ; https://nvd.nist.gov/vuln/detail/CVE-2025-0282",
      "product": "Connect Secure, Policy Secure, and ZTA Gateways",
      "requiredAction": "Apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.",
      "shortDescription": "Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution.",
      "vendorProject": "Ivanti",
      "vulnerabilityName": "Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability"
    },
    "epss": {
      "cve": "CVE-2025-0282",
      "date": "2026-06-21",
      "epss": "0.99971",
      "percentile": "0.99978"
    },
    "fkie_nvd": {
      "cisaActionDue": "2025-01-15",
      "cisaExploitAdd": "2025-01-08",
      "cisaRequiredAction": "Apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.",
      "cisaVulnerabilityName": "Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.\"}, {\"lang\": \"es\", \"value\": \"Un desbordamiento de b\\u00fafer basado en pila en Ivanti Connect Secure anterior a la versi\\u00f3n 22.7R2.5, Ivanti Policy Secure anterior a la versi\\u00f3n 22.7R1.2 e Ivanti Neurons para puertas de enlace ZTA anteriores a la versi\\u00f3n 22.7R2.3 permite que un atacante remoto no autenticado logre la ejecuci\\u00f3n remota de c\\u00f3digo.\"}]",
      "id": "CVE-2025-0282",
      "lastModified": "2025-01-09T22:15:29.870",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"3c1d8aa1-5a33-4ea4-8992-aadd6440af75\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 9.0, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 6.0}]}",
      "published": "2025-01-08T23:15:09.763",
      "references": "[{\"url\": \"https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283\", \"source\": \"3c1d8aa1-5a33-4ea4-8992-aadd6440af75\"}, {\"url\": \"https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
      "vulnStatus": "Undergoing Analysis",
      "weaknesses": "[{\"source\": \"3c1d8aa1-5a33-4ea4-8992-aadd6440af75\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-121\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-0282\",\"sourceIdentifier\":\"3c1d8aa1-5a33-4ea4-8992-aadd6440af75\",\"published\":\"2025-01-08T23:15:09.763\",\"lastModified\":\"2025-10-24T13:54:58.783\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.\"},{\"lang\":\"es\",\"value\":\"Un desbordamiento de b\u00fafer basado en pila en Ivanti Connect Secure anterior a la versi\u00f3n 22.7R2.5, Ivanti Policy Secure anterior a la versi\u00f3n 22.7R1.2 e Ivanti Neurons para puertas de enlace ZTA anteriores a la versi\u00f3n 22.7R2.3 permite que un atacante remoto no autenticado logre la ejecuci\u00f3n remota de c\u00f3digo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"3c1d8aa1-5a33-4ea4-8992-aadd6440af75\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":6.0}]},\"cisaExploitAdd\":\"2025-01-08\",\"cisaActionDue\":\"2025-01-15\",\"cisaRequiredAction\":\"Apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.\",\"cisaVulnerabilityName\":\"Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability\",\"weaknesses\":[{\"source\":\"3c1d8aa1-5a33-4ea4-8992-aadd6440af75\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-121\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ivanti:connect_secure:22.7:r2:*:*:*:*:*:*\",\"matchCriteriaId\":\"247E71F8-A03B-4097-B7BF-09F8BF3ED4D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ivanti:connect_secure:22.7:r2.1:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0059C69-4A18-4153-9D9A-5C1B03AD1453\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ivanti:connect_secure:22.7:r2.2:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC523C88-115E-4CD9-A8CB-AE6E6610F7D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ivanti:connect_secure:22.7:r2.3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3447428E-DBCD-4553-B51D-AC08ECAFD881\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ivanti:connect_secure:22.7:r2.4:*:*:*:*:*:*\",\"matchCriteriaId\":\"A08BAF98-7F05-4596-8BFC-91F1A79D3BD1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r2:*:*:*:*:*:*\",\"matchCriteriaId\":\"67D43D1D-564D-4ACD-B0FF-3828B95E9864\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r2.2:*:*:*:*:*:*\",\"matchCriteriaId\":\"BC8480E0-17C0-4590-950F-D3954E735365\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r2.3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3FAF4FB0-A88C-4A87-B6CB-32EF7B415885\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ivanti:policy_secure:22.7:r1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD9BE8C2-43EB-4870-A4B7-267CB17A19F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ivanti:policy_secure:22.7:r1.1:*:*:*:*:*:*\",\"matchCriteriaId\":\"C8915BB2-C1C0-4189-A847-DDB2EF161D62\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*:*:*\",\"matchCriteriaId\":\"8D24A8DB-D697-4C60-935D-B08EE36861CB\"}]}]}],\"references\":[{\"url\":\"https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283\",\"source\":\"3c1d8aa1-5a33-4ea4-8992-aadd6440af75\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Technical Description\"]},{\"url\":\"https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://github.com/sfewer-r7/CVE-2025-0282\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\"]},{\"url\":\"https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-2025-0282/\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0282\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-0282\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282\"}, {\"url\": \"https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day\"}], \"x_generator\": {\"engine\": \"ADPogram 0.0.1\"}, \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-01-09T21:45:22.375Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2025-01-08\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0282\"}}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-0282\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-28T17:00:49.115686Z\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-01-08T00:00:00.000Z\", \"value\": \"CVE-2025-0282 added to CISA KEV\"}], \"references\": [{\"url\": \"https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-2025-0282/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-0282\", \"tags\": [\"government-resource\"]}, {\"url\": \"https://github.com/sfewer-r7/CVE-2025-0282\", \"tags\": [\"exploit\"]}, {\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0282\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-09T14:19:39.641Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-100\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-100 Overflow Buffers\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Ivanti\", \"product\": \"Connect Secure\", \"versions\": [{\"status\": \"affected\", \"version\": \"22.7R2\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"22.7R2.4\"}, {\"status\": \"unaffected\", \"version\": \"22.7R2.5\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Ivanti\", \"product\": \"Policy Secure\", \"versions\": [{\"status\": \"affected\", \"version\": \"22.7R1\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"22.7R1.2\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Ivanti\", \"product\": \"Neurons for ZTA gateways\", \"versions\": [{\"status\": \"affected\", \"version\": \"22.7R2\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"22.7R2.3\"}, {\"status\": \"unaffected\", \"version\": \"22.7R2.5\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eA stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-121\", \"description\": \"CWE-121: Stack-based Buffer Overflow\"}]}], \"providerMetadata\": {\"orgId\": \"3c1d8aa1-5a33-4ea4-8992-aadd6440af75\", \"shortName\": \"ivanti\", \"dateUpdated\": \"2025-01-08T22:15:09.386Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-0282\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T22:55:33.039Z\", \"dateReserved\": \"2025-01-06T16:53:11.204Z\", \"assignerOrgId\": \"3c1d8aa1-5a33-4ea4-8992-aadd6440af75\", \"datePublished\": \"2025-01-08T22:15:09.386Z\", \"assignerShortName\": \"ivanti\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2025-ALE-001

Vulnerability from certfr_alerte - Published: 2025-01-09 - Updated: 2025-05-07

Une vulnérabilité jour-zéro de type débordement de pile a été découverte dans Ivanti Connect Secure (ICS), Policy Secure (IPS), Neurons for Zero Trust Access (ZTA) gateways. Cette vulnérabilité, d'identifiant CVE-2025-0282, permet à un attaquant non authentifié de provoquer une exécution de code arbitraire à distance.

Ivanti indique que cette vulnérabilité est activement exploitée.

Solutions

[Mise à jour du 01 avril 2025]

La CISA [5] fournit des indicateurs de compromission ainsi qu'une règle de détection YARA, servant à déterminer si un équipement est compromis par le maliciel RESURGE.
Note : Ces éléments n'ont pas été qualifiés par le CERT-FR.

[Mise à jour du 14 janvier 2025]

L'éditeur a indiqué avoir publié une nouvelle version externe de l'outil Integrity Check Tool, ICT-V22725 (build 3819), compatible avec les versions 22.x R2.

[Publication initiale]

Les étapes suivantes doivent être suivies indépendamment d'une mise à jour précédemment réalisée vers une version corrective. Dans son billet de blogue [3], Mandiant précise avoir observé une compromission du processus de mise à jour de l'équipement.

En cas d'utilisation d'une appliance virtuelle, réaliser un instantané ;
Exécuter les versions internes et externes du script Integrity Check Tool (ICT) publié par Ivanti :
- l'éditeur indique que la dernière version (ICT-V22725) du script externe ICT est uniquement compatible avec les versions 22.7R2.5 et ultérieures. Il est donc nécessaire d'utiliser une version antérieure de l'outil ;
- il est nécessaire d'exécuter la version externe d'ICT même en cas de résultat négatif de l'outil interne ;
- dans son billet de blogue [3], Mandiant précise qu'il est nécessaire de vérifier que l'ensemble des étapes de l'outil sont réalisées (dix étapes) et de ne pas se fier uniquement au résultat final présenté.
Effectuer une recherche de compromission au niveau de l'équipement :
- effectuer une recherche sur les indicateurs de compromissions présentés par Mandiant [3] ;
  Note : Ces indicateurs n'ont pas été qualifiés par le CERT-FR.
- rechercher toutes traces de latéralisation sur le reste du système d’information, notamment :
  - en cherchant les connexions ou tentatives de connexion vers Internet depuis l'équipement ;
  - puis en cherchant ces adresses IP de destination pour vérifier si d’autres machines ont tenté une connexion.
Si aucune mise à jour correctrice n'est disponible, l'équipement est à risque de compromission; contactez le service d'assistance Ivanti et, dans la mesure du possible, déconnectez l'équipement d'Internet.
En cas d'absence de compromission :
- procéder à une montée de version du micrologiciel (firmware) si le correctif est disponible ;
- surveiller l'activité des comptes et des services liés à l'équipement, notamment le compte de service LDAP, si celui a été configuré.
En cas de compromission détectée :
- signaler l’événement auprès du CERT-FR en mettant en copie vos éventuels CSIRTs métier et consulter les bons réflexes en cas d'intrusion sur votre système d'information [4] ;
- isoler l'équipement du réseau et sauvegarder les journaux liés à l'équipement ;
- effectuer une remise à la configuration de sortie d'usine (Factory Reset) [1] ET procéder à une montée de version du micrologiciel (firmware) si le correctif est disponible ;
  - si aucune mise à jour correctrice n'est disponible, contactez le service d'assistance Ivanti et, dans la mesure du possible, déconnectez l'équipement d'Internet.
- suivre les étapes listées dans le bulletin technique d'Ivanti [2] et en particulier :
  - révoquer et réémettre tous les certificats présents sur les équipements affectés :
    - certificats utilisés pour les machines et/ou pour l’authentification utilisateur (coté client et serveur) ;
    - certificats de signature de code et les certificats TLS pour l’interface exposée.
  - réinitialiser le mot de passe d'administration ;
  - réinitialiser les clés d’API stockées sur l’équipement ;
  - réinitialiser les mots de passe de tout compte local défini sur la passerelle, y compris les comptes de service utilisés dans la configuration liée aux serveurs d’authentification ;
    - révoquer l'ensemble des moyens d'authentification (tickets Kerberos...) des comptes de services utilisés.
  - réinitialiser les authentifications des serveurs de licence.

L'éditeur indique que les correctifs pour Policy Secure et Neurons for ZTA gateways seront disponibles le 21 janvier.

Impacted products

Vendor	Product	Description
Ivanti	Neurons for Zero Trust Access (ZTA) gateways	Neurons for ZTA gateways versions 22.7R2.x antérieures à 22.7R2.5.
Ivanti	Policy Secure (IPS)	Policy Secure (IPS) toutes versions 22.7R1.x
Ivanti	Connect Secure (ICS)	Connect Secure (ICS) versions 22.7R2.x antérieures à 22.7R2.5

References

Title

Publication Time

Tags

Bulletin de sécurité Ivanti Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283	2025-01-08	vendor-advisory
Bulletin de sécurité Ivanti security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways	2025-01-08	vendor-advisory
[3] Billet de blogue Mandiant du 08 janvier 2025	-	other
[1] Bulletin technique Ivanti relatif à la réinitialisation de l'équipement	-	other
Avis CERTFR-2025-AVI-0014 du 09 janvier 2025	-	other
[2] Bulletin technique Ivanti relatif à la remédiation d'un équipement compromis	-	other
[5] La CISA publie un rapport d'analyse sur le logiciel malveillant RESURGE associé à Ivanti Connect Secure	-	other
[4] Les bons réflexes en cas d’intrusion sur un système d’information	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Neurons for ZTA gateways versions 22.7R2.x ant\u00e9rieures \u00e0 22.7R2.5.",
      "product": {
        "name": "Neurons for Zero Trust Access (ZTA) gateways",
        "vendor": {
          "name": "Ivanti",
          "scada": false
        }
      }
    },
    {
      "description": "Policy Secure (IPS) toutes versions 22.7R1.x",
      "product": {
        "name": "Policy Secure (IPS)",
        "vendor": {
          "name": "Ivanti",
          "scada": false
        }
      }
    },
    {
      "description": "Connect Secure (ICS) versions 22.7R2.x ant\u00e9rieures \u00e0 22.7R2.5",
      "product": {
        "name": "Connect Secure (ICS)",
        "vendor": {
          "name": "Ivanti",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "L\u0027\u00e9diteur indique que les correctifs pour Policy Secure et Neurons for ZTA gateways seront disponibles le 21 janvier.",
  "closed_at": "2025-05-07",
  "content": "## Solutions\n\n\u003cspan class=\"important-content\"\u003e**\\[Mise \u00e0 jour du 01 avril 2025\\]** \u003c/span\u003e\n\nLa CISA [5] fournit des indicateurs de compromission ainsi qu\u0027une r\u00e8gle de d\u00e9tection *YARA*, servant \u00e0 d\u00e9terminer si un \u00e9quipement est compromis par le maliciel *RESURGE*.\u003cbr /\u003e\n\u003cem\u003eNote : Ces \u00e9l\u00e9ments n\u0027ont pas \u00e9t\u00e9 qualifi\u00e9s par le CERT-FR.\u003c/em\u003e\n\n**\\[Mise \u00e0 jour du 14 janvier 2025\\]**\n\nL\u0027\u00e9diteur a indiqu\u00e9 avoir publi\u00e9 une nouvelle version externe de l\u0027outil Integrity Check Tool, ICT-V22725 (build 3819), compatible avec les versions 22.x R2. \n\n**[Publication initiale]**\n\nLes \u00e9tapes suivantes doivent \u00eatre suivies ind\u00e9pendamment d\u0027une mise \u00e0 jour pr\u00e9c\u00e9demment r\u00e9alis\u00e9e vers une version corrective. Dans son billet de blogue [3], Mandiant pr\u00e9cise avoir observ\u00e9 une compromission du processus de mise \u00e0 jour de l\u0027\u00e9quipement.\n\n* En cas d\u0027utilisation d\u0027une appliance virtuelle, r\u00e9aliser un instantan\u00e9 ;\n* Ex\u00e9cuter les versions internes et externes du script Integrity Check Tool (ICT) publi\u00e9 par Ivanti : \n    * l\u0027\u00e9diteur indique que la derni\u00e8re version (ICT-V22725) du script externe ICT est uniquement compatible avec les versions 22.7R2.5 et ult\u00e9rieures. Il est donc n\u00e9cessaire d\u0027utiliser une version ant\u00e9rieure de l\u0027outil ;\n    * il est n\u00e9cessaire d\u0027ex\u00e9cuter la version externe d\u0027ICT m\u00eame en cas de r\u00e9sultat n\u00e9gatif de l\u0027outil interne ;\n    * dans son billet de blogue [3], Mandiant pr\u00e9cise qu\u0027il est n\u00e9cessaire de v\u00e9rifier que l\u0027ensemble des \u00e9tapes de l\u0027outil sont r\u00e9alis\u00e9es (dix \u00e9tapes) et de ne pas se fier uniquement au r\u00e9sultat final pr\u00e9sent\u00e9.\n* Effectuer une recherche de compromission au niveau de l\u0027\u00e9quipement :\n    * effectuer une recherche sur les indicateurs de compromissions pr\u00e9sent\u00e9s par Mandiant [3] ; \u003cbr\u003e*Note : Ces indicateurs n\u0027ont pas \u00e9t\u00e9 qualifi\u00e9s par le CERT-FR.*\n    * rechercher toutes traces de lat\u00e9ralisation sur le reste du syst\u00e8me d\u2019information, notamment :\n        * en cherchant les connexions ou tentatives de connexion vers Internet depuis l\u0027\u00e9quipement ;\n        * puis en cherchant ces adresses IP de destination pour v\u00e9rifier si d\u2019autres machines ont tent\u00e9 une connexion.\n\n* Si aucune mise \u00e0 jour correctrice n\u0027est disponible, l\u0027\u00e9quipement est \u00e0 risque de compromission; contactez le service d\u0027assistance Ivanti et, dans la mesure du possible, d\u00e9connectez l\u0027\u00e9quipement d\u0027Internet.\n\n* En cas d\u0027absence de compromission :\n    * proc\u00e9der \u00e0 une mont\u00e9e de version du micrologiciel (*firmware*) si le correctif est disponible ;\n    * surveiller l\u0027activit\u00e9 des comptes et des services li\u00e9s \u00e0 l\u0027\u00e9quipement, notamment le compte de service LDAP, si celui a \u00e9t\u00e9 configur\u00e9.\n\n* En cas de compromission d\u00e9tect\u00e9e :\n    * signaler l\u2019\u00e9v\u00e9nement aupr\u00e8s du CERT-FR en mettant en copie vos \u00e9ventuels CSIRTs m\u00e9tier et consulter les bons r\u00e9flexes en cas d\u0027intrusion sur votre syst\u00e8me d\u0027information [4] ;\n    * isoler l\u0027\u00e9quipement du r\u00e9seau et sauvegarder les journaux li\u00e9s \u00e0 l\u0027\u00e9quipement ;\n    * effectuer une remise \u00e0 la configuration de sortie d\u0027usine (*Factory Reset*) [1] ET proc\u00e9der \u00e0 une mont\u00e9e de version du micrologiciel (*firmware*) si le correctif est disponible ;\n        * si aucune mise \u00e0 jour correctrice n\u0027est disponible, contactez le service d\u0027assistance Ivanti et, dans la mesure du possible, d\u00e9connectez l\u0027\u00e9quipement d\u0027Internet.\n    * suivre les \u00e9tapes list\u00e9es dans le bulletin technique d\u0027Ivanti [2] et en particulier :\n        * r\u00e9voquer et r\u00e9\u00e9mettre tous les certificats pr\u00e9sents sur les \u00e9quipements affect\u00e9s :\n            * certificats utilis\u00e9s pour les machines et/ou pour l\u2019authentification utilisateur (cot\u00e9 client et serveur) ;\n            * certificats de signature de code et les certificats TLS pour l\u2019interface expos\u00e9e.\n        * r\u00e9initialiser le mot de passe d\u0027administration ;\n        * r\u00e9initialiser les cl\u00e9s d\u2019API stock\u00e9es sur l\u2019\u00e9quipement ;\n        * r\u00e9initialiser les mots de passe de tout compte local d\u00e9fini sur la passerelle, y compris les comptes de service utilis\u00e9s dans la configuration li\u00e9e aux serveurs d\u2019authentification ;\n            * r\u00e9voquer l\u0027ensemble des moyens d\u0027authentification (tickets Kerberos...) des comptes de services utilis\u00e9s.\n        * r\u00e9initialiser les authentifications des serveurs de licence.\n",
  "cves": [
    {
      "name": "CVE-2025-0282",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0282"
    }
  ],
  "initial_release_date": "2025-01-09T00:00:00",
  "last_revision_date": "2025-05-07T00:00:00",
  "links": [
    {
      "title": "[3] Billet de blogue Mandiant du 08 janvier 2025",
      "url": "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day"
    },
    {
      "title": "[1] Bulletin technique Ivanti relatif \u00e0 la r\u00e9initialisation de l\u0027\u00e9quipement",
      "url": "https://forums.ivanti.com/s/article/KB22964?language=en_US"
    },
    {
      "title": "Avis CERTFR-2025-AVI-0014 du 09 janvier 2025",
      "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-0014/"
    },
    {
      "title": "[2] Bulletin technique Ivanti relatif \u00e0 la rem\u00e9diation d\u0027un \u00e9quipement compromis",
      "url": "https://forums.ivanti.com/s/article/Recovery-Steps?language=en_US"
    },
    {
      "title": "[5] La CISA publie un rapport d\u0027analyse sur le logiciel malveillant RESURGE associ\u00e9 \u00e0 Ivanti Connect Secure ",
      "url": "https://www.cisa.gov/news-events/alerts/2025/03/28/cisa-releases-malware-analysis-report-resurge-malware-associated-ivanti-connect-secure"
    },
    {
      "title": "[4] Les bons r\u00e9flexes en cas d\u2019intrusion sur un syst\u00e8me d\u2019information",
      "url": "https://www.cert.ssi.gouv.fr/les-bons-reflexes-en-cas-dintrusion-sur-un-systeme-dinformation/"
    }
  ],
  "reference": "CERTFR-2025-ALE-001",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-01-09T00:00:00.000000"
    },
    {
      "description": "     Cl\u00f4ture de l\u0027alerte. Cela ne signifie pas la fin d\u0027une menace. Seule l\u0027application de la mise \u00e0 jour permet de vous pr\u00e9munir contre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 correspondante.",
      "revision_date": "2025-05-07T00:00:00.000000"
    },
    {
      "description": "Ajout de pr\u00e9cisions concernant l\u0027outil Integrity Check Tool",
      "revision_date": "2025-01-14T00:00:00.000000"
    },
    {
      "description": "Ajout d\u0027une r\u00e9f\u00e9rence d\u0027un rapport d\u0027analyse de la CISA",
      "revision_date": "2025-04-01T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 jour-z\u00e9ro de type d\u00e9bordement de pile a \u00e9t\u00e9 d\u00e9couverte dans Ivanti Connect Secure (ICS), Policy Secure (IPS), Neurons for Zero Trust Access (ZTA) gateways. Cette vuln\u00e9rabilit\u00e9, d\u0027identifiant CVE-2025-0282, permet \u00e0 un attaquant non authentifi\u00e9 de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n\nIvanti indique que cette vuln\u00e9rabilit\u00e9 est activement exploit\u00e9e. ",
  "title": "[M\u00e0J] Vuln\u00e9rabilit\u00e9 dans les produits Ivanti",
  "vendor_advisories": [
    {
      "published_at": "2025-01-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Ivanti Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283",
      "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283"
    },
    {
      "published_at": "2025-01-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Ivanti security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways",
      "url": "https://www.ivanti.com/blog/security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways"
    }
  ]
}

CERTFR-2025-ALE-001

Vulnerability from certfr_alerte - Published: 2025-01-09 - Updated: 2025-05-07

Ivanti indique que cette vulnérabilité est activement exploitée.

Solutions

[Mise à jour du 01 avril 2025]

[Mise à jour du 14 janvier 2025]

L'éditeur a indiqué avoir publié une nouvelle version externe de l'outil Integrity Check Tool, ICT-V22725 (build 3819), compatible avec les versions 22.x R2.

[Publication initiale]

En cas d'utilisation d'une appliance virtuelle, réaliser un instantané ;
Exécuter les versions internes et externes du script Integrity Check Tool (ICT) publié par Ivanti :
- l'éditeur indique que la dernière version (ICT-V22725) du script externe ICT est uniquement compatible avec les versions 22.7R2.5 et ultérieures. Il est donc nécessaire d'utiliser une version antérieure de l'outil ;
- il est nécessaire d'exécuter la version externe d'ICT même en cas de résultat négatif de l'outil interne ;
- dans son billet de blogue [3], Mandiant précise qu'il est nécessaire de vérifier que l'ensemble des étapes de l'outil sont réalisées (dix étapes) et de ne pas se fier uniquement au résultat final présenté.
Effectuer une recherche de compromission au niveau de l'équipement :
- effectuer une recherche sur les indicateurs de compromissions présentés par Mandiant [3] ;
  Note : Ces indicateurs n'ont pas été qualifiés par le CERT-FR.
- rechercher toutes traces de latéralisation sur le reste du système d’information, notamment :
  - en cherchant les connexions ou tentatives de connexion vers Internet depuis l'équipement ;
  - puis en cherchant ces adresses IP de destination pour vérifier si d’autres machines ont tenté une connexion.
Si aucune mise à jour correctrice n'est disponible, l'équipement est à risque de compromission; contactez le service d'assistance Ivanti et, dans la mesure du possible, déconnectez l'équipement d'Internet.
En cas d'absence de compromission :
- procéder à une montée de version du micrologiciel (firmware) si le correctif est disponible ;
- surveiller l'activité des comptes et des services liés à l'équipement, notamment le compte de service LDAP, si celui a été configuré.
En cas de compromission détectée :
- signaler l’événement auprès du CERT-FR en mettant en copie vos éventuels CSIRTs métier et consulter les bons réflexes en cas d'intrusion sur votre système d'information [4] ;
- isoler l'équipement du réseau et sauvegarder les journaux liés à l'équipement ;
- effectuer une remise à la configuration de sortie d'usine (Factory Reset) [1] ET procéder à une montée de version du micrologiciel (firmware) si le correctif est disponible ;
  - si aucune mise à jour correctrice n'est disponible, contactez le service d'assistance Ivanti et, dans la mesure du possible, déconnectez l'équipement d'Internet.
- suivre les étapes listées dans le bulletin technique d'Ivanti [2] et en particulier :
  - révoquer et réémettre tous les certificats présents sur les équipements affectés :
    - certificats utilisés pour les machines et/ou pour l’authentification utilisateur (coté client et serveur) ;
    - certificats de signature de code et les certificats TLS pour l’interface exposée.
  - réinitialiser le mot de passe d'administration ;
  - réinitialiser les clés d’API stockées sur l’équipement ;
  - réinitialiser les mots de passe de tout compte local défini sur la passerelle, y compris les comptes de service utilisés dans la configuration liée aux serveurs d’authentification ;
    - révoquer l'ensemble des moyens d'authentification (tickets Kerberos...) des comptes de services utilisés.
  - réinitialiser les authentifications des serveurs de licence.

L'éditeur indique que les correctifs pour Policy Secure et Neurons for ZTA gateways seront disponibles le 21 janvier.

Impacted products

Vendor	Product	Description
Ivanti	Neurons for Zero Trust Access (ZTA) gateways	Neurons for ZTA gateways versions 22.7R2.x antérieures à 22.7R2.5.
Ivanti	Policy Secure (IPS)	Policy Secure (IPS) toutes versions 22.7R1.x
Ivanti	Connect Secure (ICS)	Connect Secure (ICS) versions 22.7R2.x antérieures à 22.7R2.5

References

Title

Publication Time

Tags

Bulletin de sécurité Ivanti Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283	2025-01-08	vendor-advisory
Bulletin de sécurité Ivanti security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways	2025-01-08	vendor-advisory
[3] Billet de blogue Mandiant du 08 janvier 2025	-	other
[1] Bulletin technique Ivanti relatif à la réinitialisation de l'équipement	-	other
Avis CERTFR-2025-AVI-0014 du 09 janvier 2025	-	other
[2] Bulletin technique Ivanti relatif à la remédiation d'un équipement compromis	-	other
[5] La CISA publie un rapport d'analyse sur le logiciel malveillant RESURGE associé à Ivanti Connect Secure	-	other
[4] Les bons réflexes en cas d’intrusion sur un système d’information	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Neurons for ZTA gateways versions 22.7R2.x ant\u00e9rieures \u00e0 22.7R2.5.",
      "product": {
        "name": "Neurons for Zero Trust Access (ZTA) gateways",
        "vendor": {
          "name": "Ivanti",
          "scada": false
        }
      }
    },
    {
      "description": "Policy Secure (IPS) toutes versions 22.7R1.x",
      "product": {
        "name": "Policy Secure (IPS)",
        "vendor": {
          "name": "Ivanti",
          "scada": false
        }
      }
    },
    {
      "description": "Connect Secure (ICS) versions 22.7R2.x ant\u00e9rieures \u00e0 22.7R2.5",
      "product": {
        "name": "Connect Secure (ICS)",
        "vendor": {
          "name": "Ivanti",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "L\u0027\u00e9diteur indique que les correctifs pour Policy Secure et Neurons for ZTA gateways seront disponibles le 21 janvier.",
  "closed_at": "2025-05-07",
  "content": "## Solutions\n\n\u003cspan class=\"important-content\"\u003e**\\[Mise \u00e0 jour du 01 avril 2025\\]** \u003c/span\u003e\n\nLa CISA [5] fournit des indicateurs de compromission ainsi qu\u0027une r\u00e8gle de d\u00e9tection *YARA*, servant \u00e0 d\u00e9terminer si un \u00e9quipement est compromis par le maliciel *RESURGE*.\u003cbr /\u003e\n\u003cem\u003eNote : Ces \u00e9l\u00e9ments n\u0027ont pas \u00e9t\u00e9 qualifi\u00e9s par le CERT-FR.\u003c/em\u003e\n\n**\\[Mise \u00e0 jour du 14 janvier 2025\\]**\n\nL\u0027\u00e9diteur a indiqu\u00e9 avoir publi\u00e9 une nouvelle version externe de l\u0027outil Integrity Check Tool, ICT-V22725 (build 3819), compatible avec les versions 22.x R2. \n\n**[Publication initiale]**\n\nLes \u00e9tapes suivantes doivent \u00eatre suivies ind\u00e9pendamment d\u0027une mise \u00e0 jour pr\u00e9c\u00e9demment r\u00e9alis\u00e9e vers une version corrective. Dans son billet de blogue [3], Mandiant pr\u00e9cise avoir observ\u00e9 une compromission du processus de mise \u00e0 jour de l\u0027\u00e9quipement.\n\n* En cas d\u0027utilisation d\u0027une appliance virtuelle, r\u00e9aliser un instantan\u00e9 ;\n* Ex\u00e9cuter les versions internes et externes du script Integrity Check Tool (ICT) publi\u00e9 par Ivanti : \n    * l\u0027\u00e9diteur indique que la derni\u00e8re version (ICT-V22725) du script externe ICT est uniquement compatible avec les versions 22.7R2.5 et ult\u00e9rieures. Il est donc n\u00e9cessaire d\u0027utiliser une version ant\u00e9rieure de l\u0027outil ;\n    * il est n\u00e9cessaire d\u0027ex\u00e9cuter la version externe d\u0027ICT m\u00eame en cas de r\u00e9sultat n\u00e9gatif de l\u0027outil interne ;\n    * dans son billet de blogue [3], Mandiant pr\u00e9cise qu\u0027il est n\u00e9cessaire de v\u00e9rifier que l\u0027ensemble des \u00e9tapes de l\u0027outil sont r\u00e9alis\u00e9es (dix \u00e9tapes) et de ne pas se fier uniquement au r\u00e9sultat final pr\u00e9sent\u00e9.\n* Effectuer une recherche de compromission au niveau de l\u0027\u00e9quipement :\n    * effectuer une recherche sur les indicateurs de compromissions pr\u00e9sent\u00e9s par Mandiant [3] ; \u003cbr\u003e*Note : Ces indicateurs n\u0027ont pas \u00e9t\u00e9 qualifi\u00e9s par le CERT-FR.*\n    * rechercher toutes traces de lat\u00e9ralisation sur le reste du syst\u00e8me d\u2019information, notamment :\n        * en cherchant les connexions ou tentatives de connexion vers Internet depuis l\u0027\u00e9quipement ;\n        * puis en cherchant ces adresses IP de destination pour v\u00e9rifier si d\u2019autres machines ont tent\u00e9 une connexion.\n\n* Si aucune mise \u00e0 jour correctrice n\u0027est disponible, l\u0027\u00e9quipement est \u00e0 risque de compromission; contactez le service d\u0027assistance Ivanti et, dans la mesure du possible, d\u00e9connectez l\u0027\u00e9quipement d\u0027Internet.\n\n* En cas d\u0027absence de compromission :\n    * proc\u00e9der \u00e0 une mont\u00e9e de version du micrologiciel (*firmware*) si le correctif est disponible ;\n    * surveiller l\u0027activit\u00e9 des comptes et des services li\u00e9s \u00e0 l\u0027\u00e9quipement, notamment le compte de service LDAP, si celui a \u00e9t\u00e9 configur\u00e9.\n\n* En cas de compromission d\u00e9tect\u00e9e :\n    * signaler l\u2019\u00e9v\u00e9nement aupr\u00e8s du CERT-FR en mettant en copie vos \u00e9ventuels CSIRTs m\u00e9tier et consulter les bons r\u00e9flexes en cas d\u0027intrusion sur votre syst\u00e8me d\u0027information [4] ;\n    * isoler l\u0027\u00e9quipement du r\u00e9seau et sauvegarder les journaux li\u00e9s \u00e0 l\u0027\u00e9quipement ;\n    * effectuer une remise \u00e0 la configuration de sortie d\u0027usine (*Factory Reset*) [1] ET proc\u00e9der \u00e0 une mont\u00e9e de version du micrologiciel (*firmware*) si le correctif est disponible ;\n        * si aucune mise \u00e0 jour correctrice n\u0027est disponible, contactez le service d\u0027assistance Ivanti et, dans la mesure du possible, d\u00e9connectez l\u0027\u00e9quipement d\u0027Internet.\n    * suivre les \u00e9tapes list\u00e9es dans le bulletin technique d\u0027Ivanti [2] et en particulier :\n        * r\u00e9voquer et r\u00e9\u00e9mettre tous les certificats pr\u00e9sents sur les \u00e9quipements affect\u00e9s :\n            * certificats utilis\u00e9s pour les machines et/ou pour l\u2019authentification utilisateur (cot\u00e9 client et serveur) ;\n            * certificats de signature de code et les certificats TLS pour l\u2019interface expos\u00e9e.\n        * r\u00e9initialiser le mot de passe d\u0027administration ;\n        * r\u00e9initialiser les cl\u00e9s d\u2019API stock\u00e9es sur l\u2019\u00e9quipement ;\n        * r\u00e9initialiser les mots de passe de tout compte local d\u00e9fini sur la passerelle, y compris les comptes de service utilis\u00e9s dans la configuration li\u00e9e aux serveurs d\u2019authentification ;\n            * r\u00e9voquer l\u0027ensemble des moyens d\u0027authentification (tickets Kerberos...) des comptes de services utilis\u00e9s.\n        * r\u00e9initialiser les authentifications des serveurs de licence.\n",
  "cves": [
    {
      "name": "CVE-2025-0282",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0282"
    }
  ],
  "initial_release_date": "2025-01-09T00:00:00",
  "last_revision_date": "2025-05-07T00:00:00",
  "links": [
    {
      "title": "[3] Billet de blogue Mandiant du 08 janvier 2025",
      "url": "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day"
    },
    {
      "title": "[1] Bulletin technique Ivanti relatif \u00e0 la r\u00e9initialisation de l\u0027\u00e9quipement",
      "url": "https://forums.ivanti.com/s/article/KB22964?language=en_US"
    },
    {
      "title": "Avis CERTFR-2025-AVI-0014 du 09 janvier 2025",
      "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-0014/"
    },
    {
      "title": "[2] Bulletin technique Ivanti relatif \u00e0 la rem\u00e9diation d\u0027un \u00e9quipement compromis",
      "url": "https://forums.ivanti.com/s/article/Recovery-Steps?language=en_US"
    },
    {
      "title": "[5] La CISA publie un rapport d\u0027analyse sur le logiciel malveillant RESURGE associ\u00e9 \u00e0 Ivanti Connect Secure ",
      "url": "https://www.cisa.gov/news-events/alerts/2025/03/28/cisa-releases-malware-analysis-report-resurge-malware-associated-ivanti-connect-secure"
    },
    {
      "title": "[4] Les bons r\u00e9flexes en cas d\u2019intrusion sur un syst\u00e8me d\u2019information",
      "url": "https://www.cert.ssi.gouv.fr/les-bons-reflexes-en-cas-dintrusion-sur-un-systeme-dinformation/"
    }
  ],
  "reference": "CERTFR-2025-ALE-001",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-01-09T00:00:00.000000"
    },
    {
      "description": "     Cl\u00f4ture de l\u0027alerte. Cela ne signifie pas la fin d\u0027une menace. Seule l\u0027application de la mise \u00e0 jour permet de vous pr\u00e9munir contre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 correspondante.",
      "revision_date": "2025-05-07T00:00:00.000000"
    },
    {
      "description": "Ajout de pr\u00e9cisions concernant l\u0027outil Integrity Check Tool",
      "revision_date": "2025-01-14T00:00:00.000000"
    },
    {
      "description": "Ajout d\u0027une r\u00e9f\u00e9rence d\u0027un rapport d\u0027analyse de la CISA",
      "revision_date": "2025-04-01T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 jour-z\u00e9ro de type d\u00e9bordement de pile a \u00e9t\u00e9 d\u00e9couverte dans Ivanti Connect Secure (ICS), Policy Secure (IPS), Neurons for Zero Trust Access (ZTA) gateways. Cette vuln\u00e9rabilit\u00e9, d\u0027identifiant CVE-2025-0282, permet \u00e0 un attaquant non authentifi\u00e9 de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n\nIvanti indique que cette vuln\u00e9rabilit\u00e9 est activement exploit\u00e9e. ",
  "title": "[M\u00e0J] Vuln\u00e9rabilit\u00e9 dans les produits Ivanti",
  "vendor_advisories": [
    {
      "published_at": "2025-01-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Ivanti Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283",
      "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283"
    },
    {
      "published_at": "2025-01-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Ivanti security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways",
      "url": "https://www.ivanti.com/blog/security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways"
    }
  ]
}

CERTFR-2025-AVI-0014

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Ivanti. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et une élévation de privilèges.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

L'éditeur indique que les correctifs pour Policy Secure et Neurons for ZTA gateways seront disponibles le 21 janvier. Les versions 9.x de Connect Secure ne bénéficieront pas de correctifs de sécurité pour la CVE-2025-0283 (la vulnérabilité CVE-2025-0282 n'affecte pas cette branche).

Veuillez vous référer à l'alerte CERTFR-2025-ALE-001 pour la procédure de mise à jour de ces équipements.

Impacted products

Vendor	Product	Description
Ivanti	Connect Secure (ICS)	Connect Secure (ICS) versions antérieures à 22.7R2.5
Ivanti	Neurons for Zero Trust Access (ZTA) gateways	Neurons for ZTA gateways versions antérieures à 22.7R2.5.
Ivanti	Policy Secure (IPS)	Policy Secure (IPS) toutes versions.

References

Title

Publication Time

Tags

Bulletin de sécurité Ivanti Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283	2025-01-08	vendor-advisory
Bulletin de sécurité Ivanti security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways	2025-01-08	vendor-advisory
Alerte CERTFR-2025-ALE-001 du 09 janvier 2025	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Connect Secure (ICS) versions ant\u00e9rieures \u00e0 22.7R2.5 ",
      "product": {
        "name": "Connect Secure (ICS)",
        "vendor": {
          "name": "Ivanti",
          "scada": false
        }
      }
    },
    {
      "description": "Neurons for ZTA gateways versions ant\u00e9rieures \u00e0 22.7R2.5.",
      "product": {
        "name": "Neurons for Zero Trust Access (ZTA) gateways",
        "vendor": {
          "name": "Ivanti",
          "scada": false
        }
      }
    },
    {
      "description": "Policy Secure (IPS) toutes versions.",
      "product": {
        "name": "Policy Secure (IPS)",
        "vendor": {
          "name": "Ivanti",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "L\u0027\u00e9diteur indique que les correctifs pour Policy Secure et Neurons for ZTA gateways seront disponibles le 21 janvier. Les versions 9.x de Connect Secure ne b\u00e9n\u00e9ficieront pas de correctifs de s\u00e9curit\u00e9 pour la CVE-2025-0283 (la vuln\u00e9rabilit\u00e9 CVE-2025-0282 n\u0027affecte pas cette branche).\n\nVeuillez vous r\u00e9f\u00e9rer \u00e0 l\u0027alerte CERTFR-2025-ALE-001 pour la proc\u00e9dure de mise \u00e0 jour de ces \u00e9quipements.\n",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-0282",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0282"
    },
    {
      "name": "CVE-2025-0283",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0283"
    }
  ],
  "links": [
    {
      "title": "Alerte CERTFR-2025-ALE-001 du 09 janvier 2025",
      "url": "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2025-ALE-001/"
    }
  ],
  "reference": "CERTFR-2025-AVI-0014",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-01-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Ivanti. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance et une \u00e9l\u00e9vation de privil\u00e8ges.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Ivanti",
  "vendor_advisories": [
    {
      "published_at": "2025-01-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Ivanti Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283",
      "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283"
    },
    {
      "published_at": "2025-01-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Ivanti security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways",
      "url": "https://www.ivanti.com/blog/security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways"
    }
  ]
}

CERTFR-2025-AVI-0014

Vulnerability from certfr_avis - Published: - Updated:

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Veuillez vous référer à l'alerte CERTFR-2025-ALE-001 pour la procédure de mise à jour de ces équipements.

Impacted products

Vendor	Product	Description
Ivanti	Connect Secure (ICS)	Connect Secure (ICS) versions antérieures à 22.7R2.5
Ivanti	Neurons for Zero Trust Access (ZTA) gateways	Neurons for ZTA gateways versions antérieures à 22.7R2.5.
Ivanti	Policy Secure (IPS)	Policy Secure (IPS) toutes versions.

References

Title

Publication Time

Tags

Bulletin de sécurité Ivanti Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283	2025-01-08	vendor-advisory
Bulletin de sécurité Ivanti security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways	2025-01-08	vendor-advisory
Alerte CERTFR-2025-ALE-001 du 09 janvier 2025	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Connect Secure (ICS) versions ant\u00e9rieures \u00e0 22.7R2.5 ",
      "product": {
        "name": "Connect Secure (ICS)",
        "vendor": {
          "name": "Ivanti",
          "scada": false
        }
      }
    },
    {
      "description": "Neurons for ZTA gateways versions ant\u00e9rieures \u00e0 22.7R2.5.",
      "product": {
        "name": "Neurons for Zero Trust Access (ZTA) gateways",
        "vendor": {
          "name": "Ivanti",
          "scada": false
        }
      }
    },
    {
      "description": "Policy Secure (IPS) toutes versions.",
      "product": {
        "name": "Policy Secure (IPS)",
        "vendor": {
          "name": "Ivanti",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "L\u0027\u00e9diteur indique que les correctifs pour Policy Secure et Neurons for ZTA gateways seront disponibles le 21 janvier. Les versions 9.x de Connect Secure ne b\u00e9n\u00e9ficieront pas de correctifs de s\u00e9curit\u00e9 pour la CVE-2025-0283 (la vuln\u00e9rabilit\u00e9 CVE-2025-0282 n\u0027affecte pas cette branche).\n\nVeuillez vous r\u00e9f\u00e9rer \u00e0 l\u0027alerte CERTFR-2025-ALE-001 pour la proc\u00e9dure de mise \u00e0 jour de ces \u00e9quipements.\n",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-0282",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0282"
    },
    {
      "name": "CVE-2025-0283",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0283"
    }
  ],
  "links": [
    {
      "title": "Alerte CERTFR-2025-ALE-001 du 09 janvier 2025",
      "url": "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2025-ALE-001/"
    }
  ],
  "reference": "CERTFR-2025-AVI-0014",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-01-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Ivanti. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance et une \u00e9l\u00e9vation de privil\u00e8ges.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Ivanti",
  "vendor_advisories": [
    {
      "published_at": "2025-01-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Ivanti Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283",
      "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283"
    },
    {
      "published_at": "2025-01-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Ivanti security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways",
      "url": "https://www.ivanti.com/blog/security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways"
    }
  ]
}

BDU:2025-00108

Vulnerability from fstec - Published: 08.01.2025

Title

Уязвимость средств контроля сетевого доступа Ivanti Connect Secure (ранее Pulse Connect Secure), Ivanti Policy Secure и средства управления IT-сервисами Ivanti Neurons for ZTA, связанная с чтением данных за границами буфера в памяти, позволяющая нарушителю выполнить произвольный код

Description

Уязвимость средств контроля сетевого доступа Ivanti Connect Secure (ранее Pulse Connect Secure), Ivanti Policy Secure и средства управления IT-сервисами Ivanti Neurons for ZTA связана с чтением данных за границами буфера в памяти. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, выполнить произвольный код

Severity


                    
                      AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Vendor

Ivanti

Software Name

Connect Secure, Policy Secure, Ivanti Neurons for Zero Trust Access (nZTA)

Software Version

от 22.7R2 до 22.7R2.5 (Connect Secure), от 22.7R1 до 22.7R1.2 включительно (Policy Secure), до 22.7R1.2 включительно (Ivanti Neurons for Zero Trust Access (nZTA))

Possible Mitigations

Установка обновлений из доверенных источников. В связи со сложившейся обстановкой и введенными санкциями против Российской Федерации рекомендуется устанавливать обновления программного обеспечения только после оценки всех сопутствующих рисков. Компенсирующие меры: - использование средств обнаружения и предотвращения вторжений (IDS/IPS) для отслеживания попыток эксплуатации уязвимости; - использование инструмента Integrity Checker Tool (ICT) для выявления средств эксплуатации уязвимости; - использование SIEM-систем для выявления попыток эксплуатации уязвимости; - ограничение доступа к уязвимому программному обеспечению из внешних сетей (Интернет). Использование рекомендаций производителя: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US

Reference

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day?e=48754805

CWE

CWE-121, CWE-125

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Ivanti",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u043e\u0442 22.7R2 \u0434\u043e 22.7R2.5 (Connect Secure), \u043e\u0442 22.7R1 \u0434\u043e 22.7R1.2 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Policy Secure), \u0434\u043e 22.7R1.2 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Ivanti Neurons for Zero Trust Access (nZTA))",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439 \u0438\u0437 \u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432. \u0412 \u0441\u0432\u044f\u0437\u0438 \u0441\u043e \u0441\u043b\u043e\u0436\u0438\u0432\u0448\u0435\u0439\u0441\u044f \u043e\u0431\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u043e\u0439 \u0438 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044b\u043c\u0438 \u0441\u0430\u043d\u043a\u0446\u0438\u044f\u043c\u0438 \u043f\u0440\u043e\u0442\u0438\u0432 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0442\u044c \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u043f\u043e\u0441\u043b\u0435 \u043e\u0446\u0435\u043d\u043a\u0438 \u0432\u0441\u0435\u0445 \u0441\u043e\u043f\u0443\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0445 \u0440\u0438\u0441\u043a\u043e\u0432. \n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f \u0438 \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0449\u0435\u043d\u0438\u044f \u0432\u0442\u043e\u0440\u0436\u0435\u043d\u0438\u0439 (IDS/IPS) \u0434\u043b\u044f \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u043d\u0438\u044f \u043f\u043e\u043f\u044b\u0442\u043e\u043a \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 Integrity Checker Tool (ICT) \u0434\u043b\u044f \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f \u0441\u0440\u0435\u0434\u0441\u0442\u0432 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 SIEM-\u0441\u0438\u0441\u0442\u0435\u043c \u0434\u043b\u044f \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u043e\u043f\u044b\u0442\u043e\u043a \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438;\n- \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u043c\u0443 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u043c\u0443 \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044e \u0438\u0437 \u0432\u043d\u0435\u0448\u043d\u0438\u0445 \u0441\u0435\u0442\u0435\u0439 (\u0418\u043d\u0442\u0435\u0440\u043d\u0435\u0442).\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "08.01.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "09.01.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "09.01.2025",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-00108",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-0282",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Connect Secure, Policy Secure, Ivanti Neurons for Zero Trust Access (nZTA)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0440\u0435\u0434\u0441\u0442\u0432 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044f \u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0430 Ivanti Connect Secure (\u0440\u0430\u043d\u0435\u0435 Pulse Connect Secure), Ivanti Policy Secure \u0438 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f IT-\u0441\u0435\u0440\u0432\u0438\u0441\u0430\u043c\u0438 Ivanti Neurons for ZTA, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u0447\u0442\u0435\u043d\u0438\u0435\u043c \u0434\u0430\u043d\u043d\u044b\u0445 \u0437\u0430 \u0433\u0440\u0430\u043d\u0438\u0446\u0430\u043c\u0438 \u0431\u0443\u0444\u0435\u0440\u0430 \u0432 \u043f\u0430\u043c\u044f\u0442\u0438, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u0431\u0443\u0444\u0435\u0440\u0430 \u0432 \u0441\u0442\u0435\u043a\u0435 (CWE-121), \u0427\u0442\u0435\u043d\u0438\u0435 \u0437\u0430 \u0433\u0440\u0430\u043d\u0438\u0446\u0430\u043c\u0438 \u0431\u0443\u0444\u0435\u0440\u0430 (CWE-125)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0440\u0435\u0434\u0441\u0442\u0432 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044f \u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0430 Ivanti Connect Secure (\u0440\u0430\u043d\u0435\u0435 Pulse Connect Secure), Ivanti Policy Secure \u0438 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f IT-\u0441\u0435\u0440\u0432\u0438\u0441\u0430\u043c\u0438 Ivanti Neurons for ZTA \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0447\u0442\u0435\u043d\u0438\u0435\u043c \u0434\u0430\u043d\u043d\u044b\u0445 \u0437\u0430 \u0433\u0440\u0430\u043d\u0438\u0446\u0430\u043c\u0438 \u0431\u0443\u0444\u0435\u0440\u0430 \u0432 \u043f\u0430\u043c\u044f\u0442\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US\nhttps://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day?e=48754805",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u041f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e \u0437\u0430\u0449\u0438\u0442\u044b",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-121, CWE-125",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,6)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9)"
}

FKIE_CVE-2025-0282

Vulnerability from fkie_nvd - Published: 2025-01-08 23:15 - Updated: 2026-06-17 08:26

CISA KEV KEVintel KEV

Severity

9.0 (Critical) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
9.0 (Critical) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

References

URL	Tags
3c1d8aa1-5a33-4ea4-8992-aadd6440af75	https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day	Exploit, Technical Description
af854a3a-2127-422b-91ae-364da2661108	https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282	Third Party Advisory, US Government Resource
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/sfewer-r7/CVE-2025-0282	Exploit
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-2025-0282/	Exploit, Third Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0282	US Government Resource
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-0282	US Government Resource

Impacted products

Vendor	Product	Version
ivanti	connect_secure	22.7
ivanti	connect_secure	22.7
ivanti	connect_secure	22.7
ivanti	connect_secure	22.7
ivanti	connect_secure	22.7
ivanti	neurons_for_zero-trust_access	22.7
ivanti	neurons_for_zero-trust_access	22.7
ivanti	neurons_for_zero-trust_access	22.7
ivanti	policy_secure	22.7
ivanti	policy_secure	22.7
ivanti	policy_secure	22.7

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unaffected",
          "product": "Connect Secure",
          "vendor": "Ivanti",
          "versions": [
            {
              "lessThanOrEqual": "22.7R2.4",
              "status": "affected",
              "version": "22.7R2",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "22.7R2.5",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Policy Secure",
          "vendor": "Ivanti",
          "versions": [
            {
              "lessThanOrEqual": "22.7R1.2",
              "status": "affected",
              "version": "22.7R1",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Neurons for ZTA gateways",
          "vendor": "Ivanti",
          "versions": [
            {
              "lessThanOrEqual": "22.7R2.3",
              "status": "affected",
              "version": "22.7R2",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "22.7R2.5",
              "versionType": "custom"
            }
          ]
        }
      ],
      "source": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75"
    }
  ],
  "cisaActionDue": "2025-01-15",
  "cisaExploitAdd": "2025-01-08",
  "cisaRequiredAction": "Apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.",
  "cisaVulnerabilityName": "Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ivanti:connect_secure:22.7:r2:*:*:*:*:*:*",
              "matchCriteriaId": "247E71F8-A03B-4097-B7BF-09F8BF3ED4D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ivanti:connect_secure:22.7:r2.1:*:*:*:*:*:*",
              "matchCriteriaId": "E0059C69-4A18-4153-9D9A-5C1B03AD1453",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ivanti:connect_secure:22.7:r2.2:*:*:*:*:*:*",
              "matchCriteriaId": "FC523C88-115E-4CD9-A8CB-AE6E6610F7D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ivanti:connect_secure:22.7:r2.3:*:*:*:*:*:*",
              "matchCriteriaId": "3447428E-DBCD-4553-B51D-AC08ECAFD881",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ivanti:connect_secure:22.7:r2.4:*:*:*:*:*:*",
              "matchCriteriaId": "A08BAF98-7F05-4596-8BFC-91F1A79D3BD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r2:*:*:*:*:*:*",
              "matchCriteriaId": "67D43D1D-564D-4ACD-B0FF-3828B95E9864",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r2.2:*:*:*:*:*:*",
              "matchCriteriaId": "BC8480E0-17C0-4590-950F-D3954E735365",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r2.3:*:*:*:*:*:*",
              "matchCriteriaId": "3FAF4FB0-A88C-4A87-B6CB-32EF7B415885",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ivanti:policy_secure:22.7:r1:*:*:*:*:*:*",
              "matchCriteriaId": "FD9BE8C2-43EB-4870-A4B7-267CB17A19F1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ivanti:policy_secure:22.7:r1.1:*:*:*:*:*:*",
              "matchCriteriaId": "C8915BB2-C1C0-4189-A847-DDB2EF161D62",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*:*:*",
              "matchCriteriaId": "8D24A8DB-D697-4C60-935D-B08EE36861CB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution."
    },
    {
      "lang": "es",
      "value": "Un desbordamiento de b\u00fafer basado en pila en Ivanti Connect Secure anterior a la versi\u00f3n 22.7R2.5, Ivanti Policy Secure anterior a la versi\u00f3n 22.7R1.2 e Ivanti Neurons para puertas de enlace ZTA anteriores a la versi\u00f3n 22.7R2.3 permite que un atacante remoto no autenticado logre la ejecuci\u00f3n remota de c\u00f3digo."
    }
  ],
  "id": "CVE-2025-0282",
  "lastModified": "2026-06-17T08:26:12.503",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 6.0,
        "source": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2025-0282",
          "options": [
            {
              "exploitation": "active"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2025-01-28T17:00:49.115686Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2025-01-08T23:15:09.763",
  "references": [
    {
      "source": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Technical Description"
      ],
      "url": "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit"
      ],
      "url": "https://github.com/sfewer-r7/CVE-2025-0282"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-2025-0282/"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0282"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-0282"
    }
  ],
  "sourceIdentifier": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-121"
        }
      ],
      "source": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-RF94-F4R9-6GXH

Vulnerability from github – Published: 2025-01-09 00:31 – Updated: 2025-10-22 00:33

Details

Severity

9.0 (Critical)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-0282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-121",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-08T23:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.",
  "id": "GHSA-rf94-f4r9-6gxh",
  "modified": "2025-10-22T00:33:12Z",
  "published": "2025-01-09T00:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0282"
    },
    {
      "type": "WEB",
      "url": "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sfewer-r7/CVE-2025-0282"
    },
    {
      "type": "WEB",
      "url": "https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-2025-0282"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0282"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-0282"
    },
    {
      "type": "WEB",
      "url": "https://www.synacktiv.com/sites/default/files/2024-01/synacktiv-pulseconnectsecure-multiple-vulnerabilities.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

NCSC-2025-0005

Vulnerability from csaf_ncscnl - Published: 2025-01-08 18:55 - Updated: 2025-01-17 08:54

Summary

Kwetsbaarheden verholpen in Ivanti Connect Secure en Policy Secure

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten: Ivanti heeft kwetsbaarheden verholpen in Connect Secure en Policy Secure.

Interpretaties: De eerste kwetsbaarheid (CVE-2025-0282) kan door kwaadwillenden misbruikt worden om zonder authenticatie op afstand willekeurige code uit te voeren. De tweede kwetsbaarheid (CVE-2025-0283) kan door een lokaal geauthenticeerde kwaadwillende misbruikt worden om de rechten te verhogen. Ivanti geeft aan dat CVE-2025-0282 actief misbruikt word bij gebruikers van Connect Secure. Er is Proof-of-Concept-code beschikbaar. Ivanti adviseert om de interne en externe Integrity Checker Tools (ICT) te gebruiken op betreffende apparatuur, de interne integrity check tool zou echter mogelijk door malafide handelingen niet correct werken. Het NCSC adviseert om de meest recente versies van de Integrity Checker Tools (ICT) in te zetten om mogelijk misbruik te kunnen detecteren. Op dit moment is dat versie ICT-V22725 (build 3819). In de aanval zouden mogelijk meerdere persistence technieken zijn toegepast, een daarvan is het blokkeren van een legitieme patch en in plaats daarvan een schijn patch op het scherm weer te geven als het systeem gepatched wordt. Dit zou betekenen dat de update die zou zijn uitgevoerd niet correct is en mogelijk zou een kwaadwillende nog steeds toegang hebben tot het apparaat. Ook adviseert Ivanti om bij onderkenning van eerder misbruik betreffende apparatuur te factory resetten en de versie terug te zetten naar 22.7R2.5. Het is belangrijk dat bij tekenen van misbruik credentials en API tokens worden geroteerd, deze zouden mogelijk gestolen kunnen zijn.

Oplossingen: Ivanti heeft patches uitgebracht om de kwetsbaarheid te verhelpen in Connect Secure versie 22.7R2.5. Gebruikers van Connect Secure worden daarnaast door Ivanti dringend geadviseerd om de integriteit van het systeem met de interne en externe Integrity Checker Tools (ICT) te onderzoeken. Hiermee kunnen mogelijke antiforensische handelingen worden gedetecteerd. Voor Policy Secure zal naar verwachting op 21 januari een patch beschikbaar komen. Dit product hoort echter normaliter niet via het internet bereikbaar te zijn en er is dan ook geen actief misbruik van de kwetsbaarheden in Policy Secure bekend. Google TI heeft een blog geschreven over het misbruik met meerdere indicators of compromise (IoC's) welke kunnen ondersteunen bij onderzoek. Zie bijgevoegde referenties voor meer informatie.

Kans: high

Schade: high

CWE-121: Stack-based Buffer Overflow

CVE-2025-0282

9.0 (Critical)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-121 - Stack-based Buffer Overflow

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
connect_secure ivanti	`cpe:2.3:a:ivanti:connect_secure::::::::`	—
policy_secure ivanti	`cpe:2.3:a:ivanti:policy_secure::::::::`	—

CVE-2025-0283

7.0 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-121 - Stack-based Buffer Overflow

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
connect_secure ivanti	`cpe:2.3:a:ivanti:connect_secure::::::::`	—
policy_secure ivanti	`cpe:2.3:a:ivanti:policy_secure::::::::`	—

References

4 references

URL	Category
https://forums.ivanti.com/s/article/Security-Advi…	external
https://cloud.google.com/blog/topics/threat-intel…	external
https://api.ncsc.nl/velma/v1/vulnerabilities/2025…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2025…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Ivanti heeft kwetsbaarheden verholpen in Connect Secure en Policy Secure.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De eerste kwetsbaarheid (CVE-2025-0282) kan door kwaadwillenden misbruikt worden om zonder authenticatie op afstand willekeurige code uit te voeren. De tweede kwetsbaarheid (CVE-2025-0283) kan door een lokaal geauthenticeerde kwaadwillende misbruikt worden om de rechten te verhogen.\n\nIvanti geeft aan dat CVE-2025-0282 actief misbruikt word bij gebruikers van Connect Secure. Er is Proof-of-Concept-code beschikbaar.\n\nIvanti adviseert om de interne en externe Integrity Checker Tools (ICT) te gebruiken op betreffende apparatuur, de interne integrity check tool zou echter mogelijk door malafide handelingen niet correct werken. Het NCSC adviseert om de meest recente versies van de Integrity Checker Tools (ICT) in te zetten om mogelijk misbruik te kunnen detecteren. Op dit moment is dat versie ICT-V22725 (build 3819).\n\nIn de aanval zouden mogelijk meerdere persistence technieken zijn toegepast, een daarvan is het blokkeren van een legitieme patch en in plaats daarvan een schijn patch op het scherm weer te geven als het systeem gepatched wordt. Dit zou betekenen dat de update die zou zijn uitgevoerd niet correct is en mogelijk zou een kwaadwillende nog steeds toegang hebben tot het apparaat. Ook adviseert Ivanti om bij onderkenning van eerder misbruik betreffende apparatuur te factory resetten en de versie terug te zetten naar 22.7R2.5. Het is belangrijk dat bij tekenen van misbruik credentials en API tokens worden geroteerd, deze zouden mogelijk gestolen kunnen zijn.\n",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Ivanti heeft patches uitgebracht om de kwetsbaarheid te verhelpen in Connect Secure versie 22.7R2.5. Gebruikers van Connect Secure worden daarnaast door Ivanti dringend geadviseerd om de integriteit van het systeem met de interne en externe Integrity Checker Tools (ICT) te onderzoeken. Hiermee kunnen mogelijke antiforensische handelingen worden gedetecteerd.\n\nVoor Policy Secure zal naar verwachting op 21 januari een patch beschikbaar komen. Dit product hoort echter normaliter niet via het internet bereikbaar te zijn en er is dan ook geen actief misbruik van de kwetsbaarheden in Policy Secure bekend.\n\nGoogle TI heeft een blog geschreven over het misbruik met meerdere indicators of compromise (IoC\u0027s) welke kunnen ondersteunen bij onderzoek. \n\nZie bijgevoegde referenties voor meer informatie.\n",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Stack-based Buffer Overflow",
        "title": "CWE-121"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference - ncscclear",
        "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US"
      },
      {
        "category": "external",
        "summary": "Reference - ncscclear",
        "url": "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day/"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Ivanti Connect Secure en Policy Secure",
    "tracking": {
      "current_release_date": "2025-01-17T08:54:45.356129Z",
      "id": "NCSC-2025-0005",
      "initial_release_date": "2025-01-08T18:55:33.983262Z",
      "revision_history": [
        {
          "date": "2025-01-08T18:55:33.983262Z",
          "number": "0",
          "summary": "Initiele versie"
        },
        {
          "date": "2025-01-09T13:42:48.428306Z",
          "number": "1",
          "summary": "Ivanti adviseert om de interne en externe Integrity Checker Tools (ICT) te gebruiken op betreffende apparatuur, de interne integrity check tool zou echter mogelijk door malafide handelingen niet correct werken. Uit open bronnen blijkt dat er antiforensische methoden zouden zijn toegepast welke, bij eerder misbruik, niet enkel met een patch zouden kunnen worden opgelost. "
        },
        {
          "date": "2025-01-09T13:49:52.970276Z",
          "number": "2",
          "summary": "Het NCSC adviseert ook de Integrity Checker Tools (ICT) in te zetten om mogelijk misbruik te kunnen detecteren, deze is alleen beschibaar voor versie 22.7R2.5.*"
        },
        {
          "date": "2025-01-09T14:05:53.160955Z",
          "number": "3",
          "summary": "Ivanti adviseert om de Integrity Checker Tools (ICT) te gebruiken. Zie de Ivanti advisory voor meer informatie. "
        },
        {
          "date": "2025-01-13T10:27:48.197389Z",
          "number": "4",
          "summary": "Ivanti heeft versie ICT-V22725 (build 3819) van de external Integrity Checker Tool beschikbaar gesteld. Deze versie is in tegenstelling\ntot de vorige versie toepasbaar op alle R2-versies van 22.X. Voor meer informatie zie het beveiligingsadvies van Ivanti."
        },
        {
          "date": "2025-01-17T08:54:45.356129Z",
          "number": "5",
          "summary": "Onderzoekers hebben Proof-of-Concept-code (PoC) gepubliceerd, waarmee de kwetsbaarheid met kenmerk CVE-2025-0282 kan worden aangetoond. Actief grootschalig misbruik wordt hiermee waarschijnlijker."
        }
      ],
      "status": "final",
      "version": "1.0.5"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "connect_secure",
            "product": {
              "name": "connect_secure",
              "product_id": "CSAFPID-505697",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:ivanti:connect_secure:*:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "policy_secure",
            "product": {
              "name": "policy_secure",
              "product_id": "CSAFPID-505693",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:ivanti:policy_secure:*:*:*:*:*:*:*:*"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "ivanti"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-0282",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "other",
          "text": "Stack-based Buffer Overflow",
          "title": "CWE-121"
        },
        {
          "category": "other",
          "text": "Out-of-bounds Write",
          "title": "CWE-787"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-505697",
          "CSAFPID-505693"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-0282",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-0282.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-505697",
            "CSAFPID-505693"
          ]
        }
      ],
      "title": "CVE-2025-0282"
    },
    {
      "cve": "CVE-2025-0283",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "other",
          "text": "Stack-based Buffer Overflow",
          "title": "CWE-121"
        },
        {
          "category": "other",
          "text": "Out-of-bounds Write",
          "title": "CWE-787"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-505697",
          "CSAFPID-505693"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-0283",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-0283.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-505697",
            "CSAFPID-505693"
          ]
        }
      ],
      "title": "CVE-2025-0283"
    }
  ]
}

WID-SEC-W-2025-0029

Vulnerability from csaf_certbund - Published: 2025-01-08 23:00 - Updated: 2025-01-08 23:00

Summary

Ivanti Connect Secure: Mehrere Schwachstellen ermöglichen Codeausführung und Privilegienerweiterung

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Connect Secure bietet TLS- und mobile VPN-Lösungen. Ivanti Policy Secure ist eine Network Access Control (NAC) Lösung.

Angriff: Ein entfernter anonymer oder lokaler Angreifer kann mehrere Schwachstellen in Ivanti Connect Secure und Ivanti Policy Secure ausnutzen, um beliebigen Code auszuführen und erhöhte Rechte zu erlangen.

Betroffene Betriebssysteme: - Sonstiges

CVE-2025-0282

Es besteht eine Schwachstelle in Ivanti Connect Secure und Ivanti Policy Secure aufgrund eines stapelbasierten Pufferüberlaufproblems. Ein entfernter, anonymer Angreifer kann diese Schwachstelle zur Ausführung von beliebigem Code ausnutzen.

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Ivanti Connect Secure <22.7R2.5 Ivanti / Connect Secure		<22.7R2.5
Ivanti Policy Secure =<22.7R1.2 Ivanti / Policy Secure		=<22.7R1.2

CVE-2025-0283

Es besteht eine Schwachstelle in Ivanti Connect Secure und Ivanti Policy Secure aufgrund eines stapelbasierten Pufferüberlaufproblems. Ein lokaler Angreifer kann diese Schwachstelle ausnutzen, um erweiterte Rechte zu erlangen.

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Ivanti Connect Secure <22.7R2.5 Ivanti / Connect Secure		<22.7R2.5
Ivanti Policy Secure =<22.7R1.2 Ivanti / Policy Secure		=<22.7R1.2

References

4 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://forums.ivanti.com/s/article/Security-Advi…	external
https://www.ivanti.com/blog/security-update-ivant…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Connect Secure bietet TLS- und mobile VPN-L\u00f6sungen.\r\nIvanti Policy Secure ist eine Network Access Control (NAC) L\u00f6sung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter anonymer oder lokaler Angreifer kann mehrere Schwachstellen in Ivanti Connect Secure und Ivanti Policy Secure ausnutzen, um beliebigen Code auszuf\u00fchren und erh\u00f6hte Rechte zu erlangen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0029 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0029.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0029 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0029"
      },
      {
        "category": "external",
        "summary": "Ivanti Security Advisory vom 2025-01-08",
        "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283"
      },
      {
        "category": "external",
        "summary": "Ivanti Blog vom 2025-01-08",
        "url": "https://www.ivanti.com/blog/security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways"
      }
    ],
    "source_lang": "en-US",
    "title": "Ivanti Connect Secure: Mehrere Schwachstellen erm\u00f6glichen Codeausf\u00fchrung und Privilegienerweiterung",
    "tracking": {
      "current_release_date": "2025-01-08T23:00:00.000+00:00",
      "generator": {
        "date": "2025-01-09T09:12:21.777+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2025-0029",
      "initial_release_date": "2025-01-08T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-01-08T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c22.7R2.5",
                "product": {
                  "name": "Ivanti Connect Secure \u003c22.7R2.5",
                  "product_id": "T040075"
                }
              },
              {
                "category": "product_version",
                "name": "22.7R2.5",
                "product": {
                  "name": "Ivanti Connect Secure 22.7R2.5",
                  "product_id": "T040075-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ivanti:connect_secure:22.7r2.5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Connect Secure"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "=\u003c22.7R1.2",
                "product": {
                  "name": "Ivanti Policy Secure =\u003c22.7R1.2",
                  "product_id": "T040077"
                }
              },
              {
                "category": "product_version",
                "name": "=22.7R1.2",
                "product": {
                  "name": "Ivanti Policy Secure =22.7R1.2",
                  "product_id": "T040077-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ivanti:policy_secure:22.7r1.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Policy Secure"
          }
        ],
        "category": "vendor",
        "name": "Ivanti"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-0282",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Ivanti Connect Secure und Ivanti Policy Secure aufgrund eines stapelbasierten Puffer\u00fcberlaufproblems. Ein entfernter, anonymer Angreifer kann diese Schwachstelle zur Ausf\u00fchrung von beliebigem Code ausnutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040075",
          "T040077"
        ]
      },
      "release_date": "2025-01-08T23:00:00.000+00:00",
      "title": "CVE-2025-0282"
    },
    {
      "cve": "CVE-2025-0283",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Ivanti Connect Secure und Ivanti Policy Secure aufgrund eines stapelbasierten Puffer\u00fcberlaufproblems. Ein lokaler Angreifer kann diese Schwachstelle ausnutzen, um erweiterte Rechte zu erlangen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040075",
          "T040077"
        ]
      },
      "release_date": "2025-01-08T23:00:00.000+00:00",
      "title": "CVE-2025-0283"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-0282 (GCVE-0-2025-0282)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Vendor Report Successful Exploitation Confidence: 80% Source: cisa-kev

Details

References

KEVintel KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Public Report Confirmed Compromise Confidence: 70% Source: kevintel

Details

References

Solutions

Solutions

Solutions

Solutions

Tags

Sightings

Nomenclature