CVE-2025-0282: Remote Code Execution in Ivanti Connect Secure via Buffer Overflow

ISGroup Cybersecurity

A critical vulnerability has been discovered in several Ivanti products, allowing for remote code execution via a stack-based buffer overflow in the IF-T/TLS implementation. This vulnerability is currently being actively exploited, with over 19,413 instances of vulnerable systems exposed on the internet. Multiple proof-of-concept exploits are publicly available, making this vulnerability a serious and immediate security threat.

ProductIvanti Connect Secure
Date2025-01-17 10:22:11
Information
  • Fix Available
  • Active Exploitation

Technical Summary

The vulnerability resides in the IF-T/TLS implementation of the affected Ivanti products. An unauthenticated attacker can cause a stack-based buffer overflow by sending specially crafted network packets during the IF-T/TLS negotiation process. This overflow can be exploited to achieve remote code execution on the target system with the privileges of the running service.

Affected products and versions:

  • Ivanti Connect Secure < 22.7R2.5
  • Ivanti Policy Secure < 22.7R1.2
  • Ivanti Neurons for ZTA gateways < 22.7R2.3

Key points:

  • No authentication required for exploitation
  • Default configurations are affected
  • Can lead to full system compromise
  • Active exploitation observed in the wild
  • Multiple PoCs publicly available
  • Large number of vulnerable systems exposed

Recommendations

  • Immediately update affected systems to the following versions or later:
  • Ivanti Connect Secure: 22.7R2.5
  • Ivanti Policy Secure: 22.7R1.2
  • Ivanti Neurons for ZTA gateways: 22.7R2.3

[Callforaction-THREAT-Footer]