Ivanti has released critical security updates addressing multiple vulnerabilities in its Connect Secure, Policy Secure, and ZTA Gateway products that could allow remote attackers to launch denial-of-service attacks.
The company disclosed four vulnerabilities on August 12, 2025, with CVSS scores ranging from medium to high severity, though no active exploitation has been detected at the time of disclosure.
The security advisory reveals four distinct vulnerabilities affecting Ivanti’s enterprise security infrastructure products.
CVE-2025-5456, scoring 7.5 on the CVSS scale, represents a buffer over-read vulnerability that allows remote unauthenticated attackers to trigger denial-of-service conditions across multiple product lines.
This critical flaw affects Ivanti Connect Secure versions prior to 22.7R2.8 or 22.8R2, Policy Secure before 22.7R1.5, ZTA Gateway before 2.8R2.3-723, and Neurons for Secure Access before 22.8R1.4.
Similarly severe is CVE-2025-5462, also scoring 7.5, which involves a heap-based buffer overflow vulnerability.
This flaw enables remote unauthenticated attackers to cause denial-of-service attacks against the same product versions, presenting significant risks to organizational network security infrastructure.
| CVE Number | Description | CVSS Score | CWE |
| CVE-2025-5456 | Buffer over-read vulnerability allowing remote DoS | 7.5 (High) | CWE-125 |
| CVE-2025-5462 | Heap-based buffer overflow enabling remote DoS | 7.5 (High) | CWE-122, CWE-476 |
| CVE-2025-5466 | XML External Entity (XXE) vulnerability | 4.9 (Medium) | CWE-776 |
| CVE-2025-5468 | Improper symbolic link handling | 5.5 (Medium) | CWE-61 |
Two medium-severity vulnerabilities complete the advisory. CVE-2025-5466 involves an XML External Entity (XXE) vulnerability with a CVSS score of 4.9, requiring administrative privileges for exploitation but still capable of causing denial-of-service attacks.
CVE-2025-5468, scoring 5.5, addresses improper handling of symbolic links that could allow local authenticated attackers to read arbitrary files on disk, potentially exposing sensitive system information.
Ivanti has released patches for all affected products, with some fixes already deployed to cloud environments as of August 2, 2025.
Organizations using Connect Secure should upgrade to version 22.7R2.8 or 22.8R2, while Policy Secure users need version 22.7R1.5.
ZTA Gateway customers should install version 22.8R2.3-723, available through the controller interface.
The company emphasizes that no active exploitation has been detected, as these vulnerabilities were discovered through internal security assessments and responsible disclosure programs.
However, the severity of potential denial-of-service attacks makes immediate patching essential for maintaining organizational network security posture.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!
Source link
