Ivanti has released security updates addressing four high- and medium-severity vulnerabilities across its Connect Secure, Policy Secure, and Zero Trust Access (ZTA) Gateway products.
The two high-severity flaws, identified through internal discovery and responsible disclosure programs, could let remote, unauthenticated attackers trigger a denial of service (DoS). Ivanti reports no known exploitation at the time of disclosure.
Key Takeaways
1. Four vulnerabilities in Ivanti products; the two high-severity ones enable remote DoS without authentication.
2. Update Connect Secure, Policy Secure, and ZTA Gateway immediately.
3. On-premises deployments require manual updates; the Neurons for Secure Access cloud service has already been patched.
Buffer Overflow and DoS Vulnerabilities Disclosed
The security advisory encompasses four distinct Common Vulnerabilities and Exposures (CVEs), with two classified as high-severity threats.
CVE-2025-5456, scoring 7.5 on the Common Vulnerability Scoring System (CVSS), represents a buffer over-read vulnerability (CWE-125) that allows remote unauthenticated attackers to trigger denial-of-service conditions.
The vulnerability affects Ivanti Connect Secure versions prior to 22.7R2.8 or 22.8R2, Policy Secure before 22.7R1.5, ZTA Gateway before 22.8R2.3-723, and Neurons for Secure Access before 22.8R1.4.
Similarly, CVE-2025-5462 is a heap-based buffer overflow (CWE-122, CWE-476) with the same CVSS score and impact.
It affects the same range of products and versions, and likewise allows a remote, unauthenticated attacker to disrupt service through memory corruption.
Both vulnerabilities utilize the CVSS vector “CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,” indicating network-based attacks with low complexity and high availability impact.
Two additional medium-severity vulnerabilities are CVE-2025-5466, an XML External Entity (XXE) vulnerability (CWE-776) that requires administrative privileges, and CVE-2025-5468, improper symbolic link handling (CWE-61) that could enable local file disclosure.
| CVE | Title | CVSS 3.0 | Severity |
|---|---|---|---|
| CVE-2025-5456 | Buffer over-read | 7.5 | High |
| CVE-2025-5462 | Heap-based buffer overflow | 7.5 | High |
| CVE-2025-5466 | XML External Entity (XXE) | 4.9 | Medium |
| CVE-2025-5468 | Improper symbolic link handling | 5.5 | Medium |
Patch Availability
Ivanti Connect Secure users must upgrade to version 22.7R2.8 or 22.8R2, available through the standard download portal at portal.ivanti.com.
Policy Secure deployments require updating to version 22.7R1.5 through the same distribution channel.
ZTA Gateway administrators can access the patched version 22.8R2.3-723 directly through their controller interface, with availability beginning August 2, 2025.
For Neurons for Secure Access cloud customers, Ivanti proactively deployed fixes to cloud environments on August 2, 2025, eliminating the need for customer intervention.
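Checking an inventory against the fixed versions listed above is easy to get wrong by hand because the fixes are per branch: a Connect Secure 22.8R1.x appliance is numerically newer than 22.7R2.8 but still below the 22.8 branch fix, 22.8R2. The Python below is an added example and not Ivanti tooling; it assumes the version scheme major.minorRrelease[.patch][-build] seen in the advisory, treats branches older than every fixed branch (such as Pulse Connect Secure 9.x, which is out of support) as vulnerable, and reports branches newer than every fixed branch as unknown rather than guessing. The sample inventory is constructed.

```python
import re
from typing import NamedTuple


class IvantiVersion(NamedTuple):
    """Release string split into comparable fields: '22.7R2.8-123' -> (22, 7, 2, 8, 123)."""
    major: int
    minor: int
    release: int
    patch: int
    build: int

    @property
    def branch(self) -> tuple:
        return (self.major, self.minor)


# Assumed scheme: major.minor 'R' release, optional .patch, optional -build.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?(?:-(\d+))?$")


def parse_version(text: str) -> IvantiVersion:
    """Parse an Ivanti version string; raise on anything outside the assumed scheme."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch, build = m.groups()
    return IvantiVersion(int(major), int(minor), int(release),
                         int(patch or 0), int(build or 0))


# Minimum fixed version per product, taken from the advisory text above.
FIXED_VERSIONS = {
    "Connect Secure": ("22.7R2.8", "22.8R2"),
    "Policy Secure": ("22.7R1.5",),
    "ZTA Gateway": ("22.8R2.3-723",),
    "Neurons for Secure Access": ("22.8R1.4",),
}


def patch_status(product: str, version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a deployed version.

    A fixed version only covers its own branch, so the deployed version is
    compared against the fix for the same major.minor. Branches older than
    every fixed branch get no fix and are reported vulnerable; branches
    newer than every fixed branch are outside the advisory and reported unknown.
    """
    deployed = parse_version(version_text)
    fixes = sorted(parse_version(f) for f in FIXED_VERSIONS[product])
    for fix in fixes:
        if fix.branch == deployed.branch:
            return "patched" if deployed >= fix else "vulnerable"
    if deployed.branch < fixes[0].branch:
        return "vulnerable"
    return "unknown"


def triage(inventory):
    """Map (hostname, product, version) records to a hostname -> status dict."""
    return {host: patch_status(product, ver) for host, product, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = [
        ("vpn-1", "Connect Secure", "22.7R2.7"),
        ("vpn-2", "Connect Secure", "22.8R1.4"),
        ("vpn-3", "Connect Secure", "22.8R2"),
        ("nac-1", "Policy Secure", "22.7R1.5"),
        ("zta-1", "ZTA Gateway", "22.8R2.3-722"),
        ("legacy", "Connect Secure", "9.1R18"),
    ]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

The branch-aware comparison is the point: a plain tuple comparison against the lowest fixed version would mark vpn-2 (22.8R1.4) as patched, when it is still below 22.8R2.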
Ivanti emphasizes that no customer exploitation has been observed prior to public disclosure, with vulnerabilities discovered through internal security assessments and responsible disclosure programs.
Pulse Connect Secure 9.x users face additional exposure: that product line reached end of support on December 31, 2024, and no longer receives security backports, so the only remediation is migration to a supported release.
The company strongly recommends immediate patch deployment, particularly for internet-facing appliances, since the two high-severity flaws need no authentication to exploit.