CVE-2025-0282

Connect Secure, Policy Secure, and ZTA Gateways vulnerability analysis and mitigation — CRITICAL (CVSS 9)

High Profile Threat

Overview

A stack-based buffer overflow vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways allows remote unauthenticated attackers to execute arbitrary code by sending crafted requests. The vulnerability is caused by improper input handling in the affected products. It was disclosed on January 8, 2025. CISA has identified CVE-2025-0282 as being exploited in the wild, and it is known to be used in ransomware campaigns.

Technical details

The vulnerability exists in the input validation mechanism of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateway products. The affected components fail to properly validate and sanitize incoming request data, allowing for a stack-based buffer overflow condition. By crafting malicious requests with oversized or specially formatted payloads, remote attackers can overwrite stack memory, potentially corrupting return addresses and allowing execution of arbitrary code with the privileges of the affected service.

The vulnerability is classified as CWE-674 (Uncontrolled Recursion), CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')) and CWE-121 (Stack-based Buffer Overflow).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.

Impact

Successful exploitation allows unauthenticated remote attackers to execute arbitrary code on affected Ivanti gateways. This could lead to complete compromise of the VPN/gateway infrastructure, including unauthorized access to protected networks, theft of sensitive data, denial of service, and potential lateral movement to internal network resources. Given that these products typically serve as critical network perimeter devices, compromise could have enterprise-wide security implications.

Mitigation and workarounds

Apply the latest security patches from Ivanti immediately. Visit Ivanti's security portal at https://www.ivanti.com/en/solutions/secure-workforce/secure-connectivity to download and apply the fixed versions. The versions that include the necessary fixes are: Ivanti Connect Secure 22.7R2.5 or later, Ivanti Policy Secure 22.7R1.2 or later, and Ivanti Neurons for ZTA gateways 22.7R2.3 or later. Ivanti recommends prioritizing this patch because of its critical severity and remote unauthenticated attack vector.

As temporary workarounds, implement strict network access controls to limit access to Ivanti gateway management and service ports, restricting inbound connections to authorized IP addresses and networks using firewall rules or network segmentation. Deploy web application firewall (WAF) or intrusion prevention system (IPS) rules to detect and block malformed requests targeting known vulnerable endpoints, and monitor for suspicious request patterns. Place a reverse proxy or load balancer in front of Ivanti gateways to validate and sanitize incoming requests, and disable unnecessary services and protocols.

CISA's recommendation: Apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.

Source: This report was generated using AI

Related Ivanti Vulnerabilities

No related vulnerabilities found with identified affected products.