
Security Advisory Ivanti Connect Secure

Ryan Achmad
soc & sysadmin

Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283)

Security Advisory: Ivanti Connect Secure, Policy Secure & ZTA Gateways

Advisory Date: January 8, 2025
Last Updated: January 13, 2025
CVE Identifiers:

  • CVE-2025-0282
  • CVE-2025-0283

Summary

This advisory highlights critical vulnerabilities discovered in Ivanti products, specifically Connect Secure, Policy Secure, and Zero Trust Access (ZTA) Gateways. These vulnerabilities could allow remote attackers to execute arbitrary code or bypass authentication, leading to unauthorized access.


Affected Versions

| CVE | Product Name | Affected Version(s) | Affected CPE(s) | Resolved Version(s) | Patch Availability |
|---|---|---|---|---|---|
| CVE-2025-0282 | Ivanti Connect Secure | 22.7R2 through 22.7R2.4 | cpe:2.3:a:ivanti:connect_secure:22.7:R2.4::::.. | 22.7R2.5 | Download Portal |
| CVE-2025-0283 | Ivanti Connect Secure | 22.7R2.4 and prior, 9.1R18.9 and prior | cpe:2.3:a:ivanti:connect_secure:22.7:R2.4::::.. | 22.7R2.5 | Download Portal |
| CVE-2025-0282 | Ivanti Policy Secure | 22.7R1 through 22.7R1.2 | cpe:2.3:a:ivanti:policy_secure:22.7:r1.2::::.*. | Patch planned availability | January 21, 2025 |
| CVE-2025-0283 | Ivanti Policy Secure | 22.7R1.2 and prior | cpe:2.3:a:ivanti:policy_secure:22.7:r1.2::::.*. | Patch planned availability | January 21, 2025 |
| CVE-2025-0282 | Ivanti Neurons for ZTA Gateways | 22.7R2 through 22.7R2.3 | N/A | 22.7R2.5 | Patch planned availability: January 21, 2025 |
| CVE-2025-0283 | Ivanti Neurons for ZTA Gateways | 22.7R2.3 and prior | N/A | 22.7R2.5 | Patch planned availability: January 21, 2025 |
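
The version ranges in the table above can be checked against an appliance inventory with a short script. This is an added example, not code from Ivanti or from the original post; the product keys, hostnames and inventory are constructed for illustration, and "and prior" is interpreted as a plain numeric less-than-or-equal comparison.

```python
import re

# Affected ranges transcribed from the table above; lo=None means "and prior".
# The product keys are labels chosen for this example (an assumption).
AFFECTED = {
    "connect_secure": {
        "CVE-2025-0282": [("22.7R2", "22.7R2.4")],
        "CVE-2025-0283": [(None, "22.7R2.4"), (None, "9.1R18.9")],
    },
    "policy_secure": {
        "CVE-2025-0282": [("22.7R1", "22.7R1.2")],
        "CVE-2025-0283": [(None, "22.7R1.2")],
    },
    "zta_gateway": {
        "CVE-2025-0282": [("22.7R2", "22.7R2.3")],
        "CVE-2025-0283": [(None, "22.7R2.3")],
    },
}

def parse_version(text):
    """'22.7R2.4' -> (22, 7, 2, 4); a missing patch level ('22.7R2') counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?", text.strip(), re.IGNORECASE)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def triage(product, version):
    """Return the CVEs from this advisory whose range covers the version."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED[product].items():
        if any((lo is None or parse_version(lo) <= v) and v <= parse_version(hi)
               for lo, hi in ranges):
            hits.append(cve)
    # FAQ 5: the 9.x line is End of Life and gets no fix for CVE-2025-0283.
    return {"cves": hits, "eol_no_patch": v[0] == 9}

# Constructed inventory for illustration (hostnames are made up).
INVENTORY = [
    ("vpn-edge-01", "connect_secure", "22.7R2.3"),
    ("vpn-edge-02", "connect_secure", "22.7R2.5"),
    ("vpn-legacy", "connect_secure", "9.1R18.9"),
    ("nac-core", "policy_secure", "22.7R1.2"),
]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        result = triage(product, version)
        status = ", ".join(result["cves"]) or "not in an affected range"
        note = " (EOL: will not receive a patch)" if result["eol_no_patch"] else ""
        print(f"{host:12} {product:15} {version:10} {status}{note}")
```

A version outside every range only means the appliance is not listed as affected; it says nothing about whether the appliance was compromised before it was upgraded, which is what the ICT checks are for.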

Solution

Ivanti Connect Secure

  1. Clean ICT Scan:

    • Upgrade to Ivanti Connect Secure 22.7R2.5.
    • Closely monitor internal and external ICT in conjunction with other security tools.
    • A factory reset is recommended before deploying version 22.7R2.5 in production for additional assurance.
  2. Compromised ICT Result:

    • Perform a factory reset to remove any potential malware.
    • Deploy version 22.7R2.5 and continue monitoring ICT results and network traffic.

Ivanti Policy Secure

  • Ivanti Policy Secure is generally not intended to be internet-facing, which reduces the risk of exploitation.
  • A fix is scheduled for release on January 21, 2025, and will be available on the Download Portal.
  • Ensure that IPS appliances are configured following Ivanti's guidelines and are not exposed to the internet.

Ivanti Neurons for ZTA Gateways

  • The ZTA gateways are not exploitable in production environments.
  • Exploitation risk arises only if a gateway is generated and left unconnected to a ZTA controller.
  • A patch is planned for release on January 21, 2025.

Important Note: Integrity Checker Tool Update

As of January 10, 2025, Ivanti released a new version of the Integrity Checker Tool (ICT), version ICT-V22725 (build 3819), compatible with all R2 versions of 22.X. This version resolves limitations found in the previous tool.


Frequently Asked Questions (FAQ)

1. Are there any active exploitations of these vulnerabilities?

Yes, a limited number of customers have been affected by CVE-2025-0282.

2. How can I detect if my system has been compromised?

Exploitation can be detected using the Integrity Checker Tool (ICT). Customers should continuously monitor ICT results alongside other monitoring solutions. If suspicious activity is detected, contact Ivanti Support.

Note: ICT results are a snapshot and may not detect activity if threat actors have reverted the appliance to a clean state.

3. Are these CVEs being chained in an exploit?

No, there is no indication that CVE-2025-0283 is being exploited or chained with CVE-2025-0282. The patch includes fixes for both vulnerabilities as a precaution.

4. How can I get help?

If you need further assistance, open a ticket or request a call via the Ivanti Success Portal.

5. What versions are impacted?

Refer to the Affected Versions section above for details. Note that the 9.x line of code reached End of Life on December 31, 2024, and will not receive patches for CVE-2025-0283.

6. How should we handle snapshots containing multiple files?

Refer to the updated guide on interpreting ICT output. If further analysis is needed, contact Ivanti Support through the Success Portal.

7. Are there any additional Indicators of Compromise (IoCs)?

Customers can refer to Mandiant's blog for detailed findings related to the coordinated investigation.


Acknowledgements

Ivanti would like to thank its customers, partners, and the broader security community for their collaboration and support. Special thanks to Mandiant and MSTIC for assisting in the detection and response efforts.

We are committed to maintaining the highest security standards and encourage responsible disclosure of vulnerabilities. For more information, visit our Vulnerability Disclosure Policy.