CVE-2025-0282
CVE-2025-0282 is a critical-severity vulnerability in Ivanti Connect Secure with a CVSS 3.x base score of 9.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-01-08). The underlying weakness is classified as CWE-787.
Key facts
- Severity: Critical (CVSS 3.x base score 9.0)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2025-01-08)
- EU (EUVD) id: EUVD-2025-1580
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2025-01-08)
- Weakness: CWE-787
- Affected product: Ivanti Connect Secure
- Published:
- Last modified:
Description
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
CVE-2025-0282: Ivanti Connect Secure Stack-Based Buffer Overflow Enables Critical Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2025-0282 |
| Published | 2025-01-08 |
| Severity | CVSS 3.1: 9.0 (Critical) |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-787 — Out-of-bounds Write |
| EPSS | 0.99971 (99.98th percentile) |
| CISA KEV | Listed (2025-01-08) |
| EU Exploited | Yes (EUVD-2025-1580) |
| Affected | Ivanti Connect Secure < 22.7R2.5, Policy Secure < 22.7R1.2, Neurons for ZTA < 22.7R2.3 |
Summary
CVE-2025-0282 is a stack-based buffer overflow in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways. A remote unauthenticated attacker can exploit this vulnerability to achieve remote code execution. The vulnerability carries a CVSS 3.1 score of 9.0 (Critical) and has been actively exploited in the wild, as confirmed by both CISA's Known Exploited Vulnerabilities catalog and the EU's EUVD-2025-1580 entry.
Background
Ivanti Connect Secure (formerly Pulse Secure) is a widely deployed SSL VPN appliance used by enterprises and government agencies to provide secure remote access. Ivanti Policy Secure provides network access control, and Ivanti Neurons for Zero Trust Access (ZTA) extends these capabilities to cloud-native gateways. Due to their position at the network perimeter, these appliances are high-value targets for nation-state and ransomware actors.
Root Cause
CWE-787: Out-of-bounds Write (Stack-Based Buffer Overflow)
The vulnerability stems from a stack-based buffer overflow condition in the affected appliances. Buffer overflows occur when a program writes data beyond the allocated boundaries of a fixed-length buffer on the stack. In this case, insufficient input validation on network-facing request handling allows an attacker to overwrite adjacent memory, including saved return addresses and control structures. By carefully crafting input, an attacker can redirect execution to attacker-controlled code, leading to remote code execution without requiring authentication. The high attack complexity (AC:H) suggests the exploit requires a degree of precision, but the absence of required privileges or user interaction makes it achievable by any network-facing adversary.
Impact
The CVSS 3.1 vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H describes the impact:
- Attack Vector (Network): The vulnerability is exploitable over the network with no local access required.
- Privileges Required (None): No authentication is necessary.
- User Interaction (None): No user action is needed.
- Scope (Changed): A compromised component can impact resources beyond its own security scope.
- Confidentiality, Integrity, Availability (High): Successful exploitation grants full read/write access to the system and can disrupt service availability.
Given the EPSS score of 0.99971 (99.98th percentile), the probability of exploitation in the wild is statistically near-certain. This aligns with confirmed in-the-wild exploitation reported by CISA and the EU vulnerability disclosure program.
Exploitation Walkthrough
Ethics Notice: This section describes the defensive understanding of exploitation techniques at a high level. No working exploit code or step-by-step attack instructions are provided. Security researchers and defenders should use this knowledge to build detection and hardening strategies.
Exploitation of this vulnerability typically follows a pattern where an attacker sends a malformed request to a vulnerable endpoint, causing an oversized write to a fixed stack buffer. The overwrite corrupts the return address or function pointer, diverting control flow. Once code execution is achieved, attackers have been observed deploying webshells, modifying authentication logic, and establishing persistent backdoors. The high attack complexity rating suggests the exploit may involve bypassing stack canaries, ASLR, or other mitigation mechanisms, but the vulnerability is nonetheless reliably exploitable as demonstrated by public proof-of-concept research and confirmed active exploitation.
Affected and Patched Versions
| Product | Affected Versions | Patched Version |
|---|---|---|
| Ivanti Connect Secure | 22.7R2, 22.7R2.1, 22.7R2.2, 22.7R2.3, 22.7R2.4 | 22.7R2.5 |
| Ivanti Policy Secure | 22.7R1, 22.7R1.1, 22.7R1.2 | 22.7R1.2* |
| Ivanti Neurons for ZTA | 22.7R2, 22.7R2.2, 22.7R2.3 | 22.7R2.3* |
Note: The API data indicates affected versions before specific patch releases; if the patch version itself is confirmed clean, verify with the vendor advisory.
Remediation
- Immediate Patching: Upgrade to the fixed versions as soon as possible. Ivanti has released patched firmware for all affected product lines.
- Compensating Controls: If immediate patching is not possible, restrict network access to the management and user portals to trusted IP ranges. Disable unnecessary external-facing interfaces.
- Post-Compromise Assessment: Given confirmed active exploitation, assume compromise if the appliance was internet-facing and unpatched during the exposure window. Ivanti and CISA provide compromise indicators and forensic guidance.
- Credential Rotation: Reset all VPN credentials, administrative passwords, and session tokens after patching.
Detection
- Monitor for anomalous requests to appliance endpoints, especially oversized or malformed payloads targeting authentication or session handling paths.
- Review logs for unexpected process crashes, stack traces, or service restarts on the appliance.
- Hunt for unauthorized webshells, modified configuration files, or unexpected outbound connections from the appliance.
- Leverage CISA's published mitigation instructions and IOCs for CVE-2025-0282.
- Consider using the WatchTowr exploitation walkthrough reference to understand behavioral indicators without weaponizing the knowledge.
Assessment
CVE-2025-0282 is a textbook example of why perimeter appliances remain a critical risk surface. The combination of a 9.0 CVSS score, EPSS near 1.0, and confirmed KEV/EUVD listing means this vulnerability demands immediate, unambiguous action. The high attack complexity rating is a cold comfort: adversaries have already demonstrated reliable exploitation.
Lessons:
- Perimeter appliances are not exempt from memory-safety defects. VPN and NAC gateways must undergo the same rigorous code review and fuzzing as other critical software.
- Confirmed exploitation should override CVSS nuance. Even with AC:H, a KEV listing and EPSS > 0.99 should trigger emergency patching protocols.
References
- https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283
- https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day
- https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282
- https://github.com/sfewer-r7/CVE-2025-0282
- https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-2025-0282/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0282
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-0282
Frequently asked questions
- What is CVE-2025-0282?
- A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
- How severe is CVE-2025-0282?
- CVE-2025-0282 has a CVSS 3.x base score of 9.0, rated critical severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-0282 being actively exploited?
- Yes. CVE-2025-0282 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-01-08, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2025-0282?
- CVE-2025-0282 primarily affects Ivanti Connect Secure. In total, 11 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2025-0282?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2025-0282 have an EU (EUVD) identifier?
- Yes. CVE-2025-0282 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-1580. It is also flagged as exploited in the EUVD (since 2025-01-08).
- When was CVE-2025-0282 published?
- CVE-2025-0282 was published on 2025-01-08 and last updated on 2026-06-17.
References
- https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283
- https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day
- https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282
- https://github.com/sfewer-r7/CVE-2025-0282
- https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-2025-0282/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0282
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-0282
Affected products (11)
- cpe:2.3:a:ivanti:connect_secure:22.7:r2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.7:r2.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.7:r2.2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.7:r2.3:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.7:r2.4:*:*:*:*:*:*
- cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r2.2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r2.3:*:*:*:*:*:*
- cpe:2.3:a:ivanti:policy_secure:22.7:r1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:policy_secure:22.7:r1.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*:*:*
More vulnerabilities in Ivanti Connect Secure
- CVE-2021-22893 — Critical (CVSS 10.0): Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the…
- CVE-2019-11510 — Critical (CVSS 10.0): In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an…
- CVE-2016-4787 — Critical (CVSS 10.0): Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote…
- CVE-2025-22467 — Critical (CVSS 9.9): A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker…
- CVE-2024-21894 — Critical (CVSS 9.8): A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows…
- CVE-2018-20813 — Critical (CVSS 9.8): An input validation issue has been found with login_meeting.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R2.
All CVEs affecting Ivanti Connect Secure →
Other CWE-787 (Out-of-bounds Write) vulnerabilities
- CVE-2026-42369 — Critical (CVSS 10.0): GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other…
- CVE-2026-4746 — Critical (CVSS 10.0): Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is…
- CVE-2025-43300 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS…
- CVE-2025-24201 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in…
- CVE-2024-42479 — Critical (CVSS 10.0): llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause…
- CVE-2024-39791 — Critical (CVSS 10.0): Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge…