
The BSI warns of critical vulnerabilities in the Ivanti products Connect Secure (ICS), Policy Secure and ZTA Gateway. The manufacturer has published a corresponding security advisory, which includes a critical vulnerability with a CVSS score of 9.0 out of 10.
At the beginning of January 2025, the manufacturer Ivanti published an advisory on critical vulnerabilities in its products Ivanti Connect Secure (ICS), Policy Secure and ZTA Gateway. The security vulnerability CVE-2025-0282 is particularly serious, allowing an unauthenticated, remote attacker to execute arbitrary code on the affected systems. This vulnerability is a stack-based buffer overflow (CWE-121) and is classified as "critical" with a CVSS score of 9.0.
Affected Ivanti product versions
- Ivanti Connect Secure: Version 22.7R2 up to and including 22.7R2.4
- Ivanti Policy Secure: Version 22.7R1 up to and including 22.7R1.2
- Ivanti Neurons for ZTA Gateways: Version 22.7R2 up to and including 22.7R2.3
According to Ivanti, targeted attacks on a limited number of ICS customers have already been observed. The IT security company Mandiant reports the first compromises since mid-December 2024. In addition, the vulnerability CVE-2025-0283 with a CVSS score of 7.0 ("high") was identified, which could be exploited by a locally authenticated attacker to escalate privileges. However, there is no evidence of active exploitation of this second vulnerability so far.
BSI's situation assessment
The Federal Office for Information Security (BSI) also warns: VPN solutions such as Ivanti Connect Secure serve as central entry points into internal networks and are therefore often the target of cyber attacks. Although only isolated attacks have been detected so far, the severity of the CVE-2025-0282 vulnerability means that it can be expected to be exploited on a large scale in the short term. The attacks observed indicate a professional group of perpetrators who use sophisticated techniques to conceal their activities. The Federal Office for Information Security (BSI) therefore classifies the current IT threat situation as "business critical" (level 3 / orange).
The BSI calls on IT security managers to take the following steps immediately:
- Compromise check: Responsible parties should use the Integrity Checker Tool (ICT) provided by Ivanti to identify signs of exploitation of CVE-2025-0282.
- Reset appliances: Even if scan results are normal, Ivanti recommends preemptively resetting affected appliances to factory defaults to remove potential backdoors.
- Carefully monitor all internal and external systems for any abnormalities that could indicate a compromise.
- Update Ivanti Connect Secure to the hardened version 22.7R2.5, which fixes the critical vulnerability.
- According to Ivanti, patches for Ivanti Policy Secure and Ivanti Neurons for ZTA Gateways will be available starting January 21, 2025.
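As an added example (not code from the BSI or Ivanti), the following Python script triages an appliance inventory against the affected version ranges and the fixed release listed above. The product keys, hostnames and inventory rows are constructed for illustration, and a version outside the listed ranges is reported as "not-listed", not as safe.

```python
import re

# Inclusive affected ranges as listed on this page; keys are hypothetical labels.
AFFECTED = {
    "connect-secure": ("22.7R2", "22.7R2.4"),
    "policy-secure": ("22.7R1", "22.7R1.2"),
    "zta-gateway": ("22.7R2", "22.7R2.3"),
}
FIX_STEP = {"connect-secure": "update to 22.7R2.5"}  # only fix named on the page
PENDING = "apply the patch announced for January 21, 2025"
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """'22.7R2.4' -> (22, 7, 2, 4); a missing patch level counts as 0."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(product, version):
    """Return 'affected', 'not-listed' or 'unknown' for one appliance."""
    try:
        low, high = (parse_version(v) for v in AFFECTED[product])
        current = parse_version(version)
    except (KeyError, ValueError):
        return "unknown"  # never guess: these rows need a manual check
    return "affected" if low <= current <= high else "not-listed"

def report(inventory):  # rows of (host, product, version)
    rows = []
    for host, product, version in inventory:
        status = triage(product, version)
        if status == "affected":
            step = "run ICT, factory reset, " + FIX_STEP.get(product, PENDING)
        elif status == "unknown":
            step = "verify product and version manually"
        else:
            step = "outside the listed ranges; keep monitoring"
        rows.append((host, status, step))
    return rows

# Constructed sample inventory; hostnames and rows are not from the page.
SAMPLE = [
    ("vpn1.example.org", "connect-secure", "22.7R2.4"),
    ("vpn2.example.org", "connect-secure", "22.7R2.5"),
    ("nac1.example.org", "policy-secure", "22.7R1"),
    ("zta1.example.org", "zta-gateway", "unknown-build"),
]
for row in report(SAMPLE):
    print(*row, sep="\t")
```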
About the Federal Office for Information Security (BSI)
The Federal Office for Information Security (BSI) is the federal cyber security authority and the creator of secure digitization in Germany. The guiding principle: As the federal cyber security authority, the BSI designs information security in digitization through prevention, detection and reaction for the state, economy and society.