CVE-2025-0282

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 08 January 2025
Modified: 24 October 2025
KEV Added: 08 January 2025
Patch: available (see vendor advisory)
CVSS v3.1 score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.9413 (99.9th percentile)
Risk Priority: 94 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0282 is a critical-severity stack-based buffer overflow (CWE-121) vulnerability in Ivanti Connect Secure. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A stack-based buffer overflow vulnerability, also referenced under CWE-121 and CWE-787, affects Ivanti Connect Secure prior to version 22.7R2.5, Ivanti Policy Secure prior to 22.7R1.2, and Ivanti Neurons for ZTA gateways prior to 22.7R2.3. The flaw carries a CVSS 3.1 score of 9.0 and permits remote code execution when successfully triggered.

An unauthenticated remote attacker can exploit the issue over the network by sending crafted input that overflows the stack buffer, leading to arbitrary code execution with high impact on confidentiality, integrity, and availability. Attack complexity is rated high; no privileges or user interaction are required, and the changed scope (S:C) indicates that the impact can extend beyond the vulnerable component.

Ivanti’s security advisory directs customers to upgrade to the fixed releases listed above, while CISA has published mitigation instructions for organizations unable to patch immediately. Public references include a Google threat intelligence report on observed activity, a CISA advisory page, and technical walkthroughs with proof-of-concept code.

The associated EPSS score has reached a peak of 0.9418 with a current value of 0.9413, indicating sustained and substantial exploitation interest following disclosure.

Vulnerability details

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote unauthenticated RCE on a public-facing Ivanti VPN/gateway appliance maps to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0283: same product (Ivanti Connect Secure)
CVE-2024-10644: same product (Ivanti Connect Secure)
CVE-2025-55147: same product (Ivanti Connect Secure)
CVE-2025-22467: same product (Ivanti Connect Secure)
CVE-2025-55145: same product (Ivanti Connect Secure)
CVE-2025-55141: same product (Ivanti Connect Secure)
CVE-2025-55142: same product (Ivanti Connect Secure)
CVE-2026-1340: same vendor (Ivanti); both on KEV
CVE-2026-3055: same product class (VPN / SSL gateway); both on KEV
CVE-2024-55591: same product class (VPN / SSL gateway); both on KEV

Affected Assets

ivanti · connect secure · 22.7
ivanti · neurons for zero-trust access · 22.7
ivanti · policy secure · 22.7

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and correction of software flaws such as this stack-based buffer overflow through vendor patches.

SI-16 Memory Protection (prevent)

Implements memory protection mechanisms like stack canaries, ASLR, and DEP to block exploitation of stack-based buffer overflows leading to RCE.

SI-10 Information Input Validation (prevent)

Mandates validation of information inputs for length and format to mitigate buffer overflows from crafted unauthenticated remote payloads.