CVE-2025-0282 CRITICAL

Vendor: Ivanti
Product: Connect Secure
Weakness: CWE-121
KEV Status: Known Exploited
Ransomware: Used in campaigns
Published: January 8, 2025
Last update: October 21, 2025

CVSS base score

9.0/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.

CISA-mandated remediation

02 CISA Required Action

Apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.

Key dates

03 Disclosure timeline

January 8, 2025: CVE published
October 21, 2025: Record updated