Ivanti has released a critical security advisory addressing several medium-severity vulnerabilities in its flagship products, Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS).
The vulnerabilities, identified by multiple CVEs, affect versions of ICS before 22.7R2.8 and IPS before 22.7R1.5.
According to Ivanti, there is no evidence of active exploitation in the wild at the time of disclosure.
Administrators are strongly urged to update to the latest versions—ICS 22.7R2.8 and IPS 22.7R1.5—available through the official Ivanti download portal.
The fixes are not backported to legacy 9.x versions, which have reached end-of-support as of December 31, 2024.
Vulnerabilities and Impact
The advisory details six distinct vulnerabilities, each with unique technical characteristics and potential impact:
| CVE Number | Description | CVSS Score | CWE |
|---|---|---|---|
| CVE-2025-5450 | Improper access control in certificate management; allows read-only admins to modify restricted settings. | 6.3 | CWE-602 |
| CVE-2025-5451 | Stack-based buffer overflow; enables denial of service by remote authenticated admins. | 4.9 | CWE-121 |
| CVE-2025-5463 | Insertion of sensitive info into logs; local attackers may access confidential data. | 5.5 | CWE-532 |
| CVE-2025-5464 | Similar log file info leak, specific to ICS. | 6.5 | CWE-532 |
| CVE-2025-0293 | CLRF injection; allows remote admin to write to protected config files. | 6.6 | CWE-93 |
| CVE-2025-0292 | Server-Side Request Forgery (SSRF); remote admin can access internal network services. | 5.5 | CWE-918 |
Technical Terms Explained:
- CVE (Common Vulnerabilities and Exposures): Standardized identifier for publicly known cybersecurity vulnerabilities.
- CWE (Common Weakness Enumeration): Categorizes software weaknesses, such as CWE-121 (Stack-based Buffer Overflow).
- CVSS (Common Vulnerability Scoring System): Rates the severity of vulnerabilities; scores here range from 4.9 to 6.6 (medium).
Example of CVSS Vector (for CVE-2025-5450):
textCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
This indicates a network attack vector, low attack complexity, and limited impact on confidentiality, integrity, and availability.
Patch Guidance and Product Lifecycle
Affected Versions:
- Ivanti Connect Secure: 22.7R2.7 and prior
- Ivanti Policy Secure: 22.7R1.4 and prior
Resolved Versions:
- ICS: 22.7R2.8
- IPS: 22.7R1.5
Customers are strongly encouraged to upgrade to the latest supported versions to maintain protection against these vulnerabilities.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant updates
%20(1).webp?w=1200&resize=1200,0&ssl=1&description=The vulnerabilities, identified by multiple CVEs, affect versions of ICS before 22.7R2.8 and IPS before 22.7R1.5. According to Ivanti,){kind=link}