These updates address multiple medium-severity vulnerabilities in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS). As of the disclosure date, Ivanti is not aware of any customers having been exploited through these vulnerabilities.
The flaws span several components of ICS and IPS and carry CVSS scores from 4.9 to 6.6, all rated Medium. Below is a breakdown of the vulnerabilities patched in the latest release:
| CVE Number | Description | CVSS Score | CWE |
|---|---|---|---|
| CVE-2025-5450 | Improper access control in certificate management lets a read-only admin modify restricted settings. | 6.3 (Medium) | CWE-602 |
| CVE-2025-5451 | Stack-based buffer overflow that lets an authenticated admin cause a denial of service. | 4.9 (Medium) | CWE-121 |
| CVE-2025-5463 | Insertion of sensitive information into log files, readable by a local authenticated attacker. | 5.5 (Medium) | CWE-532 |
| CVE-2025-5464 | A second sensitive-information-in-log-file issue in ICS, rated higher because of its broader impact. | 6.5 (Medium) | CWE-532 |
| CVE-2025-0293 | CRLF injection that lets an authenticated admin write to protected configuration files. | 6.6 (Medium) | CWE-93 |
| CVE-2025-0292 | Server-Side Request Forgery (SSRF) that lets an authenticated admin reach internal network services. | 5.5 (Medium) | CWE-918 |
These vulnerabilities affect versions prior to 22.7R2.8 for Ivanti Connect Secure and 22.7R1.5 for Ivanti Policy Secure. The issues were either discovered internally or reported through Ivanti’s responsible disclosure program.
Ivanti has urged users to update to the latest versions to mitigate risks. The affected and resolved versions are as follows:
| Product Name | Affected Version(s) | Resolved Version | Patch Availability |
|---|---|---|---|
| Ivanti Connect Secure (ICS) | 22.7R2.7 and prior | 22.7R2.8 | Download Portal |
| Ivanti Policy Secure (IPS) | 22.7R1.4 and prior | 22.7R1.5 | Download Portal |
Users can obtain the patches from Ivanti's download portal, which requires a customer login.
Ivanti has emphasized that there is no evidence of active exploitation of these vulnerabilities at the time of public disclosure. For customers concerned about potential compromise, Ivanti notes that no specific indicators of compromise are currently available due to the lack of known public exploits.
For additional support, Ivanti directs users to the Success Portal, where they can log cases or request assistance. Importantly, cloud-based solutions such as Ivanti Neurons for ZTA and Ivanti Neurons for Secure Access are not affected by these vulnerabilities.
Additionally, Ivanti has clarified that no fixes will be backported to the older 9.x versions of Pulse Connect Secure, which reached end-of-support on December 31, 2024. Customers on these versions are strongly advised to upgrade to the latest ICS releases to benefit from ongoing security enhancements.
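One practical use of the version table and the end-of-support note above is to triage an appliance inventory. The following is an added example, not Ivanti's own tooling: it parses Ivanti-style release strings (major.minor, an "R" release number, an optional patch number), compares each appliance against the resolved versions from the advisory, flags 9.x installs as end-of-support rather than patchable, and treats the two Neurons cloud products as not affected. The hostnames and the inventory are constructed for illustration; applying the 9.x end-of-support rule to both ICS and IPS is an assumption, since the advisory text only names Pulse Connect Secure 9.x.

```python
import re

# Ivanti release strings look like "22.7R2.7": major.minor, an "R" release
# number, then a patch number that is sometimes omitted ("22.7R2" -> patch 0).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")

# Resolved versions taken from the advisory table.
FIXED_VERSIONS = {
    "ICS": "22.7R2.8",   # Ivanti Connect Secure
    "IPS": "22.7R1.5",   # Ivanti Policy Secure
}

# Products the advisory states are not affected.
NOT_AFFECTED = {"Ivanti Neurons for ZTA", "Ivanti Neurons for Secure Access"}


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn "22.7R2.7" into (22, 7, 2, 7) so versions compare as plain tuples."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(product: str, version: str) -> str:
    """Classify one appliance: patched / vulnerable / end_of_support / not_affected."""
    if product in NOT_AFFECTED:
        return "not_affected"
    if product not in FIXED_VERSIONS:
        raise ValueError(f"no advisory data for product {product!r}")
    installed = parse_version(version)
    # 9.x reached end-of-support on 2024-12-31 and gets no backported fix, so the
    # only remediation is a migration to 22.7 (assumption: rule applied to IPS too).
    if installed[0] == 9:
        return "end_of_support"
    return "patched" if installed >= parse_version(FIXED_VERSIONS[product]) else "vulnerable"


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "vpn-edge-01", "product": "ICS", "version": "22.7R2.7"},
    {"host": "vpn-edge-02", "product": "ICS", "version": "22.7R2.8"},
    {"host": "nac-core-01", "product": "IPS", "version": "22.7R1.4"},
    {"host": "vpn-legacy",  "product": "ICS", "version": "9.1R18.9"},
    {"host": "zta-tenant",  "product": "Ivanti Neurons for ZTA", "version": "n/a"},
]


def triage(inventory=SAMPLE_INVENTORY) -> dict[str, list[str]]:
    """Group hosts by status; 'vulnerable' and 'end_of_support' both need action."""
    report: dict[str, list[str]] = {}
    for item in inventory:
        status = assess(item["product"], item["version"])
        report.setdefault(status, []).append(item["host"])
    return report


if __name__ == "__main__":
    for status, hosts in sorted(triage().items()):
        print(f"{status:15s} {', '.join(hosts)}")
```

Because the comparison is a tuple comparison, any later release (for example a hypothetical 22.8R1) is reported as patched; if your fleet reports versions in a different format (build numbers, or strings without the "R"), extend `_VERSION_RE` rather than relaxing it, so an unparseable string fails loudly instead of being silently marked safe.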
This security update underscores the need to keep appliance software current. The medium-severity ratings reflect that every issue in the table requires authenticated access (an admin account, or a local user for the log-file issues), which limits exposure from the open internet; it also means that compromised or over-privileged admin credentials turn these flaws into post-authentication footholds for unauthorized configuration changes, data exposure, and service disruption.
Ivanti's handling of these issues, through internal discovery and its responsible disclosure program, is a reasonable example of vendor accountability.
Organizations running Ivanti Connect Secure or Policy Secure should prioritize deploying 22.7R2.8 and 22.7R1.5 respectively, and those still on 9.x should plan a migration, since no fix will be backported. Adhering to recommended update cycles remains a cornerstone of robust IT security practice.
The post Ivanti Security Update: Patch for Multiple Vulnerabilities in Connect and Policy Secure appeared first on Cyber Security News.