Ivanti Flaws in Connect Secure, Policy Secure, and ZTA Allow DoS Exploits

Ivanti has disclosed four security vulnerabilities affecting its Connect Secure, Policy Secure, and ZTA Gateway products, releasing patches to address issues ranging from medium to high severity.

The company reports no known active exploitation of these vulnerabilities at the time of public disclosure, with fixes deployed across cloud environments beginning August 2, 2025.

Multiple High-Severity Vulnerabilities Discovered

The security advisory reveals four distinct Common Vulnerabilities and Exposures (CVEs) affecting Ivanti’s secure access infrastructure.

CVE-2025-5456, scoring 7.5 on the Common Vulnerability Scoring System (CVSS), is a buffer over-read vulnerability classified under CWE-125 that enables remote unauthenticated attackers to trigger denial of service conditions.

The vulnerability affects Ivanti Connect Secure versions before 22.7R2.8 or 22.8R2, along with Policy Secure, ZTA Gateway, and Neurons for Secure Access products.

Equally severe is CVE-2025-5462, another high-severity flaw with a CVSS score of 7.5, involving a heap-based buffer overflow.

This weakness, categorized under CWE-122 and CWE-476, allows remote unauthenticated attackers to cause denial of service across the same product range.

The vulnerability’s attack vector requires no user interaction and can be exploited over the network with low attack complexity.

The advisory also identifies CVE-2025-5466, a medium-severity XML External Entity (XXE) vulnerability scoring 4.9 on CVSS.

This flaw, classified as CWE-776, requires administrative privileges but enables authenticated attackers to trigger denial of service conditions.

Additionally, CVE-2025-5468 involves improper symbolic link handling, a weakness classified as CWE-61, which allows local authenticated attackers to read arbitrary files.

Comprehensive Patching Strategy Deployed

Ivanti has implemented a coordinated response across its product ecosystem, with specific version updates addressing each affected platform.

Connect Secure users must upgrade to version 22.7R2.8 or 22.8R2, while Policy Secure requires updating to 22.7R1.5. ZTA Gateway deployments need version 22.8R2.3-723, available through controller downloads since August 2, 2025.

For cloud-based Neurons for Secure Access customers, Ivanti automatically deployed fixes on August 2, requiring no additional customer action.

The company emphasizes following Security Configuration Best Practices, particularly restricting admin portal internet exposure to mitigate CVE-2025-5466 risks.

Notably, these vulnerabilities do not affect legacy Pulse Connect Secure 9.x versions, which reached end-of-support status on December 31, 2024, highlighting the importance of migrating to supported platforms for continued security updates.
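
A fleet check against the fixed releases listed above, as an added example (not Ivanti tooling and not code from the original article). The host names and inventory are constructed, and the comparison rules are assumptions: versions are compared within a release train (major.minor), and 22.x trains older than every fixed train are treated as unpatched.

```python
import re

# Fixed releases as listed in the article, one per release train (major.minor).
FIXED = {
    "Connect Secure": ["22.7R2.8", "22.8R2"],
    "Policy Secure": ["22.7R1.5"],
    "ZTA Gateway": ["22.8R2.3-723"],
}
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?(?:-(\d+))?$")

def parse_version(text):
    """'22.8R2.3-723' -> (22, 8, 2, 3, 723); a missing patch or build is 0."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())

def assess(product, version):
    """Return 'patched', 'vulnerable', 'legacy-unaffected' or 'unknown'."""
    fixes = [parse_version(v) for v in FIXED.get(product, [])]
    try:
        current = parse_version(version)
    except ValueError:
        return "unknown"
    if not fixes:
        return "unknown"
    if current[0] < 22:
        # The article names only Pulse Connect Secure 9.x (end of support) as unaffected.
        legacy = product == "Connect Secure" and current[0] == 9
        return "legacy-unaffected" if legacy else "unknown"
    same_train = [f for f in fixes if f[:2] == current[:2]]
    if same_train:
        return "patched" if current >= same_train[0] else "vulnerable"
    # Assumption: a 22.x train older than every fixed train has no fix of its own.
    if current[:2] < min(f[:2] for f in fixes):
        return "vulnerable"
    return "unknown"  # newer train than the article covers: check the advisory

# Constructed inventory: (hostname, product, reported version).
INVENTORY = [
    ("vpn-edge-01", "Connect Secure", "22.7R2.7"),
    ("nac-01", "Policy Secure", "22.7R1.4"),
    ("zta-gw-01", "ZTA Gateway", "22.8R2.3-723"),
    ("vpn-old-01", "Connect Secure", "9.1R18"),
]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        print(f"{host:12} {product:15} {version:14} {assess(product, version)}")
```

Anything reported as "unknown" or "legacy-unaffected" still needs manual review: the former is outside what the article covers, the latter is past end of support.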

The post Ivanti Flaws in Connect Secure, Policy Secure, and ZTA Allow DoS Exploits appeared first on Cyber Security News.

rssfeeds-admin
