
Ivanti Flaws in Connect Secure, Policy Secure, and ZTA Allow DoS Exploits

Ivanti has disclosed four security vulnerabilities affecting its Connect Secure, Policy Secure, and ZTA Gateway products, releasing patches to address issues ranging from medium to high severity.

The company reports no known active exploitation of these vulnerabilities at the time of public disclosure, with fixes deployed across cloud environments beginning August 2, 2025.

Multiple High-Severity Vulnerabilities Discovered

The security advisory reveals four distinct Common Vulnerabilities and Exposures (CVEs) affecting Ivanti’s secure access infrastructure.

CVE-2025-5456, scoring 7.5 on the Common Vulnerability Scoring System (CVSS), represents a buffer over-read vulnerability classified under CWE-125 that enables remote unauthenticated attackers to trigger denial of service conditions.

The vulnerability affects Ivanti Connect Secure versions before 22.7R2.8 or 22.8R2, along with Policy Secure, ZTA Gateway, and Neurons for Secure Access products.

Equally severe is CVE-2025-5462, another high-severity flaw with a CVSS score of 7.5, this time a heap-based buffer overflow.

This weakness, categorized under CWE-122 and CWE-476, allows remote unauthenticated attackers to cause denial of service across the same product range.

The vulnerability requires no user interaction and can be exploited over the network with low attack complexity.

The advisory also identifies CVE-2025-5466, a medium-severity XML External Entity (XXE) vulnerability scoring 4.9 on CVSS.

This flaw, classified as CWE-776, requires administrative privileges but enables authenticated attackers to trigger denial of service conditions.

Additionally, CVE-2025-5468 involves improper symbolic link handling (CWE-61), allowing local authenticated attackers to read arbitrary files.

Comprehensive Patching Strategy Deployed

Ivanti has implemented a coordinated response across its product ecosystem, with specific version updates addressing each affected platform.

Connect Secure users must upgrade to version 22.7R2.8 or 22.8R2, while Policy Secure requires updating to 22.7R1.5. ZTA Gateway deployments need version 22.8R2.3-723, available through controller downloads since August 2, 2025.

For cloud-based Neurons for Secure Access customers, Ivanti automatically deployed fixes on August 2, requiring no additional customer action.

The company emphasizes following Security Configuration Best Practices, particularly restricting admin portal internet exposure to mitigate CVE-2025-5466 risks.

Notably, these vulnerabilities do not affect legacy Pulse Connect Secure 9.x versions, which reached end-of-support status on December 31, 2024, highlighting the importance of migrating to supported platforms for continued security updates.
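For teams checking an appliance inventory against the fixed releases listed above, the following added example (not from Ivanti or the original article) compares version strings per release branch. The product keys, the assumed version-string layout, and the sample hosts are constructed for illustration; any branch the article gives no fixed release for, including legacy 9.x, is flagged for manual review against the vendor advisory.

```python
import re

# Fixed releases named in the article; product keys are labels made up here.
FIXED = {
    "connect-secure": {"22.7": "22.7R2.8", "22.8": "22.8R2"},
    "policy-secure": {"22.7": "22.7R1.5"},
    "zta-gateway": {"22.8": "22.8R2.3-723"},
}
# Assumed string layout: <major>.<minor>R<release>[.<patch>][-<build>]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?(?:-(\d+))?$")

def parse(version):
    """Turn '22.8R2.3-723' into a comparable tuple (22, 8, 2, 3, 723)."""
    match = VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part or 0) for part in match.groups())

def status(product, version):
    """Return 'patched', 'vulnerable' or 'needs-review' for one appliance."""
    parsed = parse(version)
    fixed = FIXED.get(product, {}).get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return "needs-review"  # no fixed release given for this branch
    # Assumption: within a branch, release, patch and build only increase.
    return "patched" if parsed >= parse(fixed) else "vulnerable"

def triage(inventory):
    """Map each host to its status; unparseable versions go to review."""
    report = {}
    for host, product, version in inventory:
        try:
            report[host] = status(product, version)
        except ValueError:
            report[host] = "needs-review"
    return report

# Constructed inventory: hostnames and installed versions are made up.
SAMPLE = [
    ("vpn-edge-1", "connect-secure", "22.7R2.7"),
    ("vpn-edge-2", "connect-secure", "22.8R2"),
    ("nac-1", "policy-secure", "22.7R1.5"),
    ("zta-gw-1", "zta-gateway", "22.8R2.3-700"),
    ("vpn-old", "connect-secure", "9.1R18"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```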


The post Ivanti Flaws in Connect Secure, Policy Secure, and ZTA Allow DoS Exploits appeared first on Cyber Security News.
