IT software provider Ivanti released patches Wednesday for its Connect Secure SSL VPN services to address two memory corruption flaws, one of which has already been exploited in the wild as a zero-day to compromise devices.
The exploited vulnerability, tracked as CVE-2025-0282, is a stack-based buffer overflow that is rated critical with a CVSS score of 9.0. The flaw can be exploited without authentication to achieve remote code execution, and it affects Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons on ZTA gateways.
The second vulnerability, CVE-2025-0283, is also a stack-based overflow that affects similar products but requires authentication to exploit and can only lead to an escalation of privilege. It is rated as high severity with a CVSS score of 7.0.