Ivanti warns critical RCE flaw in Connect Secure exploited as zero-day

IT software provider Ivanti released patches Wednesday for its Connect Secure SSL VPN appliances to address two memory corruption vulnerabilities, one of which has already been exploited in the wild as a zero-day to compromise devices.

The exploited vulnerability, tracked as CVE-2025-0282, is a stack-based buffer overflow rated as critical with a CVSS score of 9.0. The flaw can be exploited without authentication to achieve remote code execution and impacts Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways.

The second vulnerability, CVE-2025-0283, is also a stack-based buffer overflow impacting the same products but requires authentication to exploit and can only lead to privilege escalation. It’s rated as high severity with a CVSS score of 7.0.
