Severity
High
Analysis Summary
Ivanti has issued critical security updates for its Connect Secure, Policy Secure, and Zero Trust Access (ZTA) gateway products, addressing four vulnerabilities identified through internal security assessments and responsible disclosure programs. Two of these flaws, CVE-2025-5456 (buffer over-read) and CVE-2025-5462 (heap-based buffer overflow), are classified as high severity (CVSS high) and can be exploited remotely without authentication to cause denial-of-service (DoS) conditions. Both impact multiple Ivanti products, including Connect Secure versions prior to 22.7R2.8 or 22.8R2, Policy Secure before 22.7R1.5, ZTA Gateway before 22.8R2.3-723, and Neurons for Secure Access before 22.8R1.4. These network-based attacks are low in complexity yet have a high availability impact, making them a significant threat if left unpatched.
In addition to the high-severity issues, two medium-severity vulnerabilities were disclosed: CVE-2025-5466, an XML External Entity (XXE) vulnerability (CVSS medium) requiring administrative privileges, and CVE-2025-5468, an improper symbolic link handling flaw (CVSS medium) that could lead to local file disclosure. While these require more specific conditions to exploit, they still pose a security risk, especially in environments where administrative portals are exposed to the internet. Importantly, Ivanti confirmed there has been no evidence of active exploitation for any of the vulnerabilities prior to disclosure.
Patches are now available across all supported product lines. Ivanti Connect Secure users should upgrade to version 22.7R2.8 or 22.8R2, while Policy Secure customers must update to version 22.7R1.5. ZTA Gateway administrators can apply the patched 22.8R2.3-723 build via the controller interface, and Neurons for Secure Access cloud environments have already been updated automatically by Ivanti as of August 2, 2025. For on-premises deployments, updates must be performed manually. Customers running Pulse Connect Secure 9.x face heightened risk, as the product is no longer supported and will not receive security patches.
Ivanti strongly advises immediate patching, particularly for internet-facing administrative portals that could serve as entry points for remote attackers. The vulnerabilities, if left unaddressed, could be leveraged to disrupt critical network access services, impacting business continuity. By addressing these issues promptly, organizations can significantly reduce their exposure to DoS attacks, memory corruption exploits, and sensitive file disclosures. The company’s proactive detection and disclosure highlight the importance of continuous security monitoring, even in the absence of active threat activity.
Impact
- Buffer Overflow
- Gain Access
- Denial of Service
Indicators of Compromise
CVE
CVE-2025-5456
CVE-2025-5462
CVE-2025-5466
CVE-2025-5468
Affected Vendors
Remediation
- Refer to the Ivanti Security Advisory for patch, upgrade, or suggested workaround information.
- Ensure Neurons for Secure Access cloud instances are running 22.8R1.4 or later (already patched by Ivanti for cloud customers).
- Immediately patch internet-facing administrative portals to reduce attack exposure.
- Decommission or replace Pulse Connect Secure 9.x deployments, as they are end-of-life and no longer receive security updates.
- Conduct internal security reviews to detect any signs of attempted exploitation.
- Restrict administrative access to trusted networks only.
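One way to triage an appliance inventory against the fixed versions listed in this advisory, as an added example (not Ivanti's code and not part of the original advisory). The hostnames and inventory rows are constructed, and the assumption that version fields order numerically from left to right is this example's, not Ivanti's.

```python
import re

# Fixed releases as stated in the advisory text (ZTA build from the patch paragraph).
FIXED = {
    "Connect Secure": ["22.7R2.8", "22.8R2"],
    "Policy Secure": ["22.7R1.5"],
    "ZTA Gateway": ["22.8R2.3-723"],
    "Neurons for Secure Access": ["22.8R1.4"],
}

def parse(version):
    """'22.7R2.8' -> (22, 7, 2, 8, 0); '22.8R2.3-723' -> (22, 8, 2, 3, 723)."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    if not 2 <= len(nums) <= 5:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(nums + [0] * (5 - len(nums)))  # pad so tuples compare evenly

def triage(product, version):
    """Return 'patched', 'vulnerable', 'end-of-life' or 'unknown-product'."""
    v = parse(version)
    if product in ("Pulse Connect Secure", "Connect Secure") and v[0] == 9:
        return "end-of-life"  # 9.x is unsupported and receives no patches
    if product not in FIXED:
        return "unknown-product"
    fixes = [parse(f) for f in FIXED[product]]
    # Prefer the fix on the same release train (22.7 vs 22.8); with no fix
    # on that train, compare against the newest fixed release (assumption).
    same_train = [f for f in fixes if f[:2] == v[:2]]
    threshold = same_train[0] if same_train else max(fixes)
    return "patched" if v >= threshold else "vulnerable"

# Constructed inventory for illustration; hostnames and versions are made up.
INVENTORY = [
    ("vpn-edge-01", "Connect Secure", "22.7R2.7"),
    ("vpn-edge-02", "Connect Secure", "22.8R2"),
    ("nac-01", "Policy Secure", "22.7R1.4"),
    ("zta-gw-01", "ZTA Gateway", "22.8R2.3-723"),
    ("vpn-legacy", "Pulse Connect Secure", "9.1R18"),
]

def report(inventory=INVENTORY):
    return {host: triage(prod, ver) for host, prod, ver in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:12} {status}")
```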