CVE-2025-0283

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.

Weakness

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Affected Software

Name	Vendor	Start Version	End Version
Connect_secure	Ivanti	*	9.1 (excluding)
Connect_secure	Ivanti	22.2 (including)	22.7 (excluding)
Connect_secure	Ivanti	9.1 (including)	9.1 (including)
Connect_secure	Ivanti	9.1-r1 (including)	9.1-r1 (including)
Connect_secure	Ivanti	9.1-r1.0 (including)	9.1-r1.0 (including)
Connect_secure	Ivanti	9.1-r10 (including)	9.1-r10 (including)
Connect_secure	Ivanti	9.1-r10.0 (including)	9.1-r10.0 (including)
Connect_secure	Ivanti	9.1-r10.2 (including)	9.1-r10.2 (including)
Connect_secure	Ivanti	9.1-r11 (including)	9.1-r11 (including)
Connect_secure	Ivanti	9.1-r11.0 (including)	9.1-r11.0 (including)
Connect_secure	Ivanti	9.1-r11.1 (including)	9.1-r11.1 (including)
Connect_secure	Ivanti	9.1-r11.3 (including)	9.1-r11.3 (including)
Connect_secure	Ivanti	9.1-r11.4 (including)	9.1-r11.4 (including)
Connect_secure	Ivanti	9.1-r11.5 (including)	9.1-r11.5 (including)
Connect_secure	Ivanti	9.1-r12 (including)	9.1-r12 (including)
Connect_secure	Ivanti	9.1-r12.1 (including)	9.1-r12.1 (including)
Connect_secure	Ivanti	9.1-r12.2 (including)	9.1-r12.2 (including)
Connect_secure	Ivanti	9.1-r13 (including)	9.1-r13 (including)
Connect_secure	Ivanti	9.1-r13.1 (including)	9.1-r13.1 (including)
Connect_secure	Ivanti	9.1-r14 (including)	9.1-r14 (including)
Connect_secure	Ivanti	9.1-r14.4 (including)	9.1-r14.4 (including)
Connect_secure	Ivanti	9.1-r15 (including)	9.1-r15 (including)
Connect_secure	Ivanti	9.1-r15.2 (including)	9.1-r15.2 (including)
Connect_secure	Ivanti	9.1-r16 (including)	9.1-r16 (including)
Connect_secure	Ivanti	9.1-r16.1 (including)	9.1-r16.1 (including)
Connect_secure	Ivanti	9.1-r17 (including)	9.1-r17 (including)
Connect_secure	Ivanti	9.1-r17.1 (including)	9.1-r17.1 (including)
Connect_secure	Ivanti	9.1-r17.2 (including)	9.1-r17.2 (including)
Connect_secure	Ivanti	9.1-r18 (including)	9.1-r18 (including)
Connect_secure	Ivanti	9.1-r18.1 (including)	9.1-r18.1 (including)
Connect_secure	Ivanti	9.1-r18.2 (including)	9.1-r18.2 (including)
Connect_secure	Ivanti	9.1-r18.3 (including)	9.1-r18.3 (including)
Connect_secure	Ivanti	9.1-r18.7 (including)	9.1-r18.7 (including)
Connect_secure	Ivanti	9.1-r18.8 (including)	9.1-r18.8 (including)
Connect_secure	Ivanti	9.1-r18.9 (including)	9.1-r18.9 (including)
Connect_secure	Ivanti	9.1-r4.3 (including)	9.1-r4.3 (including)
Connect_secure	Ivanti	9.1-r8 (including)	9.1-r8 (including)
Connect_secure	Ivanti	21.9-r1 (including)	21.9-r1 (including)
Connect_secure	Ivanti	21.12-r1 (including)	21.12-r1 (including)
Connect_secure	Ivanti	22.1-r1 (including)	22.1-r1 (including)
Connect_secure	Ivanti	22.1-r6 (including)	22.1-r6 (including)
Connect_secure	Ivanti	22.7 (including)	22.7 (including)
Connect_secure	Ivanti	22.7-r1 (including)	22.7-r1 (including)
Connect_secure	Ivanti	22.7-r1.1 (including)	22.7-r1.1 (including)
Connect_secure	Ivanti	22.7-r1.2 (including)	22.7-r1.2 (including)
Connect_secure	Ivanti	22.7-r1.3 (including)	22.7-r1.3 (including)
Connect_secure	Ivanti	22.7-r1.4 (including)	22.7-r1.4 (including)
Connect_secure	Ivanti	22.7-r1.5 (including)	22.7-r1.5 (including)
Connect_secure	Ivanti	22.7-r2 (including)	22.7-r2 (including)
Connect_secure	Ivanti	22.7-r2.1 (including)	22.7-r2.1 (including)
Connect_secure	Ivanti	22.7-r2.2 (including)	22.7-r2.2 (including)
Connect_secure	Ivanti	22.7-r2.3 (including)	22.7-r2.3 (including)
Connect_secure	Ivanti	22.7-r2.4 (including)	22.7-r2.4 (including)
Neurons_for_zero-trust_access	Ivanti	- (including)	- (including)
Neurons_for_zero-trust_access	Ivanti	22.2-r1 (including)	22.2-r1 (including)
Neurons_for_zero-trust_access	Ivanti	22.2-r4 (including)	22.2-r4 (including)
Neurons_for_zero-trust_access	Ivanti	22.2-r5 (including)	22.2-r5 (including)
Neurons_for_zero-trust_access	Ivanti	22.3-r1 (including)	22.3-r1 (including)
Neurons_for_zero-trust_access	Ivanti	22.3-r4 (including)	22.3-r4 (including)
Neurons_for_zero-trust_access	Ivanti	22.4-r1 (including)	22.4-r1 (including)
Neurons_for_zero-trust_access	Ivanti	22.4-r3 (including)	22.4-r3 (including)
Neurons_for_zero-trust_access	Ivanti	22.5-r1 (including)	22.5-r1 (including)
Neurons_for_zero-trust_access	Ivanti	22.5-r1.2 (including)	22.5-r1.2 (including)
Neurons_for_zero-trust_access	Ivanti	22.6-r1 (including)	22.6-r1 (including)
Neurons_for_zero-trust_access	Ivanti	22.6-r1.2 (including)	22.6-r1.2 (including)
Neurons_for_zero-trust_access	Ivanti	22.6-r1.3 (including)	22.6-r1.3 (including)
Neurons_for_zero-trust_access	Ivanti	22.6-r1.5 (including)	22.6-r1.5 (including)
Neurons_for_zero-trust_access	Ivanti	22.6-r1.6 (including)	22.6-r1.6 (including)
Neurons_for_zero-trust_access	Ivanti	22.6-r1.7 (including)	22.6-r1.7 (including)
Neurons_for_zero-trust_access	Ivanti	22.7-r1 (including)	22.7-r1 (including)
Neurons_for_zero-trust_access	Ivanti	22.7-r1.2 (including)	22.7-r1.2 (including)
Neurons_for_zero-trust_access	Ivanti	22.7-r1.3 (including)	22.7-r1.3 (including)
Neurons_for_zero-trust_access	Ivanti	22.7-r1.4 (including)	22.7-r1.4 (including)
Neurons_for_zero-trust_access	Ivanti	22.7-r1.5 (including)	22.7-r1.5 (including)
Neurons_for_zero-trust_access	Ivanti	22.7-r1.6 (including)	22.7-r1.6 (including)
Neurons_for_zero-trust_access	Ivanti	22.7-r2 (including)	22.7-r2 (including)
Neurons_for_zero-trust_access	Ivanti	22.7-r2.2 (including)	22.7-r2.2 (including)
Neurons_for_zero-trust_access	Ivanti	22.7-r2.3 (including)	22.7-r2.3 (including)
Policy_secure	Ivanti	*	22.7 (excluding)
Policy_secure	Ivanti	22.7 (including)	22.7 (including)
Policy_secure	Ivanti	22.7-r1 (including)	22.7-r1 (including)
Policy_secure	Ivanti	22.7-r1.1 (including)	22.7-r1.1 (including)
Policy_secure	Ivanti	22.7-r1.2 (including)	22.7-r1.2 (including)

Potential Mitigations

Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Run or compile the software using features or extensions that randomly arrange the positions of a program’s executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as “rebasing” (for Windows) and “prelinking” (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].

References

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283

NVD	https://nvd.nist.gov/vuln/detail/CVE-2025-0283
CWE	https://cwe.mitre.org/data/definitions/121.html

Stack-based Buffer Overflow

Weakness

Affected Software

Potential Mitigations

References