Ivanti has published security updates for its Connect Secure (ICS), Policy Secure (IPS), and Secure Access Client (ISAC) products, addressing a range of vulnerabilities with severity levels from medium to critical. The company stated that no known exploits had been observed at the time of disclosure but urged users to install the updates without delay. The vulnerabilities were reported through Ivanti’s responsible disclosure programme, with contributions from security researchers at the Cybersecurity and Infrastructure Security Agency (CISA) , Akamai, and the HackerOne bug bounty platform. The flaws impact different components of Ivanti’s security products, with potential consequences including remote code execution, arbitrary file access, and privilege escalation.
Critical vulnerabilities identified
Among the most severe issues, CVE-2025-22467 is a stack-based buffer overflow in ICS, allowing a remote authenticated attacker to execute arbitrary code. CVE-2024-38657, affecting both ICS and IPS, enables attackers with administrative privileges to write arbitrary files remotely. CVE-2024-10644 is a code injection vulnerability that could allow the remote execution of commands on ICS and IPS by an authenticated user with admin rights.
These vulnerabilities have been assigned critical severity scores, with CVE-2025-22467 rated at 9.9 and the others at 9.1. While authentication is required for exploitation, compromised credentials obtained through phishing, brute force attacks, or previous breaches could enable attackers to take advantage of these flaws.
In addition to the critical vulnerabilities, Ivanti has addressed several medium and high-severity flaws. CVE-2024-12058 allows an attacker with administrative access to read arbitrary files in ICS and IPS. CVE-2024-13830, a reflected cross-site scripting (XSS) vulnerability, could allow an unauthenticated attacker to escalate privileges if a user interacts with a malicious link.
Other vulnerabilities include CVE-2024-13842 and CVE-2024-13843, which involve the use of hardcoded cryptographic keys and cleartext storage of sensitive data. These flaws could be exploited by a local unauthenticated attacker to access sensitive information. Additionally, CVE-2024-13813 affects ISAC and could allow an authenticated user to delete arbitrary files due to insufficient permission controls.
The vulnerabilities affect ICS versions 22.7R2.5 and earlier, IPS versions 22.7R1.2 and earlier, and ISAC versions 22.7R4 and earlier. Ivanti has issued patches in ICS version 22.7R2.6, IPS version 22.7R1.3, and ISAC version 22.8R1. These versions are now available for download.
Ivanti confirmed that Pulse Connect Secure 9.x is also affected by these vulnerabilities but will not receive any fixes. Engineering support for this version ended in June 2024, and full support ceased in December 2024. Customers using this version are advised to migrate to Ivanti Connect Secure 22.7 for continued security updates. The company has not provided temporary mitigations for these vulnerabilities. The company recommends that users apply the available patches as the only effective solution to secure affected systems. In January, Ivanti revealed a critical security vulnerability, CVE-2025-0282, which has been exploited in zero-day attacks targeting ICS appliances. The flaw enables remote code execution without authentication. The company also reported CVE-2025-0283, which affects Connect Secure, Policy Secure, and Neurons for ZTA gateways.
Read more: Ivanti patches high-severity vulnerabilities in CSA after exposure of critical flaws
