Zero-day exploits plague Ivanti Connect Secure appliances for second year running


The cybersecurity industry is urging those in charge of defending their orgs to take mitigation efforts "seriously" as Ivanti battles two dangerous new vulnerabilities, one of which was already being exploited as a zero-day.

It's just under a year since the last high-profile security snafu hit the vendor and now two new flaws are ready to be patched at the earliest opportunity:

  • CVE-2025-0282 (9.0 severity – critical): The worst of the two is a stack-based buffer overflow bug leading to unauthenticated remote code execution. This is the one that was already exploited, affecting Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3.

  • CVE-2025-0283 (7.0 severity – high): The lesser of the two evils is another stack-based buffer overflow leading to privilege escalation for locally authenticated attackers. The same products and versions ...


Copyright of this story solely belongs to theregister.co.uk.