Ivanti Connect Secure RCE Flaws Exploited, Legacy Pulse Secure Left Unpatched
Ivanti disclosed multiple critical vulnerabilities affecting Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA Gateway, including CVE-2025-0282 (CVSS 9.0), a stack-based buffer overflow that allows unauthenticated remote code execution, and CVE-2025-0283 (CVSS 7.0), which enables privilege escalation. Ivanti said CVE-2025-0282 has been exploited in the wild against Ivanti Connect Secure, prompting urgent guidance for organizations to upgrade to fixed releases and use the Integrity Checker Tool to look for signs of compromise.
Authorities later warned that CVE-2025-22457 is also being actively exploited in Ivanti Connect Secure and Pulse Connect Secure, allowing remote command execution on vulnerable systems. Ivanti Connect Secure addressed that flaw in version 22.7R2.6, but Pulse Connect Secure 9.x has no patch and will not receive one, leaving migration and retirement as the only mitigation for legacy deployments. While Ivanti Policy Secure and ZTA Gateway are also affected by CVE-2025-22457, exploitation had not been observed in those products at the time of reporting.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Finnish NCSC contacts organizations still running outdated Ivanti versions
The Finnish National Cyber Security Centre said most domestic organizations had already updated affected systems and that it had contacted some organizations still using older vulnerable versions. The outreach followed reports of exploitation in older Ivanti and Pulse deployments.
Active exploitation of CVE-2025-22457 reported in Ivanti and Pulse products
Active exploitation of CVE-2025-22457 was reported in Ivanti Connect Secure and legacy Pulse Connect Secure systems. Pulse Connect Secure 9.x had no patch and no planned future fix, prompting guidance to migrate away from the unsupported product.
Ivanti releases fix for CVE-2025-22457 in Connect Secure
Ivanti released version 22.7R2.6 for Ivanti Connect Secure in February to fix CVE-2025-22457, a flaw that can enable remote command execution. The issue also affected Ivanti Policy Secure and ZTA Gateway, though exploitation was not observed in those products.
Ivanti discloses CVE-2025-0282 and CVE-2025-0283 with active exploitation
Ivanti disclosed critical vulnerabilities affecting Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA Gateway. It said CVE-2025-0282, a remote code execution flaw, had already been exploited in Ivanti Connect Secure, while CVE-2025-0283 allowed privilege escalation.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Ivanti Connect Secure -haavoittuvuuden hyväksikäyttöä havaittu vanhemmissa versioissa | Traficom
kyberturvallisuuskeskus.fi
Open sourceIvanti Connect Secure -haavoittuvuuden hyväksikäyttöä havaittu | Traficom
kyberturvallisuuskeskus.fi
Open sourceIvanti Connect Secure -haavoittuvuuden hyväksikäyttöä havaittu | Traficom
kyberturvallisuuskeskus.fi
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ivanti patches multiple Connect Secure and ZTA flaws enabling DoS and file read
Ivanti released security updates for **Ivanti Connect Secure**, **Policy Secure**, **ZTA Gateway**, and **Neurons for Secure Access** to fix four vulnerabilities, including two high-severity remote unauthenticated denial-of-service flaws tracked as `CVE-2025-5456` and `CVE-2025-5462`. The bugs stem from memory-safety weaknesses including a buffer over-read and a heap-based buffer overflow that can be triggered through crafted network input, potentially crashing appliances that provide VPN, zero-trust, and access-control services. Ivanti said cloud instances of Neurons for Secure Access were remediated by **August 2, 2025**, while on-premises customers must apply the fixed releases. The same advisory also addressed `CVE-2025-5466`, an authenticated administrator **XXE** issue that can cause denial of service, and `CVE-2025-5468`, a symbolic link handling flaw that could let a local authenticated attacker read arbitrary files. Ivanti said it had no evidence of customer exploitation before disclosure and that the issues were found through internal assessments and responsible disclosure, but the breadth of affected products increases operational risk for enterprises relying on Ivanti remote access infrastructure. The company also noted that **Pulse Connect Secure 9.x** no longer receives backported fixes because it has reached end of support.
Jun 12, 2026
Ivanti fixes Connect Secure, Policy Secure, and Neurons for ITSM vulnerabilities
Ivanti issued security updates for multiple enterprise products, including **Ivanti Connect Secure**, **Policy Secure**, and **Ivanti Neurons for ITSM**, as the company continued remediation across its remote access and IT service management portfolio. The Neurons for ITSM fixes arrived in version **2025.4** and addressed **CVE-2026-4913** and **CVE-2026-4914**, affecting version **2025.3** and earlier in both on-premises and cloud deployments; Ivanti said cloud instances had already been patched and urged on-premises customers to upgrade through the Ivanti License System. According to Ivanti, **CVE-2026-4913** is an improper path protection flaw that could allow a remote authenticated attacker to retain access after an administrator disables the account, while **CVE-2026-4914** is a stored **XSS** issue that could let an authenticated attacker access limited data from other users’ sessions. Ivanti said it was not aware of active exploitation and had no indicators of compromise for the Neurons flaws, while its separate advisory for Connect Secure and Policy Secure signaled additional security remediation affecting those products.
Jun 3, 2026
Ivanti Patches RCE and Privilege Escalation Flaws in Secure Access Client and vTM
Ivanti released security updates for two enterprise products, fixing multiple vulnerabilities in **Ivanti Secure Access Client for Windows** and **Ivanti Virtual Traffic Manager (vTM)**. In Secure Access Client, version `22.8R6` addresses **CVE-2026-7431**, an incorrect permissions issue that could let a local authenticated user read or modify sensitive log data; **CVE-2026-7432**, a race condition that could allow local privilege escalation to `SYSTEM`; and **CVE-2026-8992`, an improper certificate validation flaw that could enable remote unauthenticated code execution. Ivanti said affected Secure Access Client versions are `22.8R5` and earlier and advised customers to upgrade to `22.8R6`. Ivanti also patched **CVE-2026-8051** in **Ivanti Virtual Traffic Manager**, a high-severity `CWE-78` OS command injection vulnerability with a CVSS score of `7.2` that could allow a remote authenticated administrator to achieve remote code execution. The flaw affects vTM `22.9r3` and earlier and is fixed in `22.9r4`. Ivanti said it was not aware of customer exploitation of any of the disclosed issues before publication and said the vulnerabilities were reported through its responsible disclosure program, crediting William Söderberg of Reversec for the vTM finding.
Jun 21, 2026