Ivanti: Security Vulnerabilities
A buffer over-read vulnerability in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to trigger a denial of service. CWE-125
CVSS Score
7.5
EPSS Score
0.006
Published
2025-08-12
A heap-based buffer overflow in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to trigger a denial of service.
CVSS Score
7.5
EPSS Score
0.005
Published
2025-08-12
A vulnerability exists on all versions of Ivanti Policy Secure below 22.6R1 where an authenticated administrator can perform an arbitrary file read via a maliciously crafted web request.
CVSS Score
4.9
EPSS Score
0.008
Published
2025-07-12
A hardcoded secret in Ivanti DSM before 2024.2 allows an authenticated attacker on an adjacent network to decrypt sensitive data including user credentials.
CVSS Score
9.0
EPSS Score
0.0
Published
2025-07-12
A security vulnerability within Ivanti Avalanche Manager before version 6.4.1 may allow an unauthenticated attacker to create a buffer overflow that could result in service disruption or arbitrary code execution.
CVSS Score
9.8
EPSS Score
0.02
Published
2025-07-12
Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 allows a local authenticated attacker to obtain that information.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-07-08
OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2,12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution
CVSS Score
7.2
EPSS Score
0.08
Published
2025-07-08
CLRF injection in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to write to a protected configuration file on disk.
CVSS Score
6.6
EPSS Score
0.0
Published
2025-07-08
SSRF in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to access internal network services.
CVSS Score
5.5
EPSS Score
0.005
Published
2025-07-08
SQL injection in Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a remote authenticated attacker with admin privileges to read arbitrary data from the database
CVSS Score
7.2
EPSS Score
0.003
Published
2025-07-08