Ivanti released fixes for four critical vulnerabilities across its Connect Secure, Policy Secure and Cloud Services Application (CSA) products Tuesday, including a flaw with a CVSS score of 9.9 that could be exploited by an attacker with low privileges.
This most severe bug, tracked as CVE-2025-22467 and affecting Ivanti Connect Secure versions prior to 22.7R2.6, is a stack-based buffer overflow that could lead to remote code execution (RCE) by an authenticated attacker. Unlike the other three critical flaws, CVE-2025-22467 does not require administrator privileges to exploit.
The other three critical flaws have CVSS scores of 9.1 and can be exploited by a remote authenticated attacker with admin privileges. CVE-2024-38657, affecting Ivanti Connect Secure versions prior to 22.7R2.4 and Policy Secure versions prior to 22.7R1.3, can enable an attacker to write arbitrary files via external control of files names.
CVE-2024-10644 is a code injection flaw affecting the same versions of Connect Secure and Policy Secure as CVE-2024-38657 and could lead to RCE.
CVE-2024-47908, which affects Ivanti CSA versions before 5.0.5, involves an operating system command injection flaw in the admin web console and could also lead to RCE by an authenticated attacker with admin privileges.
Ivanti customers can resolve these critical flaws by installing the latest product versions: Ivanti Connect Secure 22.7R2.6, Ivanti Policy Secure 22.7R1.3 and Ivanti CSA 5.0.5.
There is no indication these flaws have been exploited in the wild, Ivanti noted, and immediate patching is recommended to prevent exploitation. Ivanti also recommends following its security configuration best practices to help prevent bad actors from passing authentication to exploit flaws like CVE-2025-22467.
Ivanti vulnerabilities are frequently targeted by threat actors, including state-sponsored threat groups. Earlier this year, Ivanti released an emergency patch for an exploited zero-day in Connect Secure tracked as CVE-2025-0282 that could lead to remote system takeover.
There are currently 24 flaws in Ivanti products included the Known Exploited Vulnerabilities (KEV) catalog maintained by the US Cybersecurity & Infrastructure Security Agency (CISA), half of which were added in 2024 and 2025.
“In recent months, we have intensified our internal scanning, manual exploitation and testing capabilities, and have also made enhancements to our responsible disclosure process so that we promptly discover and address potential issues, and so that our customers are best equipped to take action,” Ivanti said in its security advisory.
The latest fixes were released as part of Ivanti’s regular security update published on the second Tuesday of every month.
“For many of our customers, the predictable schedule facilitates better planning and management for IT resources, allowing them to allocate time and personnel efficiently for the timely updates,” the advisory stated.
In addition to the critical bugs, seven other medium and high-severity flaws were patched across Ivanti Connect Secure, Policy Secure, Secure Access Client, Cloud Services Application and Ivanti Neurons for MDM.
