CVE-2025-5462
📛 CVE Title
CVE-2025-5462
Description
A heap-based buffer overflow in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to trigger a denial of service.
Overview
- State: PUBLISHED
- Assigner (CNA): ivanti
- CVSS severity: HIGH
- CVSS score: 7.5 / 10
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Effective score: 7.5 / 10 HIGH (source: CNA overview)
- CWE(s): CWE-122
- Reserved: 2025-06-02
- Published: 2025-08-12 16:56 UTC
- Last updated: 2025-08-12 17:08 UTC
- Source: https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2025/5xxx/CVE-2025-5462.json
- Linked Threat: CVE-2025-5462
European Union Vulnerability Database ENISA EUVD
ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.
- EUVD ID: EUVD-2025-24253
- Assigner: ivanti
- Published: Aug 12, 2025, 2:56:19 PM
- Updated: Aug 12, 2025, 3:08:46 PM
- EUVD base score (CVSS 3.1): 7.5 / 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- EUVD-reported EPSS: 0.5800
- Vendors: Ivanti
- Products: Neurons for Secure Access (patch: 22.8R1.4 (Fix deployed on 02-Aug-2025)); Connect Secure (patch: 22.7R2.8); ZTA Gateway (patch: 22.8R2.3-723); Policy Secure (patch: 22.7R1.5); Connect Secure (patch: 22.8R2)
- Aliases: GHSA-ph7j-5qgh-2m7f
ENISA description: A heap-based buffer overflow in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to trigger a denial of service.
Affected products (4)
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Ivanti | Connect Secure | 22.7R2.8 (unaffected), 22.8R2 (unaffected) | — |
| Ivanti | Policy Secure | 22.7R1.5 (unaffected) | — |
| Ivanti | ZTA Gateway | 22.8R2.3-723 (unaffected) | — |
| Ivanti | Neurons for Secure Access | 22.8R1.4 (Fix deployed on 02-Aug-2025) (unaffected) | — |
Vendor references (1)
References embedded in the original CVE record by the assigning CNA.
Web references (5)
DuckDuckGo results ranked by threat-intel / vendor advisory domains.
- http://cwe.mitre.org/data/definitions/122.html rapid7:cwe.mitre.org
- https://attackerkb.com/topics/CVE-2025-5462 rapid7:attackerkb.com
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-24253 rapid7:euvd.enisa.europa.eu
- https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-Multiple-CVEs?language=en_US rapid7:forums.ivanti.com
- https://www.cve.org/CVERecord?id=CVE-2025-5462 rapid7:www.cve.org
Raw JSON
The full cvelistV5 record.
```json
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5462",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-12T15:08:33.741307Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-12T15:08:46.265Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Connect Secure",
          "vendor": "Ivanti",
          "versions": [
            {
              "status": "unaffected",
              "version": "22.7R2.8"
            },
            {
              "status": "unaffected",
              "version": "22.8R2"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Policy Secure",
          "vendor": "Ivanti",
          "versions": [
            {
              "status": "unaffected",
              "version": "22.7R1.5"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "ZTA Gateway",
          "vendor": "Ivanti",
          "versions": [
            {
              "status": "unaffected",
              "version": "22.8R2.3-723"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Neurons for Secure Access",
          "vendor": "Ivanti",
          "versions": [
            {
              "status": "unaffected",
              "version": "22.8R1.4 (Fix deployed on 02-Aug-2025)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "<span style=\"background-color: rgb(255, 255, 255);\">A heap-based buffer overflow in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to trigger a denial of service.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span><br>"
            }
          ],
          "value": "A heap-based buffer overflow in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to trigger a denial of service."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100: Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-12T14:56:19.798Z",
        "orgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
        "shortName": "ivanti"
      },
      "references": [
        {
          "url": "https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-Multiple-CVEs?language=en_US"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
    "assignerShortName": "ivanti",
    "cveId": "CVE-2025-5462",
    "datePublished": "2025-08-12T14:56:19.798Z",
    "dateReserved": "2025-06-02T10:29:36.011Z",
    "dateUpdated": "2025-08-12T15:08:46.265Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}
```