CVE-2025-0283

ENISA EUVD: EUVD-2025-1581 ↗

✓ Confirmed 0-Day

Triaged: March 5, 2026 4 articles Published: 2025-01-08

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗

EPSS Score

Source: FIRST.org · 2026-05-23

41.83%

probability

This CVE has a 41.83% probability of being exploited in the next 30 days.

0% Top 97.5th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

HIGH

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.

Affected Products

Ivanti

Connect Secure

22.7R2.5

Ivanti

Policy Secure

22.7R1.2

Ivanti

Neurons for ZTA gateways

22.7R2.5

ivanti

connect secure

ivanti

neurons for zero-trust access

ivanti

policy secure

Ivanti

Policy Secure

22.7R1.2

Ivanti

Neurons for ZTA gateways

patch: 22.7R2.5

Ivanti

Connect Secure

patch: 22.7R2.5

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-121 · Stack-based Buffer Overflow CWE-664 · Improper Control of a Resource Through its Lifetime CWE-787 · Out-of-bounds Write CWE-788 · Access of Memory Past End of Buffer

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283

Signal Intelligence

Confidenceⓘ

87%

EPSS 41.83%

CVSS v3.1 7

Mentions 4

Last Seen Jan 10, 2025

CNA Information

CNA Assigner

ivanti

Analyst Note

CVE-2025-0283 is explicitly named as a zero-day in the BleepingComputer headline 'Ivanti warns of new Connect Secure flaw used in zero-day attacks.' Published 2025-01-08 with immediate exploitation reports and patches deployed within days, establishing clear zero-day criteria: active wild exploitation concurrent with patch availability.