SB2025070874 - Multiple vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025070874

SB2025070874 - Multiple vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure

Published: July 8, 2025

Security Bulletin ID SB2025070874
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 17% Low 83%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Improper access control (CVE-ID: CVE-2025-5450)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote admin with read-only rights can  modify settings that should be restricted.


2) Stack-based buffer overflow (CVE-ID: CVE-2025-5451)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error. A remote privileged user can trigger a stack-based buffer overflow and perform a denial of service (DoS) attack. 


3) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2025-5463)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. A local user can read the log files and gain access to sensitive data.


4) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2025-5464)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. A local user can read the log files and gain access to sensitive data.


5) CRLF injection (CVE-ID: CVE-2025-0293)

The vulnerability allows a remote user to inject arbitrary data in server response.

The vulnerability exists due to insufficient validation of attacker-supplied data. A remote privileged user can pass specially crafted data to the application containing CR-LF characters and modify application behavior.


6) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-0292)

The disclosed vulnerability allows a remote user to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote privileged user can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.


Remediation

Install update from vendor's website.

References