
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN511
_____________________________________________________________________

DATE                : 13/08/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Ivanti Avalanche,
                     Ivanti Virtual Application Delivery Control (vADC)
                     (previously known as vTM),
                     Ivanti Connect Secure, Policy Secure, ZTA Gateways
                     and Neurons for Secure Access.

=====================================================================
https://www.ivanti.com/blog/august-2025-security-update
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-CVE-2025-8296-CVE-2025-8297?language=en_US
https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Virtual-Application-Delivery-Controller-vADC-previously-vTM-CVE-2025-8310?language=en_US
https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-Multiple-CVEs?language=en_US
_____________________________________________________________________


August 2025 Security Update
Last updated: August 12, 2025
Security Advisory

Ivanti releases standard security patches on the second Tuesday of
every month.  Our vulnerability management program is central to our
commitment to maintaining secure products. Our philosophy is simple:
discovering and communicating vulnerabilities, and sharing that
information with defenders, is not an indication of weakness; rather
it is evidence of rigorous scrutiny and a proactive vulnerability
management program. By aggressively seeking to identify and address
vulnerabilities, our aim is to get ahead of threat actors to ensure
our customers can take the steps needed to protect their environments.
At the core, we believe that responsible transparency helps protect
our customers.

We believe that responsible transparency helps protect our customers,
and that CVE disclosures are an essential and effective tool to
communicate software vulnerabilities. The purpose of assigning a CVE
is to provide a beacon to security teams and signal the need for
urgent updates.

To that end, today Ivanti is disclosing vulnerabilities in Ivanti
Avalanche, Ivanti Virtual Application Delivery Control (vADC)
(previously known as vTM) and Ivanti Connect Secure, Policy Secure,
ZTA Gateways and Neurons for Secure Access.

It is important for customers to know:

    We have no evidence of any of these vulnerabilities being
exploited in the wild.

    These vulnerabilities do not impact any other Ivanti solutions.


More information on these vulnerabilities and detailed instructions
on how to remediate the issues can be found in these Security
Advisories:

    Ivanti Avalanche
    Ivanti vADC
    Ivanti Connect Secure, Policy Secure, ZTA Gateways and Neurons
for Secure Access

Our Support team is always available to help customers and partners
should they have any questions. Cases can be logged via the Success
portal (login credentials required).


Want to stay up to date on Ivanti Security Advisories? Paste
https://www.ivanti.com/blog/topics/security-advisory/rss into your
preferred RSS reader / functionality in your email program.

_____________________________________________________________________

Security Advisory Ivanti Avalanche (CVE-2025-8296, CVE-2025-8297) 
Primary Product
Avalanche
Created Date
30 Jul 2025 18:29:35
Last Modified Date
12 Aug 2025 14:00:28
 

Summary 

Ivanti has released updates for Ivanti Avalanche which address two
high-severity vulnerabilities. Successful exploitation could lead to
authenticated remote code execution.

We are not aware of any customers being exploited by these
vulnerabilities at the time of disclosure. 

 
Vulnerability Details: 

CVE Number            : CVE-2025-8296
Description           : SQL injection in Ivanti Avalanche before version
                        6.4.8.8005 allows a remote authenticated attacker
                        with admin privileges to execute arbitrary SQL
                        queries. In certain conditions, this can also lead
                        to remote code execution.
CVSS Score (Severity) : 7.2 (High)
CVSS Vector           : CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE                   : CWE-89

CVE Number            : CVE-2025-8297
Description           : Incomplete restriction of configuration in Ivanti
                        Avalanche before version 6.4.8.8005 allows a
                        remote authenticated attacker with admin
                        privileges to achieve remote code execution.
CVSS Score (Severity) : 7.2 (High)
CVSS Vector           : CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE                   : CWE-434
 

Affected Versions 

Product Name        : Ivanti Avalanche
Affected Version(s) : 6.4.6 and prior
Affected CPE(s)     : cpe:2.3:a:ivanti:avalanche:6.4.6:*:*:*:premise:*:*:*
Resolved Version(s) : 6.4.8.8008
Patch Availability  : Download Portal


Solution 

Download the Avalanche 6.4.8 8008 installer from the download portal
link. Install the patch to address the noted CVE numbers in this
article. As always, it is recommended to take a database backup
and/or system image before performing any installations or upgrades. 

 

Acknowledgements 

Ivanti would like to thank the following for reporting the relevant
issues and for working with Ivanti to help protect our customers: 

    Kevin Salapatek working with Trend Zero Day Initiative
(CVE-2025-8296, CVE-2025-8297) 

Note: Ivanti is dedicated to ensuring the security and integrity of
our enterprise software products. We recognize the vital role that
security researchers, ethical hackers, and the broader security
community play in identifying and reporting vulnerabilities. Visit
HERE to learn more about our Vulnerability Disclosure Policy. 

 

FAQ 

Are you aware of any active exploitation of these vulnerabilities? 

We are not aware of any customers being exploited by these
vulnerabilities prior to public disclosure. These vulnerabilities
were disclosed through our responsible disclosure program.

 
How can I tell if I have been compromised? 
Currently, there is no known public exploitation of this
vulnerability that could be used to provide a list of indicators
of compromise.
 

What should I do if I need help?  

If you have questions after reviewing this information, you can
log a case and/or request a call via the Success Portal.
 

I am having trouble logging into the Download Portal

If you have any issues accessing the download portal, first try
resetting your password. If issues persist, please contact
Technical Support for additional assistance. 

Article Number :   000101164
Article Promotion Level
Normal

_____________________________________________________________________

August Security Advisory Ivanti Virtual Application Delivery
Controller (vADC previously vTM) (CVE-2025-8310)
Primary Product

Created Date
12 Aug 2025 14:04:05

Last Modified Date
12 Aug 2025 14:59:24


Summary

Ivanti has released updates for Ivanti Virtual Application Delivery
Controller (vADC), previously Virtual Traffic Manager (vTM), which
address one medium-severity vulnerability. Successful exploitation
could lead to account takeover.

We are not aware of any customers being exploited by this
vulnerability at the time of disclosure.

 
Vulnerability Details:

CVE Number            : CVE-2025-8310
Description           : Missing authorization in the admin console of
                        Ivanti Virtual Application Delivery Controller
                        before version 22.9 allows a remote authenticated
                        attacker to take over admin accounts by resetting
                        the password.
CVSS Score (Severity) : 6.3 (Medium)
CVSS Vector           : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE                   : CWE-862

 
Affected Versions

Product Name        : Ivanti Virtual Application Delivery Controller (vADC)
Affected Version(s) : 22.8R2 and prior
Resolved Version(s) : 22.9
Patch Availability  : Download Portal https://portal.ivanti.com/

 
Solution

These vulnerabilities are resolved in Ivanti Virtual Application
Delivery Controller (vADC) 22.9 and can be accessed in the download
portal.


Mitigation or Workaround

This vulnerability is accessible over the management interface. To
limit exploitability of this vulnerability, it is industry best
practice and advised by Ivanti to limit Admin Access to the
Management Interface to the internal network through the
private / corporate network.

 

 

Acknowledgements

Ivanti would like to thank the following for reporting the relevant
issues and for working with Ivanti to help protect our customers:

    NCIA researcher Jahmel Harris (CVE-2025-8310)

Note: Ivanti is dedicated to ensuring the security and integrity of
our enterprise software products. We recognize the vital role that
security researchers, ethical hackers, and the broader security
community play in identifying and reporting vulnerabilities. Visit
HERE to learn more about our Vulnerability Disclosure Policy.


FAQ

Are you aware of any active exploitation of these vulnerabilities?

We are not aware of any customers being exploited by this
vulnerability prior to public disclosure. This vulnerability was
disclosed through our responsible disclosure program.


How can I tell if I have been compromised?

Currently, there is no known public exploitation of this
vulnerability that could be used to provide a list of indicators of
compromise.


What should I do if I need help?

If you have questions after reviewing this information, you
can log a case and/or request a call via the Success Portal.

Article Number :  000101363
Article Promotion Level
Normal

_____________________________________________________________________

August Security Advisory Ivanti Connect Secure, Policy Secure & ZTA
Gateways (Multiple CVEs)

Primary Product
Connect-Secure

Created Date
12 Aug 2025 14:04:00

Last Modified Date
13 Aug 2025 14:03:47


Summary

Ivanti has released updates for Ivanti Connect Secure which address
medium, high, and critical vulnerabilities.

We are not aware of any customers being exploited by these vulnerabilities
at the time of disclosure.

  

Vulnerability Details:

CVE Number            : CVE-2025-5456
Description           : A buffer over-read vulnerability in Ivanti Connect
                        Secure before 22.7R2.8 or 22.8R2, Ivanti Policy
                        Secure before 22.7R1.5, Ivanti ZTA Gateway before
                        2.8R2.3-723 and Ivanti Neurons for Secure Access
                        before 22.8R1.4 (Fix deployed on 02-Aug-2025)
                        allows a remote unauthenticated attacker to
                        trigger a denial of service.
CVSS Score (Severity) : 7.5 (High)
CVSS Vector           : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE                   : CWE-125

CVE Number            : CVE-2025-5462
Description           : A heap-based buffer overflow in Ivanti Connect
                        Secure before 22.7R2.8 or 22.8R2, Ivanti Policy
                        Secure before 22.7R1.5, Ivanti ZTA Gateway before
                        22.8R2.3-723 and Ivanti Neurons for Secure Access
                        before 22.8R1.4 (Fix deployed on 02-Aug-2025)
                        allows a remote unauthenticated attacker to
                        trigger a denial of service.
CVSS Score (Severity) : 7.5 (High)
CVSS Vector           : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE                   : CWE-122, CWE-476

CVE Number            : CVE-2025-5466
Description           : XXE in Ivanti Connect Secure before 22.7R2.8 or
                        22.8R2, Ivanti Policy Secure before 22.7R1.5,
                        Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti
                        Neurons for Secure Access before 22.8R1.4 (Fix
                        deployed on 02-Aug-2025) allows a remote
                        authenticated attacker with admin privileges to
                        trigger a denial of service.
CVSS Score (Severity) : 4.9 (Medium)
CVSS Vector           : CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CWE                   : CWE-776

CVE Number            : CVE-2025-5468
Description           : Improper handling of symbolic links in Ivanti
                        Connect Secure before version 22.7R2.8 or 22.8R2,
                        Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA
                        Gateway before 22.8R2.3-723 and Ivanti Neurons for
                        Secure Access before 22.8R1.4 (Fix deployed on
                        02-Aug-2025) allows a local authenticated attacker
                        to read arbitrary files on disk.
CVSS Score (Severity) : 5.5 (Medium)
CVSS Vector           : CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE                   : CWE-61

 
Affected Versions

Product Name        : Ivanti Connect Secure (ICS)
Affected Version(s) : 22.7R2.7 and prior
Resolved Version(s) : 22.7R2.8 or above, OR 22.8R2
Patch Availability  : Download Portal https://portal.ivanti.com/

Product Name        : Ivanti Policy Secure (IPS)
Affected Version(s) : 22.7R1.4 and prior
Resolved Version(s) : 22.7R1.5
Patch Availability  : Download Portal https://portal.ivanti.com/

Product Name        : Ivanti ZTA Gateway
Affected Version(s) : 22.8R2.2
Resolved Version(s) : 22.8R2.3-723
Patch Availability  : Available in controller for download since
                      2 August, 2025.

Product Name        : Ivanti Neurons for Secure Access
Affected Version(s) : 22.8R1.3 and prior
Resolved Version(s) : 22.8R1.4
Patch Availability  : Fix applied to cloud environments on 2 August, 2025


Solution 
 

Ivanti Connect Secure: update to version 22.7R2.8 OR version 22.8R2.
Customers can access these versions through the standard download
portal.

Ivanti Policy Secure: update to version 22.7R1.5. Customers can
access this version through the standard download portal.

ZTA Gateways: version 22.8R2.3-723 is available in the controller
for download.

Neurons for Secure Access: these issues were resolved in the cloud
product on 2 August, 2025. There is no additional action required
for customers.
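
Added example (not part of the Ivanti advisory or of the CERT-Renater
note): a Python triage of an appliance inventory against the resolved
versions listed above, per release branch. The version grammar
(major.minor, optional R<release>.<patch>, optional -<build>), the host
names and the inventory rows are assumptions constructed for illustration.

```python
import re

# Resolved versions copied from the "Affected Versions" table above,
# keyed by product and then by release branch (major, minor).
FIXED = {
    "Ivanti Connect Secure": {(22, 7): "22.7R2.8", (22, 8): "22.8R2"},
    "Ivanti Policy Secure": {(22, 7): "22.7R1.5"},
    "Ivanti ZTA Gateway": {(22, 8): "22.8R2.3-723"},
}

# Assumed grammar: major.minor[R<release>[.<patch>]][-<build>]
_VER = re.compile(r"^(\d+)\.(\d+)(?:R(\d+)(?:\.(\d+))?)?(?:-(\d+))?$")


def parse(version):
    """Return (major, minor, release, patch, build); absent parts count as 0."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def status(product, version):
    """Classify one appliance as 'fixed', 'vulnerable' or 'review'."""
    branches = FIXED[product]
    v = parse(version)
    branch = v[:2]
    if branch in branches:
        return "fixed" if v >= parse(branches[branch]) else "vulnerable"
    if branch < min(branches):
        return "vulnerable"  # older than every branch that received a fix
    return "review"  # branch not named in the advisory: check vendor notes


# Constructed sample inventory: (host, product, running version).
INVENTORY = [
    ("vpn-a", "Ivanti Connect Secure", "22.7R2.7"),
    ("vpn-b", "Ivanti Connect Secure", "22.8R2"),
    ("vpn-c", "Ivanti Connect Secure", "22.8R1"),
    ("vpn-old", "Ivanti Connect Secure", "9.1R18.9"),
    ("nac-a", "Ivanti Policy Secure", "22.7R1.5"),
    ("zta-a", "Ivanti ZTA Gateway", "22.8R2.2"),
]


def triage(inventory):
    return {host: status(product, ver) for host, product, ver in inventory}


if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host}: {result}")
```

A plain tuple comparison against 22.7R2.8 would wrongly pass a 22.8R1
appliance, which is why the check is done per release branch.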

 
Mitigation:

CVE-2025-5466: the risk of this vulnerability is significantly reduced
if a customer does not expose their admin portal to the internet.

Additionally, we always recommend that customers follow Security
Configuration Best Practices, which help to reduce the risk to their
environment.


FAQ

 

1: Are you aware of any active exploitation of these vulnerabilities?

We are not aware of any customers being exploited by these
vulnerabilities prior to public disclosure. These vulnerabilities
were discovered internally or disclosed through our responsible
disclosure program.

 
2: How can I tell if I have been compromised?

Currently, there is no known public exploitation of these
vulnerabilities that could be used to provide a list of indicators
of compromise.
 

3: What should I do if I need help?

If you have questions after reviewing this information, you can log
a case and/or request a call via the Success Portal.

 

4: Are any of these vulnerability fixes backported to any of the 9.x
versions?

No. The Pulse Connect Secure 9.x version of the product reached End
of Engineering June 2024 and has reached End-of-Support as of
December 31, 2024. Because of this, the 9.x version of Connect
Secure no longer receives backported fixes. We strongly encourage
customers to upgrade to Ivanti Connect Secure and remain on the
latest version to benefit from important security updates that
we have made throughout the solution.

 
Article Number :  000101362
Article Promotion Level
Normal

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
