Cyber Security Alert: CVE affecting certain Ivanti products

The NCSC would like to draw your attention to a critical vulnerability affecting Ivanti Connect Secure, Pulse Connect Secure, Policy Secure and Neurons for ZTA gateways.

CVE-2025-22457 is a critical buffer overflow vulnerability affecting Ivanti Connect Secure that could allow a remote attacker to achieve remote code execution. The NCSC is aware of public reporting of active exploitation against Ivanti Connect Secure and Pulse Connect Secure.

The vulnerability affects these products: 

  • Ivanti Connect Secure versions 22.7R2.5 and earlier
  • Pulse Connect Secure versions 9.1x 
  • Policy Secure (all versions)  
  • Neurons for ZTA gateways (all versions)

The NCSC encourages organisations in New Zealand that use any of the affected products to review the vendor advisory and apply the remediation as soon as possible.

Received an alert or advisory from both CERT NZ and NCSC? At present, we use both brands and a range of distribution mechanisms to ensure everyone continues to receive the information they need. Behind the scenes, our teams continue to work together to share insights and align our guidance.
