Ivanti Vulnerabilities CVE 2025 0282 And CVE 2025 0283
Query
DeviceTvmSoftwareInventory
| where SoftwareVendor has "ivanti"
| extend SoftwareVersionD =replace_string(SoftwareVersion,".","")
| extend firstDigits = toint(substring(SoftwareVersionD,0,5))
| where firstDigits < 22731 and (SoftwareName startswith "ivanti_secure_access" or SoftwareName has "pulse_application_launcher" )
| distinct DeviceName,SoftwareVersion, SoftwareName, SoftwareVendor ```About this query
Ivanti Vulnerabilities CVE-2025-0282 and CVE-2025-0283
ššš-šššš-šššš 9.0 (Critical) A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
ššš-šššš-šššš 7.0 (High) A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.
This query detect previous versions of Ivanti Connect Secure 22.7R2.5 to be updated ASAP using the patch provided by Ivanti.
Ivanti Secure Access Client: ivanti_secure_access = VPN client Only pulse_application_launcher = VPN client with launcher (needed for MFA login with mini browser in client )
Explanation
This query is designed to identify devices that are running outdated versions of Ivanti software, which are vulnerable to two specific security issues, CVE-2025-0282 and CVE-2025-0283. Here's a simplified breakdown of what the query does:
-
Data Source: It looks at the
DeviceTvmSoftwareInventorytable, which contains information about software installed on devices. -
Filter by Vendor: It filters the data to only include software from the vendor "Ivanti."
-
Version Processing:
- It removes the dots from the software version numbers to make them easier to compare numerically.
- It extracts the first five digits of this modified version number to facilitate version comparison.
-
Version Check:
- It checks if the extracted version number is less than 22731, which corresponds to versions before 22.7R2.5. - It further filters the results to include only software names that start with "ivanti_secure_access" or contain "pulse_application_launcher."
-
Output:
- It lists distinct devices with their software version, name, and vendor that meet the criteria.
The goal of this query is to identify devices that need to be updated to a newer version of Ivanti software to mitigate the risks associated with the identified vulnerabilities. The query specifically targets Ivanti Secure Access Client and Pulse Application Launcher, which are used for VPN access and may require updates to ensure security.
Details

Sergio Albea
Released: January 15, 2025
Tables
Keywords
Operators