Query Details

Ivanti Vulnerabilities CVE 2025 0282 And CVE 2025 0283

Query

**Ivanti Vulnerabilities CVE-2025-0282 and CVE-2025-0283**

š‚š•š„-šŸšŸŽšŸšŸ“-šŸŽšŸšŸ–šŸ  9.0 (Critical) 
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. 

š‚š•š„-šŸšŸŽšŸšŸ“-šŸŽšŸšŸ–šŸ‘ 7.0 (High)
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges. 

This query detects versions earlier than Ivanti Connect Secure 22.7R2.5, which should be updated ASAP using the patch provided by Ivanti.

**Ivanti Secure Access Client**:

• ivanti_secure_access = VPN client only
• pulse_application_launcher = VPN client with launcher (needed for MFA login with the mini browser in the client)


```
DeviceTvmSoftwareInventory
| where SoftwareVendor has "ivanti"
// Strip the dots so the leading digits can be compared as one integer
| extend SoftwareVersionD = replace_string(SoftwareVersion, ".", "")
| extend firstDigits = toint(substring(SoftwareVersionD, 0, 5))
// Keep VPN client entries whose first five digits are below the 22731 cut-off
| where firstDigits < 22731 and (SoftwareName startswith "ivanti_secure_access" or SoftwareName has "pulse_application_launcher")
| distinct DeviceName, SoftwareVersion, SoftwareName, SoftwareVendor
```

Explanation

This query is designed to identify devices that are running outdated versions of Ivanti software, which are vulnerable to two specific security issues, CVE-2025-0282 and CVE-2025-0283. Here's a simplified breakdown of what the query does:

  1. Data Source: It looks at the DeviceTvmSoftwareInventory table, which contains information about software installed on devices.

  2. Filter by Vendor: It filters the data to only include software from the vendor "Ivanti."

  3. Version Processing:

    • It removes the dots from the software version numbers to make them easier to compare numerically.
    • It extracts the first five digits of this modified version number to facilitate version comparison.

  4. Version Check:

    • It checks if the extracted version number is less than 22731, which corresponds to versions before 22.7R2.5.
    • It further filters the results to include only software names that start with "ivanti_secure_access" or contain "pulse_application_launcher."

  5. Output:

    • It lists distinct devices with their software version, name, and vendor that meet the criteria.

The goal of this query is to identify devices that need to be updated to a newer version of Ivanti software to mitigate the risks associated with the identified vulnerabilities. The query specifically targets Ivanti Secure Access Client and Pulse Application Launcher, which are used for VPN access and may require updates to ensure security.
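Removing the dots and comparing the first five digits discards the boundaries between version components, so a version with a two-digit component or a shorter major version can land on the wrong side of the cut-off. The following is an added example, not part of the original query: it runs the digit logic next to KQL's `parse_version()` over constructed inventory rows so the two results can be compared. The sample rows and the dotted threshold `22.7.3.1` are assumptions for illustration; take the real fixed build from Ivanti's advisory.

```kql
// Assumption: dotted form chosen to mirror the 22731 cut-off used in the query above.
let threshold = "22.7.3.1";
// Constructed sample rows, not real inventory data.
datatable(DeviceName:string, SoftwareName:string, SoftwareVersion:string)
[
    "host-a", "ivanti_secure_access",       "22.7.2.100",  // older build in the same branch
    "host-b", "ivanti_secure_access",       "22.7.3.500",  // newer build in the same branch
    "host-c", "ivanti_secure_access",       "22.10.1.7",   // two-digit minor component
    "host-d", "pulse_application_launcher", "9.1.15.0"     // single-digit major version
]
// Original approach: strip dots, compare the first five digits as an integer.
| extend firstDigits = toint(substring(replace_string(SoftwareVersion, ".", ""), 0, 5))
| extend FlaggedByDigits = firstDigits < 22731
// Component-aware approach: parse_version() keeps each dotted part separate.
| extend FlaggedByVersion = parse_version(SoftwareVersion) < parse_version(threshold)
| project DeviceName, SoftwareName, SoftwareVersion, firstDigits, FlaggedByDigits, FlaggedByVersion
// Rows where the two approaches disagree are the ones to review by hand.
| extend Disagree = FlaggedByDigits != FlaggedByVersion
```

To apply the same comparison to live data, replace the `datatable` block with `DeviceTvmSoftwareInventory` and the vendor and name filters from the query above.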

Details

Sergio Albea

Released: January 15, 2025

Tables

DeviceTvmSoftwareInventory

Keywords

Ivanti, Devices, Software, Inventory

Operators

where, has, extend, replace_string, toint, substring, startswith, distinct