Ivanti warns of critical zero-day exploit in Connect Secure appliances

Under active exploitation

The cybersecurity world is once again grappling with a critical vulnerability affecting Ivanti appliances.

Two new flaws have been found, one of which (CVE-2025-0282) was actively exploited in the wild as a zero-day.

CVE-2025-0282 is a stack-based buffer overflow flaw that enables unauthenticated remote code execution. It carries a severity rating of 9.0 and impacts the following Ivanti products:

Ivanti confirmed the zero-day attacks after its Integrity Checker Tool (ICT) detected suspicious activity on customers' appliances. An investigation determined that threat actors were exploiting CVE-2025-0282 specifically on Connect Secure appliances.

"We are aware of a limited number of customers' Ivanti Connect Secure appliances which have been exploited by CVE-2025-0282 at the time of disclosure," Ivanti wrote.

The company added that there is no evidence of this vulnerability being exploited in Ivanti Policy Secure or Neurons for ZTA Gateways to date.

Ivanti has also addressed a second flaw in its latest security updates. This vulnerability, indexed as CVE-2025-0283, is also a stack-based buffer overflow flaw. It grants privilege escalation to locally authenticated attackers. However, it is not currently known to be exploited in the wild.

Ivanti has released an urgent patch for Connect Secure appliances, resolving the issues in firmware version 22.7R2.5. Users are advised to upgrade to version 22.7R2.5 or later, and perform a factory reset of the appliance.
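As an added illustration, not code from the article or from Ivanti, the Python below compares an appliance's Connect Secure version string against the fixed build 22.7R2.5 named above, so a patch-tracking script does not mistake a lexical comparison for a numeric one (for example "22.7R2.10" sorting below "22.7R2.5" as text). The version-string format and the inventory entries are assumptions constructed for the example, and a passing version check does not replace the ICT run or the factory reset the advisory calls for.

```python
import re
from typing import Dict, List, Tuple

# Fixed build stated in the advisory text above.
FIXED_ICS_VERSION = "22.7R2.5"

# Assumed layout of Ivanti Connect Secure version strings:
# <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5 (patch optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_ics_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5) so tuples compare numerically."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_patched(version: str, fixed: str = FIXED_ICS_VERSION) -> bool:
    """True when the running build is the fixed build or a later one."""
    return parse_ics_version(version) >= parse_ics_version(fixed)


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "vpn-a.example.test", "version": "22.7R2.3"},
    {"host": "vpn-b.example.test", "version": "22.7R2.5"},
    {"host": "vpn-c.example.test", "version": "22.7R2.10"},
    {"host": "vpn-d.example.test", "version": "22.6R2"},
]


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the hosts still running a build older than the fixed one."""
    return [e["host"] for e in inventory if not is_patched(e["version"])]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: below {FIXED_ICS_VERSION}, schedule upgrade + factory reset")
```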

However, updates for Policy Secure and ZTA Gateways are not expected until 21st January.

For Policy Secure, Ivanti advises that this appliance should never be exposed to the web and is not believed to be a primary target of the current exploits.

For ZTA Gateways, Ivanti says exploits are not possible while the gateway is in production. However, if a gateway is generated and left unconnected to a ZTA controller, it remains vulnerable.

The company has enlisted the help of Mandiant and the Microsoft Threat Intelligence Center to investigate the attacks further.

Mandiant observed attacks using payloads from the Spawn malware ecosystem, previously linked to the China-nexus group UNC5221. Other novel malware families, Dryhook and Phasejam, were also identified.

In a blog post, Mandiant said: "Following the Jan. 10, 2024, disclosure of CVE-2023-46805 and CVE-2024-21887, Mandiant observed widespread exploitation by UNC5221 targeting Ivanti Connect Secure appliances across a wide range of countries and verticals.

"Mandiant assesses that defenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access.

"Additionally, if proof-of-concept exploits for CVE-2025-0282 are created and released, Mandiant assesses it is likely additional threat actors may attempt targeting Ivanti Connect Secure appliances."

The latest flurry of security concerns comes on the heels of multiple issues Ivanti has addressed in recent months.

In December, the company issued a critical security advisory warning customers of three critical vulnerabilities in its Cloud Services Application (CSA).

In October, Fortinet said a sophisticated cyberattack, believed to be orchestrated by a nation-state adversary, was exploiting critical vulnerabilities in Ivanti's CSA to gain unauthorised access to sensitive systems.

The attackers leveraged three vulnerabilities – CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 – to compromise the CSA and execute a series of malicious activities.

In addition to these vulnerabilities targeting the CSA, the attackers also exploited CVE-2024-29824, a vulnerability in Ivanti Endpoint Manager (EPM).