Introduction

The UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued an urgent advisory for Ivanti customers to address two critical vulnerabilities in Ivanti Connect Secure (ICS) [4], Policy Secure [1] [2] [3] [4] [5] [6] [7] [9] [10] [11], and ZTA gateways [3] [4] [5] [6] [7] [9] [10] [11]. These vulnerabilities, disclosed by Ivanti on January 8, 2025, pose significant security risks and require immediate action.

Description

CVE-2025-0282 is a critical stack-based buffer overflow vulnerability with a CVSS score of 9.0 [5]. It enables unauthenticated remote attackers to execute arbitrary code on vulnerable devices. This vulnerability affects Ivanti Connect Secure versions prior to 22.7R2.5 [1], Ivanti Policy Secure prior to 22.7R1.2 [3] [4] [7] [11], and Ivanti Neurons for ZTA gateways prior to 22.7R2.3 [1] [3] [4] [7] [11]. Ivanti has reported that since mid-December 2024 a limited number of Ivanti Connect Secure appliances have been exploited [1] [3] [7] by threat groups, including one suspected of links to China. Researchers from Google Mandiant have identified various malware samples associated with these attacks [9], including the SPAWN ecosystem and the new malware families DRYHOOK and PHASEJAM, which are not yet attributed to known groups [8]. Because of this evidence of active exploitation [6], CVE-2025-0282 has been added to CISA's Known Exploited Vulnerabilities Catalog [11]. Organizations are urged to monitor for malicious activity and report any findings to CISA [6]. Further guidance can be found in CISA's BOD 22-01 [11].

CVE-2025-0283 is another stack-based buffer overflow vulnerability [2] [3] [5] [7] [8] [9] [11], rated high severity with a CVSS score of 7.0 [5]. It allows local authenticated attackers to escalate privileges on affected devices [2] [4] [7] [9]. This vulnerability impacts the same versions of the affected products and was discovered during the investigation of CVE-2025-0282. However, no exploitation of CVE-2025-0283 has been reported at the time of disclosure [4].

Patches are available for CVE-2025-0282 for Ivanti Connect Secure [2] [4], while patches for CVE-2025-0283 are expected for Ivanti Policy Secure and Neurons for ZTA by January 21, 2025 [2]. Ivanti advises customers to upgrade Connect Secure to version 22.7R2.5 immediately and to run Ivanti's updated Integrity Checker Tool (ICT) to detect exploitation of CVE-2025-0282. For appliances whose ICT scan comes back clean, a factory reset is recommended before the new version is deployed [5]. For Policy Secure [1] [2] [3] [4] [5] [6] [7] [9] [10] [11], it is crucial that appliances are not exposed to the internet, to mitigate the risk of exploitation [1]. Organizations should apply the relevant patches, ensure Ivanti Policy Secure appliances are correctly configured [4], and continuously monitor authentication and identity management services [6]. If a compromise is confirmed, it should be reported immediately to CISA and Ivanti so that forensic investigation can begin; affected systems should be disconnected from enterprise resources, and any exposed certificates, keys, and passwords revoked and reissued [6]. Where domain accounts associated with the affected products are compromised, passwords should be reset, Kerberos tickets revoked, and tokens for cloud accounts disabled [6]. After thorough investigation, systems should be fully patched and restored before being returned to service [6].
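As an added example (not code from the advisory, CISA, or Ivanti), the following Python script turns the patch-and-response steps above into a per-appliance checklist ordered by urgency. It assumes Ivanti version strings follow the "22.7R2.5" shape quoted in the text (major.minor, then an R-numbered release and optional patch number), records only the Connect Secure fixed version because the page states Policy Secure and ZTA fixes were still pending, and runs over a constructed inventory: the appliance names, products, versions, exposure flags, and ICT results are all made up for the demonstration.

```python
"""Patch-status triage for an Ivanti appliance inventory (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fixed version for CVE-2025-0282 named in the advisory. Policy Secure and
# Neurons for ZTA fixes were still pending at disclosure, so they map to None
# and every build of those products is treated as unpatched.
FIXED_VERSIONS = {
    "Connect Secure": "22.7R2.5",
    "Policy Secure": None,
    "Neurons for ZTA": None,
}

# Assumption: version strings look like "22.7R2.5", i.e. major.minor, an
# R-numbered release, and an optional patch number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch number counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True if the build predates the fixed release, or if no fix exists yet."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product: {product!r}")
    fixed = FIXED_VERSIONS[product]
    if fixed is None:
        return True
    return parse_version(version) < parse_version(fixed)


@dataclass
class Appliance:
    name: str
    product: str
    version: str
    internet_exposed: bool
    ict_clean: Optional[bool]  # None means the Integrity Checker has not run yet


def triage(a: Appliance) -> Tuple[int, List[str]]:
    """Return (priority, actions) for one appliance; priority 0 is most urgent."""
    actions: List[str] = []

    if a.ict_clean is False:
        # ICT found tampering: follow the advisory's containment steps.
        actions += [
            "disconnect from enterprise resources",
            "report to CISA and Ivanti so forensic investigation can begin",
            "revoke and reissue exposed certificates, keys and passwords",
            "reset associated domain passwords, revoke Kerberos tickets, disable cloud tokens",
            "patch and restore fully before returning to service",
        ]
        return 0, actions

    if a.ict_clean is None:
        actions.append("run the updated Integrity Checker Tool first")

    if not is_vulnerable(a.product, a.version):
        actions.append("patched build; keep monitoring authentication services")
        return 3, actions

    fixed = FIXED_VERSIONS[a.product]
    if fixed is None:
        # No patch shipped yet: internet exposure is the thing to fix now.
        if a.internet_exposed:
            actions.append("no patch yet: remove internet exposure now")
            return 1, actions
        actions.append("no patch yet: keep off the internet until the fix ships")
        return 2, actions

    actions.append(f"factory reset (given a clean ICT result), then upgrade to {fixed}")
    return (1 if a.internet_exposed else 2), actions


def triage_inventory(appliances: List[Appliance]) -> List[Tuple[int, str, List[str]]]:
    """Order the fleet most-urgent first as (priority, name, actions) rows."""
    rows = []
    for a in appliances:
        priority, actions = triage(a)
        rows.append((priority, a.name, actions))
    rows.sort(key=lambda r: (r[0], r[1]))
    return rows


# Constructed sample inventory; names, versions and ICT results are invented.
INVENTORY = [
    Appliance("vpn-edge-1", "Connect Secure", "22.7R2.4", True, False),
    Appliance("vpn-edge-2", "Connect Secure", "22.7R2.5", True, True),
    Appliance("nac-core", "Policy Secure", "22.7R1.1", True, True),
    Appliance("zta-gw", "Neurons for ZTA", "22.7R2.3", False, None),
]

if __name__ == "__main__":
    for priority, name, actions in triage_inventory(INVENTORY):
        print(f"[P{priority}] {name}")
        for step in actions:
            print(f"    - {step}")
```

Running it lists the compromised Connect Secure appliance first, then the internet-facing Policy Secure box that cannot yet be patched, then the ZTA gateway still awaiting an ICT run, and last the already-upgraded appliance. The version parser rejects anything that does not match the assumed shape rather than silently comparing strings, which is the usual way "22.7R2.10" ends up sorting below "22.7R2.5".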

The NCSC is investigating cases of active exploitation affecting UK networks [4]. Ivanti has been collaborating with affected customers [3] [5] [8], external security partners [3] [5], and law enforcement in response to these vulnerabilities and continues to monitor the situation closely [5].

Conclusion

The vulnerabilities in Ivanti’s products present significant security challenges, with active exploitation already occurring. Immediate patching and adherence to recommended security measures are crucial to mitigate risks. Organizations must remain vigilant, monitor for malicious activities [6], and report any incidents to the appropriate authorities. The ongoing collaboration between Ivanti, security partners [3] [4] [5] [6], and law enforcement underscores the importance of a coordinated response to cyber threats. Future vigilance and timely updates will be essential in safeguarding against similar vulnerabilities.

References

[1] https://securityonline.info/cve-2025-0282-cvss-9-0-ivanti-confirms-active-exploitation-of-critical-flaw/
[2] https://www.rapid7.com/blog/post/2025/01/08/etr-cve-2025-0282-ivanti-connect-secure-zero-day-exploited-in-the-wild/
[3] https://www.techtarget.com/searchSecurity/news/366617819/Critical-Ivanti-Connect-Secure-zero-day-flaw-under-attack
[4] https://www.infosecurity-magazine.com/news/critical-ivanti-zeroday-exploited/
[5] https://www.csoonline.com/article/3652369/ivanti-warns-critical-rce-flaw-in-connect-secure-exploited-as-zero-day.html
[6] https://www.cisa.gov/news-events/alerts/2025/01/08/ivanti-releases-security-updates-connect-secure-policy-secure-and-zta-gateways
[7] https://digital.nhs.uk/cyber-alerts/2025/cc-4602
[8] https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day
[9] https://www.tenable.com/blog/cve-2025-0282-ivanti-connect-secure-zero-day-vulnerability-exploited-in-the-wild
[10] https://techcrunch.com/2025/01/09/hackers-are-exploiting-a-new-ivanti-vpn-security-bug-to-hack-into-company-networks/
[11] https://nvd.nist.gov/vuln/detail/CVE-2025-0282