Palo Alto Networks has issued a detailed threat briefing on two critical vulnerabilities in Ivanti products—CVE-2025-0282 and CVE-2025-0283. The vulnerabilities affect Ivanti’s Connect Secure, Policy Secure, and ZTA gateway appliances, widely used to enable remote network connections.
CVE-2025-0282 is a stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Policy Secure before version 22.7R1.2, and ZTA gateways before version 22.7R2.3. It allows unauthenticated attackers to achieve remote code execution (RCE) by sending a specially crafted request to vulnerable appliances. This vulnerability has been rated critical, with a CVSS score of 9.0.
Meanwhile, CVE-2025-0283, also a stack-based buffer overflow, enables local authenticated attackers to escalate their privileges on affected devices. Though rated as high severity with a CVSS score of 7.0, no active exploitation of this vulnerability has been observed to date.
Exploitation of CVE-2025-0282 has been documented by multiple cybersecurity organizations, including Mandiant, Watchtowr Labs, and Palo Alto Networks. Attackers have been observed using this zero-day flaw to infiltrate internal networks. Palo Alto Networks detailed, “Our telemetry reveals a threat actor potentially exploited the CVE-2025-0282 zero-day, pre-authentication remote code execution vulnerability in a public-facing Ivanti Connect Secure (ICS) VPN appliance in late December 2024.”
The activity cluster, tracked as CL-UNK-0979, involves a four-phase attack:
- Initial Access: Attackers gain entry by exploiting CVE-2025-0282 on exposed Ivanti appliances.
- Credential Harvesting & Lateral Movement: A custom Perl script named ldap.pl is used to collect credentials, which are later used for RDP-based lateral movement within the victim’s network.
- Defense Evasion: Log files are systematically deleted, and directories such as /var/cores on compromised appliances are cleared to hinder forensic investigation.
- Persistence: Backdoors like SPAWNSNAIL and custom malware tools establish persistent access to targeted systems.
Attack Tools and Techniques
- Custom Perl Script: The script ldap.pl was used to extract and decrypt credentials from Ivanti appliances.
- Memory Dumping Tool: A tool named package.dll, leveraging Visual Studio’s MSBuild.exe, was used to harvest LSASS memory for credentials.
- DLL Side-Loading: Malicious DLLs like deelevator64.dll and vixDiskLib.dll enabled attackers to sideload backdoors into the system.
Attackers used multiple Command and Control (C2) servers, including:
- 168.100.8[.]144
- 193.149.180[.]128
File artifacts such as vixDiskLib.dll and deelevator64.dll were linked to lateral movement and persistence.
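A defender-side illustration of the indicators above, added here and not part of the Palo Alto Networks briefing: it refangs the published C2 addresses, then scans log lines for those addresses, the named file artifacts, and the MSBuild.exe-to-LSASS access pattern. The log lines, field layout and file paths are constructed for the example, not real telemetry or a real product schema.

```python
import re

# Indicators as quoted in the briefing, kept defanged as published.
C2_IPS_DEFANGED = ["168.100.8[.]144", "193.149.180[.]128"]
SUSPECT_FILES = ["ldap.pl", "package.dll", "deelevator64.dll", "vixDiskLib.dll"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def scan(lines):
    """Return (line_no, indicator, reason) for each line matching a C2 address,
    a named file artifact, or MSBuild.exe touching lsass.exe."""
    c2 = {refang(ip) for ip in C2_IPS_DEFANGED}
    files = [f.lower() for f in SUSPECT_FILES]
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for ip in c2:
            # Boundary checks so 193.149.180.128 does not match 193.149.180.1280.
            if re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", line):
                hits.append((n, ip, "c2_ip"))
        for f in files:
            if f in low:
                hits.append((n, f, "file_artifact"))
        # Credential dumping via MSBuild.exe reading LSASS memory (briefing's package.dll).
        if "msbuild.exe" in low and "lsass.exe" in low:
            hits.append((n, "msbuild.exe->lsass.exe", "lsass_access"))
    return hits


# Constructed sample lines (hypothetical proxy/endpoint format, not real telemetry).
SAMPLE_LOGS = [
    "2024-12-29T03:14:07Z proxy src=10.0.5.21 dst=168.100.8.144:443 action=allow",
    "2024-12-29T03:15:50Z endpoint ProcessAccess SourceImage=C:\\Tools\\MSBuild.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe",
    "2024-12-29T03:16:02Z endpoint ImageLoad Image=C:\\Users\\Public\\deelevator64.dll",
    "2024-12-29T03:16:30Z proxy src=10.0.5.22 dst=193.149.180.1280:443 action=allow",
    "2024-12-29T03:17:00Z proxy src=10.0.5.23 dst=8.8.8.8:53 action=allow",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

The fourth sample line is a near-miss address and is deliberately not flagged; in practice the file-name check should be combined with path or signer context, since the legitimate vixDiskLib.dll exists on systems running VMware tooling.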
Ivanti has released patches for these vulnerabilities and recommends immediate updates to all affected systems. Ivanti's advisory highlights the criticality of applying the patches, particularly for Connect Secure appliances, which have been the primary target. Ivanti also encourages customers to use its Integrity Checker Tool (ICT) to monitor for suspicious activity.