On January 8, 2025, Ivanti disclosed an actively exploited zero-day vulnerability, tracked as CVE-2025-0282, affecting its Connect Secure appliances. This critical stack-based buffer overflow vulnerability, rated 9.0 on the CVSS scale, allows unauthenticated attackers to remotely execute code on vulnerable devices.
According to Shadowserver, a security threat monitoring platform, 2,048 potentially vulnerable instances were detected globally as of January 9, 2025. While the flaw impacts multiple Ivanti products, including Policy Secure and Neurons for ZTA gateways, Ivanti has confirmed that exploitation has so far been limited to Connect Secure appliances.
A security advisory by Ivanti stated, “We are aware of a limited number of customers’ Ivanti Connect Secure appliances which have been exploited by CVE-2025-0282 at the time of disclosure.” Even so, because these appliances sit at the network edge and terminate VPN sessions, a compromised device gives an attacker a foothold into the internal network, so the risk extends well beyond the appliance itself.
According to Mandiant, exploitation of the vulnerability began in mid-December 2024. Threat actors have used CVE-2025-0282 to deploy malware on compromised appliances, giving them control of the device and a foothold into the networks behind it. Ivanti identified the exploitation through its Integrity Checker Tool (ICT), which flagged signs of tampering on affected appliances during routine scans.
The vulnerability affects the following Ivanti products:
- Ivanti Connect Secure versions before 22.7R2.5
- Ivanti Policy Secure versions before 22.7R1.2
- Ivanti Neurons for ZTA gateways versions before 22.7R2.3
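The version thresholds above are the practical triage criterion: anything below the fixed build for its product is in scope. The following script is an added example (not Ivanti's tooling and not from the original article) that parses Ivanti's `MAJOR.MINORrRELEASE.PATCH` version strings and checks an inventory against the fixed versions listed in the advisory. The inventory, host names and the assumption that a version string may carry a trailing build suffix separated by whitespace are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Fixed versions per product, as listed in Ivanti's advisory for CVE-2025-0282.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA gateways": "22.7R2.3",
}

# Matches strings such as "22.7R2.5", "22.7R2" or "9.1R18.9".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(ver: str) -> tuple[int, int, int, int]:
    """Parse an Ivanti version string into a tuple that compares numerically.

    A missing trailing patch component ("22.7R2") is treated as patch 0, so
    22.7R2 < 22.7R2.1 < 22.7R2.5. Assumption: anything after the first
    whitespace (e.g. a build number) is not part of the version.
    """
    core = ver.strip().split()[0]
    m = _VERSION_RE.match(core)
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {ver!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True if the running version is older than the fixed version for that product."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise KeyError(f"product not covered by the advisory: {product!r}")
    return parse_version(version) < parse_version(fixed)


@dataclass
class Finding:
    host: str
    product: str
    version: str
    vulnerable: bool
    fixed_in: str


def triage(inventory: list[tuple[str, str, str]]) -> list[Finding]:
    """Evaluate (host, product, version) records and return one Finding per host."""
    return [
        Finding(host, product, version, is_vulnerable(product, version),
                FIXED_VERSIONS[product])
        for host, product, version in inventory
    ]


# Constructed sample inventory; hostnames are hypothetical.
SAMPLE_INVENTORY = [
    ("vpn-01.example.test", "Ivanti Connect Secure", "22.7R2.4"),
    ("vpn-02.example.test", "Ivanti Connect Secure", "22.7R2.5"),
    ("nac-01.example.test", "Ivanti Policy Secure", "22.7R1.1"),
    ("zta-gw-01.example.test", "Ivanti Neurons for ZTA gateways", "22.7R2.3"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        status = "VULNERABLE" if f.vulnerable else "patched"
        print(f"{f.host:24} {f.product:32} {f.version:10} {status} (fixed in {f.fixed_in})")
```

Version comparison is done on the parsed tuple rather than on the string, because a lexical comparison would rank "22.7R2.10" below "22.7R2.5". Hosts flagged here still need the ICT scan described later in the article: a vulnerable version tells you the appliance was exposed, not whether it was actually compromised.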
This stack-based buffer overflow is triggered by specially crafted packets sent to the appliance and results in unauthenticated remote code execution. The flaw is especially dangerous because it is reachable over the network and requires neither valid credentials nor any user interaction.
Today, security researcher Sina Kheirkhah from watchTowr published technical details of the flaw, highlighting its exploitation mechanics and potential impact.
Ivanti released a patch for Connect Secure appliances in firmware version 22.7R2.5. However, patches for Policy Secure and Neurons for ZTA Gateways are delayed until January 21, 2025. Ivanti recommends the following immediate actions for administrators:
- Perform ICT Scans: Run both the internal and the external Integrity Checker Tool. The external scan runs independently of the appliance's own software and is therefore the more trustworthy of the two if the device has already been tampered with.
- Factory Reset: If the scans show no compromise, Ivanti still recommends a factory reset before upgrading to 22.7R2.5 as a precaution. If a compromise is detected, the reset removes any malware the attacker placed on the device before the patched firmware is applied.
- Upgrade to 22.7R2.5: Ensure every Connect Secure appliance is running the patched firmware; a reset without the upgrade leaves the device exploitable again.