watchTowr Labs published a detailed analysis of the vulnerability and a proof-of-concept (PoC) exploit for CVE-2025-0282, a critical zero-day vulnerability in Ivanti Connect Secure that attackers are actively exploiting to install malware on vulnerable devices. Rated CVSS 9.0 (critical severity), this stack-based buffer overflow lets unauthenticated attackers remotely execute code on affected systems.
CVE-2025-0282 affects several Ivanti products, including:
- Ivanti Connect Secure (prior to version 22.7R2.5)
- Ivanti Policy Secure (prior to version 22.7R1.2)
- Ivanti Neurons for ZTA Gateways (prior to version 22.7R2.3)
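The affected-version list above is stated as "prior to version X" for each product, so the first triage step is comparing what an inventory reports against those fixed versions. The following helper is an added example written for this page; it is not Ivanti's or watchTowr's code. It assumes that Ivanti version strings follow the pattern major.minor R release [. patch] (for example "22.7R2.4"), that a missing patch number means ".0", and that any numerically lower version is flagged; the sample inventory it runs over is constructed for illustration.

```python
"""Triage helper for CVE-2025-0282: flag inventory entries whose version is
below the fixed version named in the advisory text.

Added example, not Ivanti's or watchTowr's code. The version format
(<major>.<minor>R<release>[.<patch>]) and the sample inventory are assumptions
made for illustration.
"""

import re
from typing import Dict, List, Tuple

# Fixed versions exactly as listed in the advisory text above.
FIXED_VERSIONS: Dict[str, str] = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA Gateways": "22.7R2.3",
}

# Assumed format: "22.7R2.4" -> major 22, minor 7, release 2, patch 4.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an Ivanti-style version string into a comparable tuple.

    A missing patch component (e.g. "22.7R2") is treated as patch 0, so
    "22.7R2" < "22.7R2.1" < "22.7R2.5" < "22.7R3" under tuple ordering.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True when `version` is strictly below the fixed version for `product`."""
    fixed = FIXED_VERSIONS[product]  # KeyError for products not in the advisory
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Split an inventory into hosts that need the patch and hosts that need
    manual review because their product or version could not be evaluated.

    A host that is at or above the fixed version is deliberately not reported
    as "clean": exploitation predates the patch, so version alone says nothing
    about whether the appliance was already compromised.
    """
    result: Dict[str, List[str]] = {"patch": [], "review": []}
    for host in inventory:
        name = host.get("hostname", "<unknown host>")
        try:
            vulnerable = is_vulnerable(host["product"], host["version"])
        except (KeyError, ValueError):
            # Unknown product or unparseable version: do not silently pass it.
            result["review"].append(name)
            continue
        if vulnerable:
            result["patch"].append(name)
    return result


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"hostname": "vpn-01", "product": "Ivanti Connect Secure", "version": "22.7R2.4"},
    {"hostname": "vpn-02", "product": "Ivanti Connect Secure", "version": "22.7R2.5"},
    {"hostname": "nac-01", "product": "Ivanti Policy Secure", "version": "22.7R1.1"},
    {"hostname": "zta-01", "product": "Ivanti Neurons for ZTA Gateways", "version": "22.7R2.3"},
    {"hostname": "vpn-03", "product": "Ivanti Connect Secure", "version": "unknown"},
]


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the "patch" bucket need the update; hosts in "review" had a product or version string the helper could not evaluate and must be checked by hand rather than assumed safe. Hosts already at the fixed version are not listed, by design: a current version number is not evidence that the appliance was never compromised.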
The vulnerability is a stack-based buffer overflow in the code that handles IF-T connections. Because the overflow is reachable without authentication, a successful exploit lets an attacker execute arbitrary shell commands and take full control of the compromised appliance.
Ivanti said it discovered the active exploitation after its Integrity Checker Tool (ICT) flagged suspicious activity on customer appliances. An internal investigation then confirmed that CVE-2025-0282 was being exploited as a zero-day.
“The root cause of CVE-2025-0282 – a stack-based buffer overflow in code designed to handle IF-T connections,” explained watchTowr Labs, which conducted a detailed analysis of the vulnerability. Within a week of Ivanti’s patch release, watchTowr Labs published a PoC exploit capable of executing shell commands on unpatched devices. A separate Ruby-based PoC from Stephen Fewer further underscored the vulnerability’s severity and how easily threat actors could exploit it.
In response to the escalating threat, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0282 to its Known Exploited Vulnerabilities (KEV) catalog and ordered U.S. federal civilian agencies to remediate affected devices by January 15, 2025.
Organizations running Ivanti Connect Secure, Policy Secure, or Neurons for ZTA Gateways are strongly urged to apply the available patches immediately. Because exploitation was underway before the patch existed, updating alone does not show that an appliance is clean: run the Integrity Checker Tool as well and investigate any appliance it flags.