Researchers in a frenzy due to newly discovered Ivanti vulnerability
A critical zero-day vulnerability, identified as CVE-2025-0282, has been discovered in Ivanti Connect Secure VPN appliances, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways. This vulnerability, a stack-based buffer overflow, allows unauthenticated remote attackers to execute arbitrary code on vulnerable devices: remote code execution (RCE) without any authentication.
Current Status
Active exploitation of CVE-2025-0282 has been observed, primarily targeting Ivanti Connect Secure appliances. At the time of disclosure, exploitation of these devices was limited but ongoing. No confirmed active exploitation has been reported for Ivanti Policy Secure or Ivanti Neurons for ZTA gateways, although risk exists depending on the deployment configuration.
Researchers have detected several malware samples on systems compromised via this vulnerability, including credential harvesters like DRYHOOK and droppers such as PHASEJAM. Public proof-of-concept (PoC) exploits have also appeared, increasing the risk of widespread abuse by threat actors.
Potential Impact
Since the vulnerability enables unauthenticated remote code execution, attackers can fully compromise affected systems remotely, potentially taking control of critical network access points. When combined with a related vulnerability (CVE-2025-0283), attackers can escalate privileges on the system, gaining higher-level control. Ivanti Connect Secure appliances, which are typically internet-facing, are at the highest risk, while Policy Secure and ZTA gateways have lower exposure but remain vulnerable if improperly configured.
While no advanced persistent threat (APT) group has been conclusively linked so far, ransomware groups such as Black Basta have exploited a wide range of vulnerabilities, including ones in Ivanti products, so exploitation by criminal groups is possible.
Recommended Actions
Ivanti has released fixes in specified versions for all affected products. Updating affected products to the latest patched versions is strongly recommended to mitigate exploitation. Given that the exploit targets network gateways, administrators should restrict internet-facing access to Ivanti appliances wherever possible, deploy monitoring to detect signs of exploitation, including the malware linked to CVE-2025-0282, and apply defensive measures accordingly.
In summary, CVE-2025-0282 represents a severe security risk with confirmed active exploitation facilitating remote control of critical Ivanti network gateways. Immediate patching and vigilance are essential to prevent compromise and potential further attacks stemming from this vulnerability.
- The discovered vulnerability, CVE-2025-0282, is being actively exploited, primarily against Ivanti Connect Secure appliances, and is a significant threat intelligence concern.
- Because the vulnerability permits unauthenticated remote code execution, it could compromise the confidentiality and security of the systems and data behind these gateways, so incident response readiness is crucial.
- With the emergence of public proof-of-concept exploits and malware samples such as DRYHOOK and PHASEJAM, defenses must be strengthened by updating affected Ivanti products and deploying monitoring to detect signs of exploitation.
- Given the potential impact, including the possibility of ransomware attacks, organizations should update Ivanti products, restrict internet-facing access, and implement defensive measures against the threat posed by CVE-2025-0282.