Ivanti Warns of Critical Connect Secure Vulnerability Exploited in Zero-Day Attacks
Summary:
Ivanti has issued an urgent warning about a critical remote code execution vulnerability, CVE-2025-0282, that is being actively exploited in zero-day attacks against Ivanti Connect Secure appliances. The flaw, with a CVSS score of 9.0, affects Ivanti Connect Secure before 22.7R2.5, Ivanti Policy Secure before 22.7R1.2, and Ivanti Neurons for ZTA gateways before 22.7R2.3.
Threat actors have used the vulnerability to install malware on compromised devices, and Ivanti confirms that Connect Secure appliances are the primary target. Ivanti Policy Secure and Neurons for ZTA gateways carry the same flaw, but at the time of the advisory Ivanti was not aware of exploitation on those platforms.
Details of the Vulnerability:
- CVE-2025-0282: A stack-based buffer overflow that allows unauthenticated remote code execution.
- Affected Products:
  - Ivanti Connect Secure (pre-22.7R2.5)
  - Ivanti Policy Secure (pre-22.7R1.2)
  - Ivanti Neurons for ZTA gateways (pre-22.7R2.3)
- Exploitation Status: Actively exploited on Connect Secure appliances; no exploitation observed on Policy Secure or ZTA gateways.
Patches and Suggested Corrections:
- Ivanti Connect Secure: Fixed in version 22.7R2.5, available now.
- Ivanti Policy Secure and Neurons for ZTA gateways: Fixes scheduled for January 21, 2025.
- Policy Secure Risk: Lower, because Ivanti does not intend Policy Secure to be internet-facing. The flaw is still present, so until the fix ships the exposure depends on the appliance actually being kept off the internet.
- ZTA Risk: A gateway in production (connected to its ZTA controller) cannot be exploited; exploitation is only possible if a gateway has been generated but left unconnected to the controller.
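The fixed builds above are the only thing an administrator needs to decide which appliances in an estate are affected, but Ivanti's version strings (22.7R2.5, 22.6R2, 9.1R18.9) do not sort as plain numbers. The script below is an added example, not Ivanti tooling or code from the sources: it parses that version format, compares each appliance against the fixed version for its product, and orders the findings by urgency using the exposure rules the advisory gives (Connect Secure exploited in the wild; Policy Secure only at risk if internet-facing). The inventory is constructed for illustration; the field names and status labels are this example's own.

```python
"""Added example: triage an appliance inventory against the fixed versions
named in Ivanti's CVE-2025-0282 advisory. Not Ivanti code; the inventory
below is constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fixed versions from the advisory. "Prior to" means numerically lower, so
# older branches such as 22.6Rx are flagged as well.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA gateways": "22.7R2.3",
}

# Products on which Ivanti reports exploitation in the wild.
EXPLOITED_IN_THE_WILD = {"Ivanti Connect Secure"}

# Ivanti versions are major.minor, optionally followed by R<release> and an
# optional .<patch>: 22.7R2.5, 22.7R3, 22.6R2, 9.1R18.9 all match.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+)(?:\.(\d+))?)?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an Ivanti version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release or 0), int(patch or 0))


def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True if version is prior to the fixed build; None if the product
    is not covered by this advisory."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


@dataclass
class Appliance:
    name: str
    product: str
    version: str
    internet_facing: bool


# Ordering used to put the most urgent findings first.
_PRIORITY = {
    "vulnerable-exploited": 0,   # affected product with observed exploitation
    "vulnerable-exposed": 1,     # affected, no fix yet, and reachable from the internet
    "vulnerable": 2,             # affected, no fix yet, not internet-facing
    "patched": 3,
    "not-in-advisory": 4,
}


def triage(appliances: List[Appliance]) -> List[Tuple[str, str, str]]:
    """Return (name, status, action) per appliance, most urgent first."""
    rows = []
    for a in appliances:
        vuln = is_vulnerable(a.product, a.version)
        if vuln is None:
            rows.append((a.name, "not-in-advisory", "no action for CVE-2025-0282"))
        elif not vuln:
            rows.append((a.name, "patched", "none"))
        elif a.product in EXPLOITED_IN_THE_WILD:
            rows.append((a.name, "vulnerable-exploited",
                         f"run ICT now; factory reset, then upgrade to {FIXED_VERSIONS[a.product]}"))
        elif a.internet_facing:
            rows.append((a.name, "vulnerable-exposed",
                         "remove from the internet; apply fix when released"))
        else:
            rows.append((a.name, "vulnerable", "apply fix when released"))
    rows.sort(key=lambda r: _PRIORITY[r[1]])
    return rows


# Constructed inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    Appliance("vpn-a", "Ivanti Connect Secure", "22.7R2.4", True),
    Appliance("vpn-b", "Ivanti Connect Secure", "22.7R2.5", True),
    Appliance("vpn-old", "Ivanti Connect Secure", "22.6R2", True),
    Appliance("nac-1", "Ivanti Policy Secure", "22.7R1.1", False),
    Appliance("nac-dmz", "Ivanti Policy Secure", "22.7R1.1", True),
    Appliance("zta-gw-1", "Ivanti Neurons for ZTA gateways", "22.7R2.3", False),
    Appliance("epm-1", "Ivanti Endpoint Manager", "2024.1", False),
]

if __name__ == "__main__":
    for name, status, action in triage(SAMPLE_INVENTORY):
        print(f"{name:10} {status:22} {action}")
```

The comparison is deliberately strict: a build that is numerically lower than the fixed version on any component is reported as affected, which is how the advisory's "prior to" wording should be read. A "patched" result only says the build is at or above the fixed version; it does not replace an ICT scan on an appliance that was exposed before the upgrade.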
Recommendations:
- Immediate Action for Connect Secure Admins:
  - Run both internal and external ICT (Integrity Checker Tool) scans.
  - If the scans are clean, perform a factory reset as a precaution before upgrading to 22.7R2.5.
  - If the scans show signs of compromise, perform a factory reset to remove the malware, then upgrade to 22.7R2.5.
- Policy Secure Admins: Make sure appliances are not exposed to the internet, and apply the fix as soon as it is released.
- ZTA Admins: Do not leave generated but unconnected gateways in place until the fix is available.
Additional Vulnerability:
- CVE-2025-0283: A second stack-based buffer overflow (CVSS 7.0) that allows a local authenticated attacker to escalate privileges. It is fixed in the same releases but is not known to be exploited.
Ongoing Investigation:
Ivanti is working with Mandiant and the Microsoft Threat Intelligence Center to investigate the attacks. Reports on the malware deployed in this campaign are expected soon.
Context and Previous Incidents:
This follows a series of zero-day exploits targeting Ivanti products, including an October 2024 attack on Cloud Services Appliances (CSA). These incidents highlight the ongoing threat to Ivanti’s products and the need for immediate patching and proactive security measures.
Sources:
https://www.bleepingcomputer.com/ne...connect-secure-flaw-used-in-zero-day-attacks/
https://www.ivanti.com/blog/security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways