Ivanti Warns of New Connect Secure Flaw Used in Zero-Day Attacks
Summary:
Ivanti has issued an urgent warning about a critical zero-day vulnerability, CVE-2025-0282, which attackers exploited to install malware on Ivanti Connect Secure appliances. The flaw, rated CVSS 9.0, is a stack-based buffer overflow that allows unauthenticated remote code execution on Ivanti Connect Secure versions before 22.7R2.5, Ivanti Policy Secure versions before 22.7R1.2, and Ivanti Neurons for ZTA gateways before 22.7R2.3. Although all three products are affected, exploitation has so far been observed only on Connect Secure appliances. Ivanti became aware of the attacks when its Integrity Checker Tool (ICT) flagged malicious activity on customer appliances. After confirming active exploitation, Ivanti released a fix for Connect Secure in version 22.7R2.5; the fixes for Policy Secure and Neurons for ZTA gateways were scheduled for release on January 21, 2025.
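The version boundaries above are the first thing to check against an appliance inventory. The script below is an added example written for this page, not Ivanti code: it parses Ivanti's major.minorRrelease.patch version notation (for example 22.7R2.5) into a comparable tuple, flags any build older than the fixed version for its product, and separates "patch available" from "patch pending" using the release status stated in the summary. The product-name keys, the PATCH_SHIPPED set and the sample inventory (hostnames and versions) are assumptions constructed for the example. A non-vulnerable version number is only a first pass; it does not replace running the ICT, since an appliance may already have been compromised before it was upgraded.

```python
import re
from typing import NamedTuple

# Fixed versions as stated in the advisory summary above.
FIXED_VERSIONS = {
    "Connect Secure": "22.7R2.5",
    "Policy Secure": "22.7R1.2",
    "Neurons for ZTA gateways": "22.7R2.3",
}

# Assumption: only the Connect Secure fix had shipped when the advisory was
# issued; the other two were scheduled for January 21, 2025 (per the page).
# Update this set once those builds are published.
PATCH_SHIPPED = {"Connect Secure"}

# <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5 or 22.7R2
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn Ivanti's '22.7R2.5' notation into a tuple that compares correctly.

    A missing patch number is treated as 0, so '22.7R2' sorts below '22.7R2.1'.
    Plain string comparison would get this wrong ('22.7R2.10' < '22.7R2.5').
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the running build is older than the fixed build for that product."""
    fixed = FIXED_VERSIONS[product]  # KeyError for unknown products is deliberate
    return parse_version(version) < parse_version(fixed)


class Finding(NamedTuple):
    host: str
    product: str
    version: str
    status: str


def triage(inventory: list[dict[str, str]]) -> list[Finding]:
    """Classify each appliance; unparsable entries are reported, never silently skipped."""
    findings = []
    for item in inventory:
        host, product, version = item["host"], item["product"], item["version"]
        try:
            if not is_vulnerable(product, version):
                status = "up to date"
            elif product in PATCH_SHIPPED:
                status = "vulnerable - patch available"
            else:
                status = "vulnerable - patch pending"
        except (KeyError, ValueError) as exc:
            status = f"needs manual review ({exc})"
        findings.append(Finding(host, product, version, status))
    return findings


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "vpn-edge-01", "product": "Connect Secure", "version": "22.7R2.4"},
    {"host": "vpn-edge-02", "product": "Connect Secure", "version": "22.7R2.5"},
    {"host": "nac-core-01", "product": "Policy Secure", "version": "22.7R1.1"},
    {"host": "zta-gw-01", "product": "Neurons for ZTA gateways", "version": "22.7R2.3"},
    {"host": "vpn-legacy", "product": "Connect Secure", "version": "22.6R2"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:12} {f.product:26} {f.version:10} {f.status}")
```

The numeric tuple comparison matters because Ivanti's scheme is not lexically sortable once a component reaches two digits; feeding the output into a ticketing system is left to the reader.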
Security Officer Comments:
Ivanti noted that Policy Secure and ZTA gateways are less likely to be exploited because of how they are typically deployed. Policy Secure appliances are normally not internet-facing, which reduces exposure, and a ZTA gateway cannot be exploited once it is in production; the risk applies only to a gateway that has been generated but left unconnected to a ZTA controller. Administrators should confirm these systems are deployed as intended and apply the fixes as soon as they are available.
Suggested Corrections:
Alongside CVE-2025-0282, Ivanti has also patched CVE-2025-0283, a second stack-based buffer overflow that allows a local, authenticated attacker to escalate privileges. Ivanti is not aware of in-the-wild exploitation of this flaw, but it is fixed in the same releases, so upgrading addresses both. Ivanti is collaborating with Mandiant and the Microsoft Threat Intelligence Center to investigate the attacks and expects to publish detailed reports on the malware soon.
To address potential compromise of Connect Secure appliances, Ivanti recommends running the ICT. If the scan finds no evidence of compromise, Ivanti still recommends a factory reset as a precaution before upgrading to version 22.7R2.5. If the scan indicates compromise, the factory reset removes the malware; the appliance is then rebuilt on 22.7R2.5 before being returned to production.
Link(s):
https://www.bleepingcomputer.com/ne...connect-secure-flaw-used-in-zero-day-attacks/
https://www.ivanti.com/blog/securit...re-policy-secure-and-neurons-for-zta-gateways