
Intruders Install Hidden Access Points within Ivanti Connect Secure Devices

Shadowserver scans have identified 379 compromised Ivanti Connect Secure devices. Researchers warn that the issue is serious and may affect multiple organizations.

Unauthorized access points inserted by intruders onto Ivanti Connect Secure devices


A critical zero-day vulnerability, CVE-2025-0282, has been identified in Ivanti Connect Secure, a widely deployed VPN product. The flaw is a stack-based buffer overflow that allows unauthenticated remote attackers to execute arbitrary code on affected devices.

The exposure is broad: Ivanti Connect Secure versions before 22.7R2.5 are vulnerable. Related products, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways, are also affected but pose a lower risk because they are not normally internet-facing or require specific configurations for exploitation.

Active exploitation of CVE-2025-0282 has been observed primarily on Ivanti Connect Secure appliances. Malware samples linked to compromised systems have been traced, including credential harvesters and droppers such as DRYHOOK and PHASEJAM. However, no direct link to advanced persistent threat (APT) groups has been established yet.

Several researchers, including Stephen Fewer from Rapid7, have expressed concerns about the active exploitation of this vulnerability. Fewer warns that compromising a VPN appliance can provide an attacker with a gateway into a network and access to user credentials, making it a very serious incident.

Motheram, another security researcher, has suggested that there is increasingly little justification for using Ivanti devices from a security standpoint, given the repeated history of critical security flaws and global incidents tied to Ivanti products.

To mitigate potential damage from this zero-day exploit, organizations using Ivanti Connect Secure are urged to update to version 22.7R2.5 or later as soon as possible. For systems that cannot be immediately patched, it is recommended to restrict exposure of Ivanti Connect Secure appliances to the internet or untrusted networks.

Active monitoring for indicators of compromise (IoCs) related to this vulnerability is also crucial. Organizations should review logs and investigate any suspicious activity tied to remote code execution or privilege escalation attempts on affected devices.
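One defender-side check the two paragraphs above call for is a quick inventory triage: which appliances are still below the fixed release, and which of those are internet-facing and should have exposure restricted until they are patched. The Python below is an added example, not code from this page, from Ivanti, or from the researchers quoted. It assumes Ivanti Connect Secure version strings follow the shape of 22.7R2.5 (major.minor, "R" plus release number, optional ".patch"); only 22.7R2.5 itself appears on the page, so the general shape is an assumption, and the inventory entries are constructed sample data.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple

# Fixed release named in the advisory text above.
FIXED_VERSION = "22.7R2.5"

# Assumed structure of an Ivanti Connect Secure version string such as
# "22.7R2.5": major.minor, then "R" + release, then an optional ".patch".
# Only "22.7R2.5" is on the page; the general pattern is an assumption.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")


class IcsVersion(NamedTuple):
    major: int
    minor: int
    release: int
    patch: int


def parse_version(text: str) -> IcsVersion:
    """Parse '22.7R2.5' into a numerically comparable tuple.

    A missing patch component (e.g. '22.7R2') is treated as patch 0, so it
    sorts before any '22.7R2.N' build.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return IcsVersion(int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the appliance runs a release older than the fixed one.

    Comparison is numeric per component, so '22.7R2.10' correctly counts as
    newer than '22.7R2.5' (a plain string compare would get this wrong).
    """
    return parse_version(version) < parse_version(fixed)


# Inventory rows: (hostname, reported version, internet_facing)
Finding = Tuple[str, str, bool, str]


def triage(inventory: Iterable[Tuple[str, str, bool]]) -> List[Finding]:
    """Return appliances that still need attention, most urgent first.

    Internet-facing unpatched appliances are listed before internal ones,
    matching the advice above to restrict exposure where patching must wait.
    Unparseable versions are reported rather than silently skipped.
    """
    findings: List[Finding] = []
    for host, version, exposed in inventory:
        try:
            vulnerable = is_vulnerable(version)
        except ValueError:
            findings.append((host, version, exposed, "version unparseable; verify manually"))
            continue
        if vulnerable:
            findings.append((host, version, exposed, f"update to {FIXED_VERSION} or later"))
    findings.sort(key=lambda f: (not f[2], f[0]))
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("vpn-a", "22.7R2.4", True),
    ("vpn-b", "22.7R2.5", True),
    ("vpn-c", "22.7R2", False),
    ("vpn-d", "unknown", False),
]

if __name__ == "__main__":
    for host, version, exposed, action in triage(SAMPLE_INVENTORY):
        where = "internet-facing" if exposed else "internal"
        print(f"{host:8} {version:10} {where:16} {action}")
```

Feed `triage` the output of whatever asset inventory records appliance versions; an appliance that reports a version the regex does not recognise is flagged for manual verification rather than assumed safe.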

The Cybersecurity and Infrastructure Security Agency has added 12 Ivanti CVEs to its known exploited vulnerabilities catalog since Jan. 1, 2024. As of Friday, Censys found 13,954 Ivanti Connect Secure devices exposed and unpatched, excluding honeypots.

This is not the first time Ivanti products have been targeted by active vulnerabilities. Multiple attack sprees during the last year targeted zero-day vulnerabilities in Ivanti Connect Secure, Ivanti Cloud Service Appliance, and Ivanti Endpoint Manager.

In brief, CVE-2025-0282 is a critical vulnerability under active exploitation in Ivanti Connect Secure products. Organizations must prioritize immediate patching, network exposure reduction, and active monitoring to mitigate potential damage from this zero-day exploit.

  1. Given the active exploitation of the critical vulnerability (CVE-2025-0282) in Ivanti Connect Secure, it is essential for organizations to update to version 22.7R2.5 or later as soon as possible to safeguard their finance and technology infrastructure from potential attacks.
  2. The extent of the vulnerability's risk is amplified by the fact that CVE-2025-0282, a stack-based buffer overflow, allows unauthenticated remote attackers to execute arbitrary code on affected devices, potentially leading to network breaches and user credential theft.
