Ivanti Warns of Connect Secure Zero-Day Attacks
Threat actors are exploiting a vulnerability in Ivanti Connect Secure appliances.
Update - Ivanti is warning of an exploited flaw in its Connect Secure VPN appliances, which could lead to unauthenticated remote code execution. The vulnerability (CVE-2025-0282) is one of two vulnerabilities disclosed on Wednesday by the company impacting its Connect Secure, Policy Secure and ZTA Gateway products.
“We are aware of a limited number of customers’ Ivanti Connect Secure appliances being exploited by CVE-2025-0282 at the time of disclosure,” according to Ivanti in a security advisory. “We are not aware of these CVEs being exploited in Ivanti Policy Secure or ZTA gateways.”
Mandiant researchers on Wednesday also published a post detailing the exploitation attacks, saying they started in mid-December and are linked to a suspected China-nexus espionage actor.
Key Details:
CVE-2025-0282 is a critical-severity, stack-based buffer overflow that can be triggered without authentication and lead to remote code execution, while the other flaw (CVE-2025-0283) is a high-severity, stack-based buffer overflow that could allow a local, authenticated attacker to escalate privileges
Patches are currently available for both flaws in Ivanti Connect Secure; however, patches won’t be available until Jan. 21 for both flaws in Ivanti Policy Secure and ZTA gateways
Ivanti said there is no indication of CVE-2025-0283 being exploited or chained in attacks with CVE-2025-0282. Instead, the company noted that “as we were conducting our threat hunting, we also discovered the vulnerability being disclosed as CVE-2025-0283 and included it in the patch as well”
Vendor Response: Ivanti said that customers can check for exploitation of CVE-2025-0282 through its Integrity Checker Tool (ICT), which is designed to operate with the updated Connect Secure version 22.7R2.5. For Ivanti Connect Secure, if the ICT results show signs of compromise, customers should perform a factory reset on the appliance and put the appliance back into production using the most recent updated version.
While patches for Policy Secure and Ivanti Neurons for ZTA gateways aren’t planned until Jan. 21, Ivanti said that it is not aware of the CVEs being exploited in these products. Ivanti Policy Secure is not intended to be internet facing, which lowers the risk of exploitation, the company said, while the Ivanti Neurons for ZTA gateways can’t be exploited while in production. A full breakdown of the impacted versions of each product is available in Ivanti’s security advisory.
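The advisory names 22.7R2.5 as the updated Connect Secure build, so the first triage step for most teams is simply working out which appliances in inventory are still running something older. The helper below is an added example written for this article, not Ivanti's own tooling: it parses Ivanti's `major.minorRrelease.patch` version strings and flags any Connect Secure appliance reporting a version below the fixed build. It assumes that "older than 22.7R2.5" is the right flag for follow-up; the actual affected-version list lives in Ivanti's advisory and should be checked against it. The inventory records are constructed sample data.

```python
"""Triage helper (added example): flag Ivanti Connect Secure appliances whose
reported version is older than the fixed build named in Ivanti's advisory.

Assumption: anything below FIXED_ICS_VERSION is treated as needing the update.
Confirm against the affected-version breakdown in the advisory itself.
"""
import re

# Fixed Connect Secure build named in the advisory.
FIXED_ICS_VERSION = "22.7R2.5"

# Ivanti versions look like 22.7R2.5 or 22.6R2 (patch digit optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn '22.7R2.5' into a comparable tuple (22, 7, 2, 5).

    A missing trailing patch number (e.g. '22.6R2') is treated as .0 so that
    22.6R2 sorts below 22.6R2.1, which matches how Ivanti numbers builds.
    Unrecognised strings raise rather than silently comparing as 'patched'.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def needs_update(version: str, fixed: str = FIXED_ICS_VERSION) -> bool:
    """True when `version` is strictly older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: list[dict]) -> dict[str, list[str]]:
    """Split an inventory into hosts to patch, hosts already on/above the fix,
    and hosts whose version string could not be parsed (these need a manual
    look rather than being assumed safe).
    """
    result: dict[str, list[str]] = {"update": [], "ok": [], "unknown": []}
    for record in inventory:
        host = record["host"]
        try:
            bucket = "update" if needs_update(record["version"]) else "ok"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "vpn-nyc-01", "version": "22.7R2.4"},   # below fix -> update
    {"host": "vpn-nyc-02", "version": "22.7R2.5"},   # fixed build -> ok
    {"host": "vpn-lon-01", "version": "22.6R2.3"},   # older train -> update
    {"host": "vpn-sfo-01", "version": "22.7R2"},     # no patch digit -> update
    {"host": "vpn-lab-01", "version": "n/a"},        # unparsable -> unknown
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8s} {', '.join(hosts) or '-'}")
```

Hosts in the `update` bucket are the ones to patch first; the `unknown` bucket exists so that a blank or malformed version field from an asset database never quietly lands in the "ok" pile. Whatever this flags, the page's own guidance still applies: run Ivanti's Integrity Checker Tool on the appliance and factory reset before returning it to service if it shows signs of compromise.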
The Big Picture: Ivanti has previously had security issues in its products, which is a particular problem because internet-accessible systems like VPN appliances have become a favorite target for threat actors. In 2024, Ivanti Connect Secure and Policy Secure were also at the center of attacks that exploited flaws in the products to install webshells and other malicious tools. Exploitation of those vulnerabilities eventually enabled threat actors to breach the systems of the Cybersecurity and Infrastructure Security Agency (CISA) in March 2024.
What’s Next: Mandiant and Microsoft researchers were credited with helping in the response to the threat, so we may learn more details about the flaws and related attacks in the coming weeks. In the meantime, customers should immediately visit Ivanti’s security advisory for further information about how to download updates.
This article was updated on Jan. 9 at 9am to reflect new information from Mandiant about the exploitation activity.