Ivanti VPN Zero-Day Vulnerability Actively Exploited in the Wild

Ivanti has disclosed that a critical zero-day vulnerability, CVE-2025-0282, in its Connect Secure VPN appliances is being actively exploited.

This vulnerability allows unauthenticated remote code execution and has already been exploited in a limited number of cases.

A second vulnerability, CVE-2025-0283, which enables local privilege escalation, has also been identified but is not known to have been exploited.

  • CVE-2025-0282: A stack-based buffer overflow rated as critical (CVSS score 9.0). It affects Ivanti Connect Secure (ICS) versions prior to 22.7R2.5, Ivanti Policy Secure (IPS) versions prior to 22.7R1.2, and Ivanti Neurons for ZTA gateways versions prior to 22.7R2.3. Exploitation enables remote attackers to execute arbitrary code without authentication.
  • CVE-2025-0283: Another stack-based buffer overflow rated as high severity (CVSS score 7.0). It affects the same products and allows local authenticated users to escalate their privileges.

Active Exploitation

Ivanti revealed that CVE-2025-0282 has been exploited in a limited number of Ivanti Connect Secure appliances. The exploitation was detected using Ivanti’s Integrity Checker Tool (ICT), which flagged malicious activity on affected systems.

However, no evidence suggests exploitation of this vulnerability in Ivanti Policy Secure or ZTA gateways.

The second vulnerability, CVE-2025-0283, was discovered during internal investigations but has not been exploited in the wild as of the disclosure date.

Ivanti has released an emergency patch for Connect Secure devices, resolving both vulnerabilities in version 22.7R2.5. Patches for Policy Secure and Neurons for ZTA gateways are scheduled for release on January 21, 2025.

For affected customers:

  • Connect Secure: Upgrade to version 22.7R2.5 immediately. If ICT scans show signs of compromise, perform a factory reset before applying the patch.
  • Policy Secure and ZTA Gateways: While these products are not known to have been exploited, customers are advised to follow best practices by ensuring they are not exposed to the internet and to await the January 21 patch.

Mandiant observed that the exploitation of CVE-2025-0282 was linked to a sophisticated threat actor cluster known as UNC5337, which is believed to be part of UNC5221.

The attackers deployed malware from the SPAWN ecosystem, including tools like SPAWNANT (installer), SPAWNMOLE (tunneler), and SPAWNSNAIL (SSH backdoor). These activities highlight the growing risks posed by advanced persistent threats targeting enterprise VPNs.

To help customers identify potential compromises, Ivanti recommends the use of its Integrity Checker Tool (ICT), both internally and externally. The ICT provides a snapshot of the current state of an appliance by analyzing file integrity and detecting unauthorized changes.

Scan by ICT Tool (Source: Mandiant)

Ivanti has also released examples of how ICT scan results should appear on compromised versus uncompromised devices, emphasizing the importance of analyzing the number of steps reported by the output.

However, cybersecurity firm Mandiant has observed attempts by threat actors to evade detection by ICT. These efforts include returning compromised appliances to a clean state, recalculating hashes, and other anti-forensic techniques.

Ivanti has acknowledged that ICT has limitations, as it cannot detect past malicious activity if attackers have removed evidence or restored the system to an unaltered state. Additionally, ICT does not scan for malware or other Indicators of Compromise (IoCs).

IoCs

Code Family         Filename                                               Description
DRYHOOK             n/a                                                    Credential theft tool
PHASEJAM            /tmp/s                                                 Web shell dropper
PHASEJAM Webshell   /home/webserver/htdocs/dana-na/auth/getComponent.cgi   Web shell
PHASEJAM Webshell   /home/webserver/htdocs/dana-na/auth/restAuth.cgi       Web shell
SPAWNSNAIL          /root/home/lib/libsshd.so                              SSH backdoor
SPAWNMOLE           /root/home/lib/libsocks5.so                            Tunneler
SPAWNANT            /root/lib/libupgrade.so                                Installer
SPAWNSLOTH          /tmp/.liblogblock.so                                   Log tampering utility
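As an added illustration (not code from the article, Ivanti or Mandiant), the following Python models the two checks a defender would run during triage: a file-integrity comparison against a known-good hash manifest, which is the kind of check the ICT paragraphs above describe, and a sweep for the IoC file paths listed in the table. The appliance image, the welcome.cgi file and its contents are constructed sample data; the IoC paths are the article's.

```python
import hashlib
import os
import tempfile

# IoC file paths from the article's table (article data, not an assumption).
IOC_PATHS = {
    "/tmp/s": "PHASEJAM web shell dropper",
    "/home/webserver/htdocs/dana-na/auth/getComponent.cgi": "PHASEJAM web shell",
    "/home/webserver/htdocs/dana-na/auth/restAuth.cgi": "PHASEJAM web shell",
    "/root/home/lib/libsshd.so": "SPAWNSNAIL SSH backdoor",
    "/root/home/lib/libsocks5.so": "SPAWNMOLE tunneler",
    "/root/lib/libupgrade.so": "SPAWNANT installer",
    "/tmp/.liblogblock.so": "SPAWNSLOTH log tampering utility",
}

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def write(root, rel, data):  # create root/rel with constructed sample bytes
    full = os.path.join(root, rel.lstrip("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def integrity_deviations(root, manifest):
    """Return (modified, unexpected) files vs a known-good {path: sha256} manifest."""
    modified, unexpected = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            if rel not in manifest:
                unexpected.append(rel)
            elif sha256_of(full) != manifest[rel]:
                modified.append(rel)
    return sorted(modified), sorted(unexpected)

def ioc_hits(root):  # the article's IoC paths that exist under root
    return {p: d for p, d in IOC_PATHS.items()
            if os.path.exists(os.path.join(root, p.lstrip("/")))}

def demo():  # constructed image: clean baseline, then tampering plus a planted IoC
    root, cgi = tempfile.mkdtemp(), "/home/webserver/htdocs/dana-na/auth/welcome.cgi"
    write(root, cgi, b"#!/bin/sh\necho ok\n")
    manifest = {cgi: sha256_of(os.path.join(root, cgi.lstrip("/")))}
    clean = integrity_deviations(root, manifest)
    write(root, cgi, b"#!/bin/sh\necho tampered\n")
    write(root, "/root/home/lib/libsocks5.so", b"\x7fELF")
    return clean, integrity_deviations(root, manifest), ioc_hits(root)
```

Note that a file an intruder restored to its original bytes produces no deviation in integrity_deviations, which is exactly the limitation the article attributes to ICT; the IoC sweep and log review are needed alongside it.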


The post Ivanti VPN Zero-Day Vulnerability Actively Exploited in the Wild appeared first on Cyber Security News.