About the Vulnerability
On January 8, Ivanti disclosed two critical vulnerabilities affecting its Connect Secure, Policy Secure, and Neurons for Zero Trust Access (ZTA) gateway devices. These flaws include:
- CVE-2025-0282: A stack-based buffer overflow vulnerability with a CVSSv3 score of 9.0. This allows unauthenticated remote attackers to execute arbitrary code on vulnerable devices.
- CVE-2025-0283: Another stack-based buffer overflow vulnerability with a CVSSv3 score of 7.0. This flaw allows local authenticated attackers to elevate their privileges.
Ivanti has confirmed that CVE-2025-0282 has been exploited in the wild, targeting Connect Secure devices among a limited number of customers. This marks a critical threat for organizations relying on these devices for secure remote access.
The Impact of the Vulnerability
The exploitation of CVE-2025-0282 enables attackers to gain remote code execution without requiring authentication. This poses a significant risk to:
- Sensitive Data: Attackers can exfiltrate or manipulate confidential data.
- System Integrity: Compromised systems can serve as entry points for broader attacks.
- Business Continuity: Downtime and disruptions caused by attacks can severely impact operations.
While CVE-2025-0283 hasn’t been exploited in the wild, its potential for privilege escalation emphasizes the importance of addressing both vulnerabilities promptly.
Historical Exploitation of Ivanti Products
Ivanti Connect Secure, previously known as Pulse Connect Secure, has been a frequent target for attackers:
- 2019: CVE-2019-11510 (Arbitrary File Read Vulnerability) and CVE-2019-11539 (Command Injection).
- 2020: Multiple code injection vulnerabilities, including CVE-2020-8218 and CVE-2020-8260.
- 2021: Authentication bypass and buffer overflow vulnerabilities, such as CVE-2021-22893.
- 2023-2024: Recent vulnerabilities, including CVE-2024-21887 and CVE-2024-21893, highlight a consistent trend of exploitation.
The historical targeting of these devices by advanced persistent threat (APT) groups, ransomware operators, and cybercriminals underscores the critical need for proactive defense strategies.
Mitigation and Recommendations
Patching
Ivanti has released patches to address the vulnerabilities:
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Ivanti Connect Secure | 22.7R2 through 22.7R2.4, 9.1R18.9 and below | 22.7R2.5 |
| Ivanti Policy Secure | 22.7R1 through 22.7R1.2 | Available Jan 21 |
| Ivanti Neurons for ZTA | 22.7R2 through 22.7R2.3 | 22.7R2.5 (Jan 21) |
Organizations should apply these patches immediately to protect their environments.
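The first step in applying these patches is knowing which appliances in an inventory actually sit inside the affected ranges. The script below is an added example, not code from the advisory or from Ivanti: it encodes the ranges exactly as the table above lists them and checks version strings against them. It assumes Ivanti version strings follow the `MAJOR.MINOR R RELEASE[.PATCH]` shape seen in the table (e.g. `22.7R2.4`, `9.1R18.9`), reads "9.1R18.9 and below" as a range with no lower bound, and the inventory at the bottom is constructed sample data.

```python
"""Triage an appliance inventory against the CVE-2025-0282 / CVE-2025-0283
affected-version table.  Added example; ranges are copied from the advisory
table, the version grammar and the sample inventory are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, release, patch)

# Assumed grammar: "22.7R2.4" -> (22, 7, 2, 4); the ".patch" part is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Version:
    """Convert an Ivanti version string into a tuple that compares correctly.
    A missing patch component ('22.7R2') is treated as patch 0, so that
    22.7R2 < 22.7R2.1 as the table's 'through' ranges require."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


# (lowest affected or None for open-ended, highest affected, fixed version or None)
AFFECTED: Dict[str, List[Tuple[Optional[str], str, Optional[str]]]] = {
    "Ivanti Connect Secure": [
        ("22.7R2", "22.7R2.4", "22.7R2.5"),
        (None, "9.1R18.9", "22.7R2.5"),   # "9.1R18.9 and below": no lower bound
    ],
    "Ivanti Policy Secure": [
        ("22.7R1", "22.7R1.2", None),     # fix listed only as "Available Jan 21"
    ],
    "Ivanti Neurons for ZTA": [
        ("22.7R2", "22.7R2.3", "22.7R2.5"),
    ],
}


def assess(product: str, version: str) -> Dict[str, Optional[object]]:
    """Return whether `version` of `product` is in an affected range and,
    if so, which fixed version the table names (None when no number is published)."""
    if product not in AFFECTED:
        raise ValueError(f"no affected-version data for product {product!r}")
    v = parse_version(version)
    for low, high, fixed in AFFECTED[product]:
        above_low = low is None or parse_version(low) <= v
        if above_low and v <= parse_version(high):
            return {"affected": True, "fixed_version": fixed}
    return {"affected": False, "fixed_version": None}


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Filter (host, product, version) rows down to the affected ones,
    appending the fixed version a patch cycle should move each host to."""
    hits = []
    for host, product, version in inventory:
        result = assess(product, version)
        if result["affected"]:
            hits.append((host, product, version, result["fixed_version"]))
    return hits


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("vpn-01", "Ivanti Connect Secure", "22.7R2.3"),
    ("vpn-02", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-legacy", "Ivanti Connect Secure", "9.1R17.3"),
    ("nac-01", "Ivanti Policy Secure", "22.7R1.1"),
    ("zta-01", "Ivanti Neurons for ZTA", "22.7R2.3"),
]

if __name__ == "__main__":
    for host, product, version, fixed in triage(SAMPLE_INVENTORY):
        target = fixed or "no fixed version published yet"
        print(f"{host}: {product} {version} is affected -> upgrade to {target}")
```

Feeding the script a real inventory export turns the patch table into a worklist: hosts already on a fixed version drop out, and rows whose fixed version is `None` (Policy Secure at the time of the advisory) are the ones that still need interim controls such as restricted management-interface access until the patch ships.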
Additional Recommendations
- Integrity Checking: Use Ivanti’s Integrity Checker Tool (ICT) to detect potential exploitation of CVE-2025-0282.
- Factory Reset: Ivanti recommends performing a factory reset of devices before upgrading to version 22.7R2.5 to ensure malware removal.
- Access Controls: Restrict access to management interfaces and enforce least privilege.
- Monitoring: Deploy tools to monitor unusual activity or signs of compromise.
Ongoing Investigation
Mandiant’s preliminary findings on CVE-2025-0282 exploitation highlight several malware samples, including:
- SPAWN Ecosystem: Variants such as SPAWNANT and SPAWNMOLE.
- New Malware: DRYHOOK (credential harvester) and PHASEJAM (dropper).
These discoveries indicate sophisticated attack techniques, though no specific APT group has been linked yet.
Discover Your Exposure
Identifying exposure to these vulnerabilities is critical. The FireCompass Platform can rapidly assess your attack surface, helping you find and mitigate risks related to Ivanti zero-day vulnerabilities. Discover your exposure now.
Conclusion
CVE-2025-0282 and CVE-2025-0283 are reminders of the evolving threat landscape targeting enterprise systems. Proactive patching, rigorous monitoring, and community collaboration are essential to maintaining a secure environment. Stay informed, stay vigilant, and leverage available tools to protect your organization from emerging risks.