Ivanti warns of new Connect Secure flaw used in zero-day attacks
Ivanti is warning that hackers exploited a Connect Secure remote code execution vulnerability tracked as CVE-2025-0282 in zero-day attacks to install malware on appliances.
The company says it became aware of the vulnerabilities after the Ivanti Integrity Checker Tool (ICT) detected malicious activity on customers' appliances. Ivanti launched an investigation and confirmed that threat actors were actively exploiting CVE-2025-0282 as a zero-day.
CVE-2025-0282 is a critical (9.0) stack-based buffer overflow bug in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 that allow a unauthenticated attacker to remotely execute code on devices.
While the flaw impacts all three products, Ivanti says they have only seen it exploited on Ivanti Connect Secure appliances.
"We are aware of a limited number of customers' Ivanti Connect Secure appliances which have been exploited by CVE-2025-0282 at the time of disclosure," reads an Ivanti blog post.
"We are not aware of these CVEs being exploited in Ivanti Policy Secure or Neurons for ZTA gateways."
Ivanti has rushed out security patches for Ivanti Connect Secure, which are resolved in firmware version 22.7R2.5.
However, patches for Ivanti Policy Secure and Ivanti Neurons for ZTA Gateways will not be ready until January 21, according to a security bulletin published today.
Ivanti Policy Secure: This solution is not intended to be internet facing, which makes the risk of exploitation significantly lower. The fix for Ivanti Policy Secure is planned for release on January 21, 2025, and will be available in the standard download portal. Customers should always ensure that their IPS appliance is configured according to Ivanti recommendations and not expose it to the internet. We are not aware of these CVEs being exploited in Ivanti Policy Secure.
Ivanti Neurons for ZTA Gateways: The Ivanti Neurons ZTA gateways cannot be exploited when in production. If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. The fix is planned for release on January 21, 2025. We are not aware of these CVEs being exploited in ZTA Gateways.
The company recommends all Ivanti Connect Secure admins perform internal and external ICT scans.
If the scans come up clean, Ivanti still recommends admins perform a factory reset before upgrading to Ivanti Connect Secure 22.7R2.5.
However, if the scans show signs of a compromise, Ivanti says a factory reset should remove any installed malware. The appliance should then be put back into production using version 22.7R2.5
Today's security updates also fix a second vulnerability tracked as CVE-2025-0283, which Ivanti says is not currently being exploited or chained with CVE-2025-0282. This flaw allows an authenticated local attacker to escalate their privileges.
As Ivanti is working with Mandiant and the Microsoft Threat Intelligence Center to investigate the attacks, we will likely see reports about the detected malware shortly.
BleepingComputer contacted Ivanti with further questions about the attacks and will update this story if we receive a response.
In October, Ivanti released security updates to fix three Cloud Services Appliance (CSA) zero-days that were actively exploited in attacks.
SonicWall urges admins to patch exploitable SSLVPN bug immediately
Unpatched critical flaws impact Fancy Product Designer WordPress plugin
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
Free online web security scanner