UK domain registry Nominet confirms breach via Ivanti zero-day
Nominet, the official .UK domain registry and one of the largest country code registries, has confirmed that its network was breached two weeks ago using an Ivanti VPN zero-day vulnerability.
The company manages and operates over 11 million .uk, .co.uk, and .gov.uk domain names and other top-level domains, including .cymru and .wales.
It also runs the UK's Protective Domain Name Service (PDNS) on behalf of the country's National Cyber Security Centre (NCSC), protecting more than 1,200 organizations and over 7 million end users.
Nominet is still investigating the incident but has not found evidence of any backdoors deployed on its systems, as first reported by ISPreview.
Since it detected suspicious activity on its network, the company has reported the attack to relevant authorities, including the NCSC, and restricted access to its systems via VPN connections.
"The entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely," Nominet says in a customer notice shared with BleepingComputer.
"However, we currently have no evidence of data breach or leakage. We already operate restricted access protocols and firewalls to protect our registry systems. Domain registration and management systems continue to operate as normal."

Attacks linked to suspected Chinese hackers
While the company didn't share more information on the VPN zero-day used in the attack, Ivanti said last week that hackers have been exploiting a critical Ivanti Connect Secure zero-day vulnerability (tracked as CVE-2025-0282) to breach a limited number of customers' appliances.
According to cybersecurity company Mandiant (part of Google Cloud), the attackers started leveraging this vulnerability in mid-December, using the custom Spawn malware toolkit (tied to a suspected China-linked espionage group tracked as UNC5337).
They've also deployed new Dryhook and Phasejam malware (not currently associated with a threat group) on compromised VPN appliances.
Macnica researcher Yutaka Sejiyama told BleepingComputer that over 3,600 Ivanti Connect Secure (ICS) appliances were exposed online when Ivanti released a patch for the zero-day on Wednesday.
In October, Ivanti released more security updates to fix three other Cloud Services Appliance (CSA) zero-days that were also actively exploited in attacks.