2,048 Ivanti VPN Instances Vulnerable to Exploited Zero-Day Attacks


A critical security vulnerability in Ivanti Connect Secure VPN appliances has left 2,048 instances worldwide exposed to potential exploitation, with the United States hosting the highest number of vulnerable systems.

The vulnerability, tracked as CVE-2025-0282, has been actively exploited since mid-December 2024.

The vulnerability is a critical stack-based buffer overflow with a CVSS score of 9.0 that allows unauthenticated remote code execution. It affects multiple Ivanti products, including Connect Secure versions prior to 22.7R2.5, Policy Secure prior to 22.7R1.2, and Neurons for ZTA gateways prior to 22.7R2.3.

Shadowserver observed that 2,048 instances worldwide are vulnerable.

Mandiant’s investigation revealed that threat actors are executing sophisticated attacks using version-specific exploitation techniques. The attack sequence typically involves:

  • Initial reconnaissance to identify appliance versions
  • Disabling of security features, including SELinux
  • Filesystem remounting for write access
  • Deployment of web shells for persistence
  • Removal of log entries to avoid detection

The exploitation has been linked to UNC5337, a China-nexus threat group, though multiple threat actors appear to be involved.


The attackers have deployed various malware families, including DRYHOOK and PHASEJAM, demonstrating sophisticated capabilities in maintaining persistent access and facilitating data theft.

Mitigation Steps

Ivanti has released emergency patches for Connect Secure (version 22.7R2.5), while updates for Policy Secure and Neurons for ZTA are scheduled for January 21, 2025. The company strongly recommends that organizations:

  • Immediately apply available patches
  • Monitor systems using the Integrity Checker Tool (ICT)
  • Perform both internal and external ICT scans
  • Conduct factory resets before upgrading to the latest version
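A fleet-triage helper for the "prior to" version thresholds quoted above and the "apply available patches" step, added here as an example and not taken from Ivanti, Shadowserver or Mandiant. It assumes the 22.7R2.5 version scheme compares field by field, uses constructed hostnames, and takes its thresholds from this article, so they should be checked against the vendor advisory before use.

```python
import re

# "Prior to" thresholds as quoted in the article above; confirm against Ivanti's advisory.
FIXED_VERSIONS = {
    "Connect Secure": "22.7R2.5",
    "Policy Secure": "22.7R1.2",
    "Neurons for ZTA": "22.7R2.3",
}

# Assumption (not from the article): versions look like 22.7R2.5 and the four
# numeric fields compare in order; a missing trailing field counts as 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5); raise on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the running version is older than the quoted fixed version."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"no threshold recorded for product {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: list[tuple[str, str, str]]) -> tuple[list, list]:
    """Split (host, product, version) rows into 'patch now' and 'needs review'."""
    needs_patch, needs_review = [], []
    for host, product, version in inventory:
        try:
            if is_vulnerable(product, version):
                needs_patch.append((host, product, version))
        except ValueError as exc:
            # Anything we cannot evaluate is surfaced for review, never assumed safe.
            needs_review.append((host, product, version, str(exc)))
    return needs_patch, needs_review


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("vpn-east.example.internal", "Connect Secure", "22.7R2.4"),
    ("vpn-west.example.internal", "Connect Secure", "22.7R2.5"),
    ("nac-01.example.internal", "Policy Secure", "22.7R1.1"),
    ("zta-gw-01.example.internal", "Neurons for ZTA", "22.7R2.3"),
    ("vpn-lab.example.internal", "Connect Secure", "unknown"),
]
```

Rows that fail to parse land in the review list so an unreadable version string never hides an unpatched appliance.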

The widespread exploitation of this vulnerability follows a pattern of critical zero-day attacks against Ivanti products, including previous incidents that affected major organizations and government agencies.

With thousands of systems still vulnerable, security experts warn of a potential escalation in exploitation attempts by both nation-state actors and cybercriminal groups.
