33,542 Ivanti Connect Secure Instances Exposed as Exploitation of CVE-2025-0282 Unfolds


A critical security vulnerability, CVE-2025-0282, has been identified and exploited in the wild, affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways.

This stack-based buffer overflow vulnerability, rated with a CVSS score of 9.0, allows unauthenticated attackers to execute arbitrary code remotely.

The flaw impacts versions of Ivanti Connect Secure prior to 22.7R2.5, Policy Secure prior to 22.7R1.2, and Neurons for ZTA gateways prior to 22.7R2.3.

Ivanti disclosed the vulnerability on January 8, 2025, following reports of active exploitation beginning in mid-December 2024. The company’s Integrity Checker Tool (ICT) detected malicious activity on customer appliances, leading to the identification of CVE-2025-0282.

Affected systems are vulnerable to remote code execution (RCE), enabling attackers to potentially compromise entire networks.

The vulnerability stems from improper handling of the clientCapabilities parameter in the /home/bin/web binary of Ivanti Connect Secure appliances.

According to Watchtowr's analysis, the developers used the strncpy function but mistakenly passed the length of the input string instead of the destination buffer size as the copy bound, allowing attackers to overwrite memory and execute malicious code.
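The strncpy bound mistake described above, as an added illustrative example in C (it is not Ivanti's code and not taken from the Watchtowr analysis): the buffer size, the field handling and all function names are assumptions, and the hardened form is shown beside the vulnerable pattern.

```c
#include <stdio.h>
#include <string.h>
/* Illustrative reconstruction of the bug class, not Ivanti's actual code:
 * the buffer size and all names here are assumptions made for the example. */
#define CAPS_BUF_SIZE 64

/* Vulnerable pattern: the strncpy bound comes from the input's own length, so
 * it limits nothing; any clientCapabilities value longer than CAPS_BUF_SIZE
 * overruns the stack buffer. Shown for contrast only and never called here. */
void parse_client_capabilities_vulnerable(const char *client_caps)
{
    char buf[CAPS_BUF_SIZE];
    strncpy(buf, client_caps, strlen(client_caps)); /* bound follows the source */
    (void)buf;
}

/* Hardened form: check the input against the destination first, bound the copy
 * by the destination, always NUL-terminate; 0 on success, -1 if it does not fit. */
int parse_client_capabilities_safe(const char *client_caps, char *out, size_t out_size)
{
    size_t len = strlen(client_caps);
    if (out_size == 0 || len >= out_size)
        return -1;                               /* reject, never truncate silently */
    strncpy(out, client_caps, out_size - 1);     /* bound follows the destination */
    out[out_size - 1] = '\0';
    return 0;
}

/* Builds a constructed clientCapabilities value of `len` 'A' bytes and runs it
 * through the safe parser. Returns -1 if rejected, 1 if it was copied through
 * unchanged, 0 on any other outcome (including a value too long to construct). */
int check_capabilities_value(size_t len)
{
    char in[256], out[CAPS_BUF_SIZE];
    if (len >= sizeof in)
        return 0;
    memset(in, 'A', len);
    in[len] = '\0';
    if (parse_client_capabilities_safe(in, out, sizeof out) != 0)
        return -1;
    return strcmp(out, in) == 0 ? 1 : 0;
}

int main(void)
{
    printf("63 bytes: %d, 64 bytes: %d, 200 bytes: %d\n",
           check_capabilities_value(63), check_capabilities_value(64),
           check_capabilities_value(200));
    return 0;
}
```

The boundary case is the one to watch: a 63-byte value fits in the 64-byte buffer with its terminator, while 64 bytes is rejected outright instead of being silently truncated.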

33,542 Ivanti Connect Secure Instances Exposed

Cybersecurity firm Censys reported that 33,542 Ivanti Connect Secure instances are exposed globally, with significant concentrations in the United States and Japan.

However, not all exposed systems are necessarily vulnerable, since the software versions in use vary. Policy Secure and Neurons for ZTA gateways are less visible because they are not typically internet-facing.

Security investigations by Mandiant and Microsoft Threat Intelligence Center revealed that exploitation campaigns have deployed sophisticated malware families such as Spawn, Dryhook, and Phasejam. Some attacks have been attributed to China-linked threat actors like UNC5337.

Attackers have been observed disabling security features like SELinux on compromised devices and deploying web shells for persistence.

While active exploitation has been confirmed for Ivanti Connect Secure appliances, there is no evidence yet of attacks targeting Policy Secure or Neurons for ZTA gateways.

Ivanti has released a patch for Connect Secure (version 22.7R2.5) but announced that fixes for Policy Secure and Neurons for ZTA gateways will be available by January 21, 2025. Administrators are strongly advised to update affected systems immediately and perform factory resets where necessary to ensure malware removal.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-0282 to its Known Exploited Vulnerabilities catalog and urged organizations to conduct threat hunting and apply patches without delay. Ivanti’s advisory recommends using ICT scans to detect signs of compromise.

Security researchers have published a detailed walkthrough of the exploitation process. It outlines how attackers leverage oversized clientCapabilities blocks to trigger buffer overflows and achieve RCE. This analysis highlights critical coding errors that led to the vulnerability.

Organizations using Ivanti products must act swiftly to secure their systems against this critical threat. The widespread exposure of vulnerable instances underscores the urgency for robust patch management and proactive monitoring.

As cybersecurity experts warn of potential opportunistic exploitation by additional threat actors, applying updates and adhering to best practices is imperative to mitigate risks associated with CVE-2025-0282.
