Over 379 Ivanti Connect Secure (ICS) devices were found to be backdoored following the exploitation of a critical zero-day vulnerability, CVE-2025-0282.
The backdoors installed by attackers allow persistent access to the compromised systems, enabling data exfiltration, lateral movement within networks, and potential deployment of ransomware or other malicious payloads.
CVE-2025-0282 is a stack-based buffer overflow vulnerability in the Ivanti Connect Secure platform. The flaw allows attackers to execute arbitrary code on vulnerable devices, potentially gaining full control over affected systems.
The vulnerability has a high CVSS score, reflecting its critical nature and the ease with which it can be exploited remotely without authentication.
Proof-of-concept (PoC) exploit code for this vulnerability was publicly disclosed on January 16, 2025, accelerating its exploitation by threat actors.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
Security researchers have noted that this vulnerability is particularly dangerous due to the widespread use of ICS devices in enterprise environments for secure remote access.
Backdoored Devices Discovered
On January 22, 2025, researchers uncovered 379 new instances of backdoored ICS devices. These devices are believed to have been compromised as part of an ongoing campaign exploiting CVE-2025-0282.
However, experts warn that some of these compromises may also stem from older vulnerabilities or other attack vectors.
The exploitation of CVE-2025-0282 involves sending specially crafted packets to vulnerable ICS devices, triggering the buffer overflow and enabling remote code execution.
Attackers have been observed leveraging this flaw to modify legitimate ICS components, effectively disguising their malicious activities.
Mitigation And Response
Ivanti has released patches to address CVE-2025-0282 and urged all users to apply them immediately. However, cybersecurity experts recommend additional measures to ensure security:
- Factory Reset: Treat all ICS devices as compromised if they show signs of unusual activity. A full factory reset followed by reinstallation of firmware is advised.
- Threat Hunting: Conduct thorough threat hunts for Indicators of Compromise (IOCs) associated with CVE-2025-0282.
- Network Segmentation: Isolate ICS devices from critical systems to limit potential lateral movement by attackers.
- Upgrade Infrastructure: Consider replacing outdated ICS devices with modern alternatives offering stronger security postures.
The incident underscores the urgent need for vendors to modernize their products and adopt secure-by-design principles.
Cybersecurity experts emphasize that proactive patch management and strong incident response strategies are essential for protecting against more complex cyber threats as firms deal with the effects of this campaign.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar