Nominet, the official registry for .uk domain names and one of the largest country-code registries globally, has disclosed a significant cybersecurity breach linked to a recently discovered zero-day vulnerability in Ivanti's Virtual Private Network (VPN) software.
The incident, which came to light in early January 2025, marks the first publicly confirmed case of exploitation related to the critical Ivanti Connect Secure flaw, tracked as CVE-2025-0282.
In an email sent to customers on January 8, Nominet revealed that it had detected suspicious activity on its network the previous week, according to a report by The Register.
The company stated that it "became aware of suspicious activity on our network late last week. The entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely."
CVE-2025-0282, a critical stack-based buffer overflow vulnerability with a CVSS score of 9.0, allows unauthenticated remote code execution on affected systems. This flaw impacts Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways.
Exploitation of Vulnerability
Cybersecurity experts have linked the exploitation of this vulnerability to suspected Chinese state-sponsored hackers, with attacks observed since mid-December 2024.
Despite the breach, Nominet has reassured its customers that there is currently no evidence of data theft or leakage. The company also stated that it has not identified any backdoors or other forms of unauthorized access to its network.
Nominet manages over 11 million .uk domains and operates critical infrastructure, including the Protective Domain Name Service (PDNS) for the UK’s National Cyber Security Centre (NCSC).
In response to the incident, Nominet has implemented additional safeguards, including restricting access to its systems via VPN connections. The company has also notified relevant authorities, including the NCSC, and is continuing its investigation with the assistance of external cybersecurity experts.
The Ivanti zero-day exploitation has raised significant concerns in the cybersecurity community. Mandiant has attributed the attacks to UNC5337, a cluster it assesses to be part of UNC5221, the threat actor behind similar attacks on Ivanti products in January 2024.
The current campaign involves the deployment of both known and novel malware: the previously documented Spawn family alongside the newly identified Dryhook and Phasejam.
Ivanti released patches for vulnerable Connect Secure versions on January 8, 2025, coinciding with the public disclosure of the zero-day. However, fixes for Policy Secure and Neurons for ZTA Gateways are not expected until January 21, potentially exposing some customers.
Cybersecurity firm Censys reported that 33,542 Ivanti Connect Secure instances are exposed globally, with significant concentrations in the United States and Japan.
As the situation continues to evolve, cybersecurity experts advise organizations using Ivanti products to apply available patches immediately, conduct thorough investigations for potential compromise, and remain vigilant against further exploitation attempts. Ivanti's advisory also recommended running its Integrity Checker Tool (ICT) on appliances and performing a factory reset before patching wherever the ICT reports signs of tampering; a clean ICT result on its own should not be taken as proof that an appliance exposed since mid-December was not touched.
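As an added example, not code from the article, Nominet or Ivanti, the following Python script shows the first step of the triage described above: parsing Ivanti's `major.minorRrelease.patch` version strings from an appliance inventory and sorting each Connect Secure host into patched, vulnerable, or outside the advisory's affected range. It assumes, per Ivanti's January 8, 2025 advisory for CVE-2025-0282, that the fixed Connect Secure build is 22.7R2.5 and the affected range is 22.7R2 through 22.7R2.4; hostnames and the inventory are constructed, and the script covers Connect Secure only (Policy Secure and ZTA gateways had no fix at the time).

```python
import re

# Assumptions taken from Ivanti's 8 January 2025 advisory for CVE-2025-0282
# (Connect Secure only): fixed in 22.7R2.5, affected 22.7R2 through 22.7R2.4.
ICS_FIXED_VERSION = "22.7R2.5"
ICS_AFFECTED_MIN = "22.7R2"

# Ivanti versions look like 22.7R2.5 or 9.1R18.9; the trailing ".patch" is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn '22.7R2.5' into a comparable tuple (22, 7, 2, 5); '22.7R2' -> (22, 7, 2, 0)."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def classify(version: str) -> str:
    """Classify a Connect Secure version against the advisory's affected range."""
    parsed = parse_version(version)
    if parsed >= parse_version(ICS_FIXED_VERSION):
        return "patched"
    if parsed >= parse_version(ICS_AFFECTED_MIN):
        return "vulnerable"
    # Older trains (e.g. 9.1R18.x) are not in the advisory's affected list; they
    # were end-of-life and need a separate decision rather than a green tick.
    return "outside-advisory-range"


def triage(inventory_csv: str) -> dict:
    """Map each 'host,version' line of an inventory to its classification."""
    result = {}
    for line in inventory_csv.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, version = (field.strip() for field in line.split(",", 1))
        result[host] = classify(version)
    return result


# Constructed sample inventory (hypothetical hostnames, not real systems).
CONSTRUCTED_INVENTORY = """\
# host,version
vpn-gw-01.example.net,22.7R2.4
vpn-gw-02.example.net,22.7R2.5
vpn-gw-03.example.net,22.7R2
vpn-lab.example.net,9.1R18.9
"""

if __name__ == "__main__":
    for host, status in sorted(triage(CONSTRUCTED_INVENTORY).items()):
        print(f"{host:28} {status}")
```

Version tuples compare left to right, so 22.7R2 sorts below 22.7R2.4, which sorts below 22.7R2.5; a "patched" result still says nothing about whether the appliance was compromised before the patch landed, which is what the Integrity Checker Tool and the forensic review are for.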