THE THREAT
On January 8th, Ivanti disclosed a zero-day critical vulnerability affecting Connect Secure, Policy Secure, and Neurons for ZTA gateways. CVE-2025-0282 (CVSS: 9.0) is a stack-based buffer overflow vulnerability that allows unauthenticated remote attackers to execute arbitrary code. As per the advisory, CVE-2025-0282 has been exploited in the wild, affecting a limited number of Connect Secure devices. Ivanti Policy Secure and Neurons for ZTA are not known to have been exploited in the wild at time of disclosure.
Ivanti has released patches for Connect Secure (version 22.7R2.5). Patches for Policy Secure and Neurons for ZTA are expected by January 21, 2025. Due to the rapid adoption of past Ivanti vulnerabilities by threat actors, widespread exploitation of CVE-2025-0282 should be expected in the near future.
What we’re doing about it
-
eSentire MDR for Log has detections in place to identify this threat
-
eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices
-
eSentire’s Tactical Threat Response (TTR) team is crafting new detections to identify exploitation attempts
-
The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities
What you should do about it
-
Ivanti has released an Integrity Checker Tool (ICT) that should be employed to identify potential compromises
-
Ivanti recommends performing a “Factory reset on appliances with a clean ICT scan” before applying the update
-
After performing a business impact review, apply the relevant security patches immediately
-
Until security patches are made available for Policy Secure and Neurons for ZTA gateways, access should be restricted
-
It is advised to follow the mitigation strategies provided by CISA
Additional information
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0282 to its Known Exploited Vulnerabilities catalog. In a separate report published by Google, the organization identified the zero-day exploitation of CVE-2025-0282 occurring in the wild since mid-December 2024. Mandiant, in collaboration with Ivanti, attributed some of the activity to a China-nexus threat group known as UNC5337. Mandiant suspects that UNC5337 is part of a larger group, UNC5221, which had previously exploited Ivanti Connect Secure zero-days. The malware used in this campaign includes Dryhook and Phasejam. Phasejam acts as a dropper that deploys web shells for remote command execution. The attackers also installed ‘Spawn’ tools like Spawnmole (tunneler), Spawnsnail (SSH backdoor), and Spawnsloth (log tampering utility), which, unlike the Phasejam web shell, can persist across system upgrades. The DryHook malware has been used by the attackers in the post-exploitation phase of the attack to steal credentials.
In addition to CVE-2025-0282, Ivanti disclosed a second vulnerability tracked as CVE-2025-0283 (CVSS: 7.0). It is a stack-based buffer overflow that allows local authenticated attackers to escalate privileges on the device. There is currently no indication of real-world attacks involving CVE-2025-0283.
CVE-2025-0282 – Impacted Product List:
-
Ivanti Connect Secure: 22.7R2 through 22.7R2.4
-
Ivanti Policy Secure: 22.7R1 through 22.7R1.2
-
Ivanti Neurons for ZTA gateways: 22.7R2 through 22.7R2.3
CVE-2025-0283 – Impacted Product List:
-
Ivanti Connect Secure: 22.7R2.4 and prior, 9.1R18.9 and prior
-
Ivanti Policy Secure: 22.7R1.2 and prior
-
Ivanti Neurons for ZTA gateways: 22.7R2.3 and prior
Ivanti states that the Neurons for ZTA Gateways cannot be exploited when in production. However, if a gateway for this solution is generated and left unconnected to a ZTA controller, there is a risk of exploitation on the generated gateway. The fix is planned for release on January 21, 2025.
References:
[1] https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283
[2] https://www.ivanti.com/blog/security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways
[3] https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day/
[4] https://www.cisa.gov/news-events/alerts/2025/01/08/cisa-adds-one-vulnerability-kev-catalog
[5] https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282
