FlagThis

A critical zero-day vulnerability, identified as CVE-2025-0282, is actively being exploited in the wild, affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. This stack-based buffer overflow allows unauthenticated remote attackers to execute arbitrary code on vulnerable devices. Ivanti has confirmed that a limited number of Connect Secure appliances have already been targeted by this exploit. This flaw, boasting a critical CVSS score of 9.0, is particularly concerning as it enables remote code execution without requiring any authentication. The company became aware of the activity through its Integrity Checker Tool (ICT) and has since released a patch for the Connect Secure product line.

Alongside CVE-2025-0282, Ivanti is also addressing CVE-2025-0283, a high-severity stack-based buffer overflow vulnerability with a CVSS score of 7.0. This vulnerability requires a local authenticated attacker and allows for privilege escalation. While no exploitation of CVE-2025-0283 has been observed, patches for all affected products are being developed with fixes for Policy Secure and Neurons for ZTA Gateways expected on January 21. Ivanti urges all customers to apply the provided fixes for Connect Secure (v22.7R2.5) immediately, and to perform factory resets if the integrity checker shows signs of compromise. The company will share indicators of compromise with impacted customers to aid forensic investigations.

ImgSrc: www.tenable.com

References :

• forums.ivanti.com: Security Advisory: Ivanti Connect Secure, Policy Secure, ZTA Gateways - CVE-2025-0282, CVE-2025-0283
• www.helpnetsecurity.com: Ivanti Connect Secure zero-day exploited by attackers (CVE-2025-0282)
• ciso2ciso.com: CISO2CISO - CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
• The Hacker News: The Hacker News - Ivanti Flaw CVE-2025-0282 Actively Exploited
• ciso2ciso.com: CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
• securityonline.info: CVE-2025-0282 (CVSS 9.0): Ivanti Confirms Active Exploitation of Critical Flaw
• Kevin Beaumont: Ivanti Connect Secure, Policy Secure & ZTA Gateways customers, it's time to upgrade again as there's another two zero days already being exploited in the wild - CVE-2025-0282 and CVE-2025-0283 Unauth code execution.
• gbhackers.com: Ivanti 0-Day Vulnerability Exploited in Wild-Patch Now
• securityonline.info: CVE-2025-0282 (CVSS 9.0): Ivanti Confirms Active Exploitation of Critical Flaw
• : CISA : So hot off the press that it's not live yet 🥵🔥🔥 ( 9.0 critical ) A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
• Pyrzout :vm:: CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
• securityboulevard.com: Alert of Buffer Overflow Vulnerabilities in Multiple Ivanti Products (CVE-2025-0282)
• Pyrzout :vm:: Zero-day exploits plague Ivanti Connect Secure appliances for second year running – Source: go.theregister.com
• Techmeme: Ivanti warns that a zero-day in its widely-used Connect Secure VPN service has been exploited to compromise the networks of its corporate customers
• techcrunch.com: hackers-are-exploiting-a-new-ivanti-vpn-security-bug-to-hack-into-company-networks
• www.tenable.com: CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
• ciso2ciso.com: Zero-day exploits plague Ivanti Connect Secure appliances for second year running – Source: go.theregister.com
• Latest from TechRadar: Ivanti warns another critical security flaw is being attacked
• www.bleepingcomputer.com: Banshee stealer evades detection using apple xprotect
• : watchTowr : Absolutely scathing review and rightful criticism of Ivanti as watchTowr successfully reproduces ( 9.0 critical ) Ivanti Connect Secure Buffer Overflow Vulnerability.
• securityonline.info: Ivanti Connect Secure Zero-Day Threat: 2,048 Vulnerable Devices and Critical Exploitation Details Unveiled
• www.scworld.com: Active exploitation of Ivanti Connect Secure zero-day ongoing
• ciso2ciso.com: China’s UNC5337 Exploits a Critical Ivanti RCE Bug, Again – Source: www.darkreading.com
• Kevin Beaumont: WatchTowr have a good look at the latest Ivanti Pulse Secure zero day. Honestly? Don’t buy this product. It isn’t secure and they’re hiding problems.
• securityaffairs.com: U.S. CISA adds Ivanti Connect Secure, Policy Secure, and ZTA Gateways flaw to its Known Exploited Vulnerabilities catalog
• securityonline.info: Ivanti Connect Secure Zero-Day Threat: 2,048 Vulnerable Devices and Critical Exploitation Details Unveiled
• fortiguard.fortinet.com: Ivanti Connect Secure Zero-Day Vulnerability
• labs.watchtowr.com: Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282) - watchTowr Labs
• Pyrzout :vm:: China’s UNC5337 Exploits a Critical Ivanti RCE Bug, Again – Source: www.darkreading.com 's
• www.helpnetsecurity.com: Week in review: Exploited Ivanti Connect Secure zero-day, Patch Tuesday forecast
• Pyrzout :vm:: Ivanti Rolls Out Patches to Mitigate Exploits in Connect Secure, Policy Secure, and ZTA Gateways
• thecyberexpress.com: Ivanti Vulnerabilities Patches Roll Out - The Cyber Express
• thecyberexpress.com: Ivanti Rolls Out Patches to Mitigate Exploits in Connect Secure, Policy Secure, and ZTA Gateways
• arcticwolf.com: CVE-2025-0282: Critical Zero-Day Remote Code Execution Vulnerability Impacts Several Ivanti Products
• Help Net Security: Week in review: Exploited Ivanti Connect Secure zero-day, Patch Tuesday forecast
• gbhackers.com: Gbhackers article about PoC release for Ivanti RCE vulnerability.

Classification:

• HashTags: #Ivanti #ZeroDay #RCE
• Company: Ivanti
• Target: Ivanti Customers
• Product: Connect Secure
• Feature: Remote Code Execution
• Type: 0Day
• Severity: Disaster