CyberSecurity news
FlagThis - #Ivanti
|
CISO2CISO Editor 2@ciso2ciso.com
//
A critical zero-day vulnerability, identified as CVE-2025-0282, is actively being exploited in the wild, affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. This stack-based buffer overflow allows unauthenticated remote attackers to execute arbitrary code on vulnerable devices. Ivanti has confirmed that a limited number of Connect Secure appliances have already been targeted by this exploit. This flaw, boasting a critical CVSS score of 9.0, is particularly concerning as it enables remote code execution without requiring any authentication. The company became aware of the activity through its Integrity Checker Tool (ICT) and has since released a patch for the Connect Secure product line.
Alongside CVE-2025-0282, Ivanti is also addressing CVE-2025-0283, a high-severity stack-based buffer overflow vulnerability with a CVSS score of 7.0. This vulnerability requires a local authenticated attacker and allows for privilege escalation. While no exploitation of CVE-2025-0283 has been observed, patches for all affected products are being developed with fixes for Policy Secure and Neurons for ZTA Gateways expected on January 21. Ivanti urges all customers to apply the provided fixes for Connect Secure (v22.7R2.5) immediately, and to perform factory resets if the integrity checker shows signs of compromise. The company will share indicators of compromise with impacted customers to aid forensic investigations. Recommended read:
References :
Mandvi@Cyber Security News
//
CISA has added three critical Ivanti Endpoint Manager (EPM) flaws to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. The affected vulnerabilities are CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161. These flaws are absolute path traversal vulnerabilities that could allow remote, unauthenticated attackers to fully compromise vulnerable servers, potentially granting unauthorized access to sensitive information. Federal agencies have been given until March 31, 2025, to apply the necessary patches and mitigate these threats.
CISA urges all organizations, including those in the private sector, to prioritize timely remediation of these Ivanti EPM vulnerabilities. Security experts warn that delays in patching can lead to full domain compromise, credential theft, and lateral movement by malicious actors. Given the recent history of Ivanti vulnerabilities, proactive security measures and rapid patching are essential to defend against potential attacks. The large market share of Ivanti products makes them a prime target for malicious actors, emphasizing the importance of immediate patching and continuous hardening of systems. Recommended read:
References :
info@thehackernews.com (The Hacker News)@The Hacker News
//
Ivanti has released critical security updates for Connect Secure (ICS), Policy Secure (IPS), and Secure Access Client (ISAC) to address multiple vulnerabilities. These include three critical severity problems that could allow remote code execution (RCE), posing a significant risk. The updates aim to patch flaws such as external control of a file name (CVE-2024-38657) and a stack-based buffer overflow (CVE-2025-22467), which can be exploited by authenticated attackers to execute arbitrary code and compromise system integrity.
The specific vulnerabilities addressed include CVE-2024-38657, which allows remote authenticated attackers with admin privileges to write arbitrary files, and CVE-2025-22467, a stack-based buffer overflow that enables remote code execution. Also patched is CVE-2024-10644 which is a code injection vulnerability, and CVE-2024-47908, an operating system command injection flaw in the admin web console of Ivanti CSA. Users are urged to update to the latest versions, Ivanti Connect Secure 22.7R2.6, Ivanti Policy Secure 22.7R1.3, and Ivanti CSA 5.0.5, as soon as possible to mitigate potential exploitation. While Ivanti is not aware of active exploitation, it's imperative to apply the patches due to the history of Ivanti appliances being weaponized. Recommended read:
References :
@gbhackers.com
//
A critical remote code execution vulnerability, identified as CVE-2025-0282, has been discovered in Ivanti Connect Secure, affecting versions prior to 22.7R2.5. This flaw is due to a stack-based buffer overflow, and allows unauthenticated, remote attackers to execute arbitrary code. A proof-of-concept exploit, named CVE-2025-0282.rb, has been released, demonstrating how attackers can bypass Address Space Layout Randomization (ASLR) by guessing the base address of a shared library, which could take around 30 minutes in testing. The vulnerability impacts the IF-T/TLS protocol handler on TCP port 443, allowing attackers to gain remote code execution with non-root "nr" user privileges.
Ivanti has acknowledged the vulnerability and assigned it a high CVSS score of 9.0, emphasizing the urgent need for patching. Security analysts have rated both the attacker value and exploitability of this flaw as very high, further highlighting the critical nature of this issue. The flaw was first discovered in the wild around mid-December 2024, with technical analysis by watchTowr on January 10th providing in-depth details of the exploitation mechanics. A related but separate vulnerability, CVE-2025-0283, concerning local privilege escalation was also addressed by Ivanti, however, there are currently no reports of it being exploited. Recommended read:
References :
@thecyberexpress.com
//
US cybersecurity agencies, CISA and the FBI, have issued warnings regarding the active exploitation of four critical vulnerabilities within Ivanti Cloud Service Appliances (CSA). These flaws, designated as CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380, are being leveraged by Chinese state-sponsored actors to breach vulnerable networks. The agencies released detailed technical information, including indicators of compromise (IOCs), highlighting that attackers are using two primary exploit chains to gain unauthorized access, execute arbitrary code, and implant webshells on victim systems.
Specifically, one exploit chain combines CVE-2024-8963, CVE-2024-8190, and CVE-2024-9380, while the other uses CVE-2024-8963 along with CVE-2024-9379. These vulnerabilities affect Ivanti CSA versions 4.6x before 519, and versions 5.0.1 and below for CVE-2024-9379 and CVE-2024-9380. Notably, CSA version 4.6 is end-of-life and does not receive security patches, making it particularly susceptible. The agencies urge organizations to apply patches promptly and implement robust security measures to defend against these active threats, further highlighting the speed at which disclosed vulnerabilities are weaponized. Recommended read:
References :
@gbhackers.com
//
Proof-of-concept exploit code has been released for critical vulnerabilities affecting Ivanti Endpoint Manager (EPM). Disclosed in January, these vulnerabilities allow remote, unauthenticated attackers to potentially compromise systems through credential coercion. Security firm Horizon3.ai published the exploit code and technical details on February 19, 2025, escalating the risk for organizations utilizing the Ivanti EPM platform. The vulnerabilities stem from improper validation of user input, allowing attackers to manipulate file paths and force the EPM server to authenticate to malicious SMB shares.
These vulnerabilities, identified as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159, affect the WSVulnerabilityCore.dll component of Ivanti EPM. An attacker can coerce the Ivanti EPM machine account credential to be used in relay attacks, potentially leading to a full domain compromise. The exploit chain involves credential harvesting and relay attacks. Recommended read:
References :
@thecyberexpress.com
//
Multiple critical vulnerabilities have been discovered in Ivanti Endpoint Manager (EPM) software, posing a significant risk to users. Tracked as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159, these path traversal flaws allow unauthenticated attackers to extract sensitive information from affected systems. Ivanti has released patches to address these vulnerabilities, highlighting the critical need for proactive patching and system updates to mitigate potential exploits.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned that threat actors are actively exploiting vulnerabilities in Ivanti Cloud Service Appliances (CSA), some of which were patched as far back as September. Attackers have been observed using multiple exploit chains that leverage CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380 to achieve remote code execution, harvest credentials, and implant webshells on compromised networks. Notably, Ivanti CSA version 4.6 is now end-of-life and no longer receives patches, making it particularly susceptible to attacks. Recommended read:
References :
|