CISO2CISO Editor 2@ciso2ciso.com - 50d
A critical zero-day vulnerability, tracked as CVE-2025-0282, is being actively exploited in the wild and affects Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. The stack-based buffer overflow allows unauthenticated remote attackers to execute arbitrary code on vulnerable devices. Ivanti has confirmed that a limited number of Connect Secure appliances have already been targeted by this exploit. With a critical CVSS score of 9.0, the flaw is particularly concerning because it enables remote code execution without any authentication. The company became aware of the activity through its Integrity Checker Tool (ICT) and has since released a patch for the Connect Secure product line.
Alongside CVE-2025-0282, Ivanti is also addressing CVE-2025-0283, a high-severity stack-based buffer overflow with a CVSS score of 7.0 that requires a local authenticated attacker and allows privilege escalation. No exploitation of CVE-2025-0283 has been observed. Patches for all affected products are being developed, with fixes for Policy Secure and Neurons for ZTA Gateways expected on January 21. Ivanti urges all customers to apply the Connect Secure fix (v22.7R2.5) immediately and to perform a factory reset if the integrity checker shows signs of compromise. The company will share indicators of compromise with impacted customers to aid forensic investigations.
Recommended read:
References:
- forums.ivanti.com: Security Advisory: Ivanti Connect Secure, Policy Secure, ZTA Gateways - CVE-2025-0282, CVE-2025-0283
- www.helpnetsecurity.com: Ivanti Connect Secure zero-day exploited by attackers (CVE-2025-0282)
- ciso2ciso.com: CISO2CISO - CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
- The Hacker News: The Hacker News - Ivanti Flaw CVE-2025-0282 Actively Exploited
- securityonline.info: CVE-2025-0282 (CVSS 9.0): Ivanti Confirms Active Exploitation of Critical Flaw
- Kevin Beaumont: Ivanti Connect Secure, Policy Secure & ZTA Gateways customers, it's time to upgrade again as there's another two zero days already being exploited in the wild - CVE-2025-0282 and CVE-2025-0283 Unauth code execution.
- gbhackers.com: Ivanti 0-Day Vulnerability Exploited in Wild - Patch Now
- CISA: So hot off the press that it's not live yet 🥵🔥🔥 (9.0 critical) A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
- Pyrzout :vm:: CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
- securityboulevard.com: Alert of Buffer Overflow Vulnerabilities in Multiple Ivanti Products (CVE-2025-0282)
- Pyrzout :vm:: Zero-day exploits plague Ivanti Connect Secure appliances for second year running – Source: go.theregister.com
- Techmeme: Ivanti warns that a zero-day in its widely-used Connect Secure VPN service has been exploited to compromise the networks of its corporate customers
- techcrunch.com: Hackers are exploiting a new Ivanti VPN security bug to hack into company networks
- www.tenable.com: CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
- ciso2ciso.com: Zero-day exploits plague Ivanti Connect Secure appliances for second year running – Source: go.theregister.com
- Latest from TechRadar: Ivanti warns another critical security flaw is being attacked
- www.bleepingcomputer.com: Banshee stealer evades detection using apple xprotect
- watchTowr: Absolutely scathing review and rightful criticism of Ivanti as watchTowr successfully reproduces (9.0 critical) Ivanti Connect Secure Buffer Overflow Vulnerability.
- securityonline.info: Ivanti Connect Secure Zero-Day Threat: 2,048 Vulnerable Devices and Critical Exploitation Details Unveiled
- www.scworld.com: Active exploitation of Ivanti Connect Secure zero-day ongoing
- ciso2ciso.com: China’s UNC5337 Exploits a Critical Ivanti RCE Bug, Again – Source: www.darkreading.com
- Kevin Beaumont: WatchTowr have a good look at the latest Ivanti Pulse Secure zero day. Honestly? Don’t buy this product. It isn’t secure and they’re hiding problems.
- securityaffairs.com: U.S. CISA adds Ivanti Connect Secure, Policy Secure, and ZTA Gateways flaw to its Known Exploited Vulnerabilities catalog
- fortiguard.fortinet.com: Ivanti Connect Secure Zero-Day Vulnerability
- labs.watchtowr.com: Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282) - watchTowr Labs
- Pyrzout :vm:: China’s UNC5337 Exploits a Critical Ivanti RCE Bug, Again – Source: www.darkreading.com
- www.helpnetsecurity.com: Week in review: Exploited Ivanti Connect Secure zero-day, Patch Tuesday forecast
- Pyrzout :vm:: Ivanti Rolls Out Patches to Mitigate Exploits in Connect Secure, Policy Secure, and ZTA Gateways
- thecyberexpress.com: Ivanti Vulnerabilities Patches Roll Out - The Cyber Express
- thecyberexpress.com: Ivanti Rolls Out Patches to Mitigate Exploits in Connect Secure, Policy Secure, and ZTA Gateways
- arcticwolf.com: CVE-2025-0282: Critical Zero-Day Remote Code Execution Vulnerability Impacts Several Ivanti Products
- gbhackers.com: Gbhackers article about PoC release for Ivanti RCE vulnerability.
info@thehackernews.com (The Hacker News)@The Hacker News - 15d
Ivanti has released critical security updates for Connect Secure (ICS), Policy Secure (IPS), and Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical-severity flaws that could allow remote code execution (RCE). The updates patch flaws such as external control of a file name (CVE-2024-38657) and a stack-based buffer overflow (CVE-2025-22467), which authenticated attackers can exploit to execute arbitrary code and compromise system integrity.
The specific vulnerabilities addressed include CVE-2024-38657, which allows remote authenticated attackers with admin privileges to write arbitrary files, and CVE-2025-22467, a stack-based buffer overflow that enables remote code execution. Also patched are CVE-2024-10644, a code injection vulnerability, and CVE-2024-47908, an operating system command injection flaw in the admin web console of Ivanti CSA. Users are urged to update to the latest versions, Ivanti Connect Secure 22.7R2.6, Ivanti Policy Secure 22.7R1.3, and Ivanti CSA 5.0.5, as soon as possible to mitigate potential exploitation. While Ivanti is not aware of active exploitation, applying the patches promptly is imperative given the history of Ivanti appliances being weaponized.
Recommended read:
References:
- Vulnerability-Lookup: Security advisory for Ivanti Connect Secure, Policy Secure, and Secure Access Client (multiple CVEs).
- securityonline.info: Ivanti has disclosed multiple vulnerabilities affecting its Connect Secure, Policy Secure, and Secure Access Client products.
- The Hacker News: Ivanti Patches Critical Flaws in Connect Secure and Policy Secure – Update Now
- BleepingComputer: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems.
- securityonline.info: CVE-2025-22467 (CVSS 9.9): Ivanti Connect Secure Vulnerability Allows Remote Code Execution
- vulnerability.circl.lu: February Security Advisory Ivanti Connect Secure (ICS),Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs), has been published on Vulnerability-Lookup
- research.kudelskisecurity.com: Ivanti ICS, IPS, ISAC, CSA: Multiple Vulnerabilities Disclosed and Patched
- bsky.app: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems.
- socradar.io: Ivanti Security Update Addresses Severe Vulnerabilities in ICS, IPS, and ISAC (CVE-2025-22467, CVE-2024-38657, CVE-2024-10644)
@gbhackers.com - 38d
A critical remote code execution vulnerability, tracked as CVE-2025-0282, has been discovered in Ivanti Connect Secure, affecting versions prior to 22.7R2.5. The flaw is a stack-based buffer overflow that allows unauthenticated, remote attackers to execute arbitrary code. A proof-of-concept exploit, named CVE-2025-0282.rb, has been released; it demonstrates how attackers can bypass Address Space Layout Randomization (ASLR) by guessing the base address of a shared library, which took around 30 minutes in testing. The vulnerability affects the IF-T/TLS protocol handler on TCP port 443 and yields remote code execution with the privileges of the non-root "nr" user.
Ivanti has acknowledged the vulnerability and assigned it a critical CVSS score of 9.0, emphasizing the urgent need for patching. Security analysts have rated both the attacker value and the exploitability of this flaw as very high, further underlining its severity. The flaw was first observed in the wild around mid-December 2024, and a technical analysis by watchTowr on January 10th provided in-depth details of the exploitation mechanics. A related but separate vulnerability, CVE-2025-0283, concerning local privilege escalation, was also addressed by Ivanti; there are currently no reports of it being exploited.
Recommended read:
References:
- gbhackers.com: PoC Exploit Released for Ivanti Connect Secure RCE Vulnerability
- github.com: CVE-2025-0282: Ivanti Connect Secure IFT TLS Stack Overflow pre-auth RCE (CVE-2025-0282)
- securityaffairs.com: A critical remote code execution vulnerability (CVE-2025-0282) has been found in Ivanti Connect Secure, affecting versions prior to 22.7R2.5.
@thecyberexpress.com - 35d
US cybersecurity agencies CISA and the FBI have issued warnings about the active exploitation of four critical vulnerabilities in Ivanti Cloud Service Appliances (CSA). These flaws, designated CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380, are being leveraged by Chinese state-sponsored actors to breach vulnerable networks. The agencies released detailed technical information, including indicators of compromise (IOCs), and reported that attackers are using two primary exploit chains to gain unauthorized access, execute arbitrary code, and implant webshells on victim systems.
Specifically, one exploit chain combines CVE-2024-8963, CVE-2024-8190, and CVE-2024-9380, while the other uses CVE-2024-8963 together with CVE-2024-9379. These vulnerabilities affect Ivanti CSA 4.6.x before patch 519, and versions 5.0.1 and below for CVE-2024-9379 and CVE-2024-9380. Notably, CSA version 4.6 is end-of-life and no longer receives security patches, making it particularly susceptible. The agencies urge organizations to apply patches promptly and implement robust security measures against these active threats, further highlighting the speed at which disclosed vulnerabilities are weaponized.
Recommended read:
References:
- ciso2ciso.com: FBI/CISA Share Details on Ivanti Exploits Chains: What Network Defenders Need to Know
- Pyrzout :vm:: Four Critical Ivanti CSA Vulnerabilities Exploited—CISA and FBI Urge Mitigation
- www.bleepingcomputer.com: CISA and the FBI warned today that attackers are still exploiting Ivanti Cloud Service Appliances (CSA) security flaws patched since September to breach vulnerable networks.
- thecyberexpress.com: Four Critical Ivanti CSA Vulnerabilities Exploited—CISA and FBI Urge Mitigation
- www.helpnetsecurity.com: Report on Cisco's fixes for ClamAV vulnerability and a critical Meeting Management flaw.
- www.scworld.com: Ivanti CSA exploit chains examined in joint CISA, FBI advisory
- CySec Feeds: CISA and FBI Release Advisory on How Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications
- ciso2ciso.com: FBI/CISA Share Details on Ivanti Exploits Chains: What Network Defenders Need to Know – Source: www.securityweek.com
- Pyrzout :vm:: Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks – Source: cyble.com
- securityonline.info: CISA and FBI Warn of Exploited Ivanti CSA Vulnerabilities in Joint Security Advisory
- ciso2ciso.com: Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks
@gbhackers.com - 5d
Proof-of-concept exploit code has been released for critical vulnerabilities affecting Ivanti Endpoint Manager (EPM). Disclosed in January, these vulnerabilities allow remote, unauthenticated attackers to compromise systems through credential coercion. Security firm Horizon3.ai published the exploit code and technical details on February 19, 2025, raising the risk for organizations running the Ivanti EPM platform. The vulnerabilities stem from improper validation of user input, which lets attackers manipulate file paths and force the EPM server to authenticate to malicious SMB shares.
These vulnerabilities, identified as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159, affect the WSVulnerabilityCore.dll component of Ivanti EPM. An attacker can coerce the Ivanti EPM machine account credential into relay attacks, potentially leading to full domain compromise. The exploit chain therefore combines credential coercion with relay attacks.
Recommended read:
References:
- arcticwolf.com: On 19 February 2025, Horizon3.ai published proof-of-concept (PoC) exploit code and technical details for critical Ivanti Endpoint Manager (EPM) vulnerabilities disclosed in January.
- bsky.app: Horizon3 has published a write-up and POCs for four credential coercion vulnerabilities the company found and Ivanti patched in January. Bugs can be used by "an unauthenticated attacker to coerce the Ivanti EPM machine account credential to be used in relay attacks"
- gbhackers.com: PoC Exploit Released for Ivanti EPM Vulnerabilities
- gbhackers.com: GB Hackers Post on POC exploit for Ivanti vulnerabilities.
@thecyberexpress.com - 35d
Multiple critical vulnerabilities have been discovered in Ivanti Endpoint Manager (EPM) software, posing a significant risk to users. Tracked as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159, these path traversal flaws allow unauthenticated attackers to extract sensitive information from affected systems. Ivanti has released patches for these vulnerabilities, underscoring the need for proactive patching and system updates to mitigate potential exploits.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned that threat actors are actively exploiting vulnerabilities in Ivanti Cloud Service Appliances (CSA), some of which were patched as far back as September. Attackers have been observed using multiple exploit chains that leverage CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380 to achieve remote code execution, harvest credentials, and implant webshells on compromised networks. Notably, Ivanti CSA version 4.6 is now end-of-life and no longer receives patches, making it particularly susceptible to attack.
Recommended read:
References:
- ciso2ciso.com: FBI/CISA Share Details on Ivanti Exploits Chains: What Network Defenders Need to Know
- BleepingComputer: CISA and the FBI warned today that attackers are still exploiting Ivanti Cloud Service Appliances (CSA) security flaws patched since September
- Pyrzout :vm:: Four Critical Ivanti CSA Vulnerabilities Exploited—CISA and FBI Urge Mitigation
- thecyberexpress.com: Four Critical Ivanti CSA Vulnerabilities Exploited—CISA and FBI Urge Mitigation