Ivanti users face a fresh zero-day vulnerability, raising suspicions of state-backed involvement
CVE-2025-0282 (CVSS 9.0), a critical stack-based buffer overflow in Ivanti Connect Secure, Policy Secure and Neurons for ZTA gateways, has been actively exploited in the wild since mid-December 2024. The flaw lets an unauthenticated remote attacker execute arbitrary code on an affected appliance, which is a severe risk for any organisation with an internet-facing Ivanti Connect Secure device.
The exploitation of CVE-2025-0282 continues a pattern of critical zero-days in Ivanti's edge infrastructure. In January 2024, CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection) were rapidly exploited; chained together they also gave unauthenticated remote code execution, and the episode significantly damaged Ivanti's reputation for security.
Mandiant Consulting CTO Charles Carmakal has stated that the threat actor behind CVE-2025-0282 uses a novel technique to trick administrators into believing they have successfully upgraded a compromised appliance. The malware (Mandiant tracks it as PHASEJAM) blocks the real upgrade while rendering a convincing fake upgrade progress display, so the device stays on the vulnerable, backdoored build while the console reports success.
Organisations using Ivanti Connect Secure appliances should treat patching as urgent: upgrade to the fixed release (22.7R2.5 for Connect Secure), run Ivanti's external Integrity Checker Tool (ICT) rather than trusting the appliance's own upgrade status, and factory-reset any device on which the ICT indicates compromise before rebuilding it. Beyond that, follow the usual practices for securing remote access: phishing-resistant multi-factor authentication (MFA), minimal exposure of management interfaces, and reliable, tested backups.
As of the most recent advisories, exploitation of Ivanti Policy Secure or Neurons for ZTA gateways via this CVE has not been reported. Ivanti's reasoning is that Policy Secure is not intended to be internet-facing and that a ZTA gateway cannot be exploited while it is in production, so those products are less exposed to the typical attack path; fixes for them were scheduled to follow the Connect Secure patch. On compromised Connect Secure appliances, however, investigators found the SPAWN malware ecosystem (a persistent installer, tunneler and SSH backdoor), DRYHOOK (a credential harvester) and PHASEJAM (a web shell dropper that also blocks upgrades), confirming that attackers are actively working vulnerable appliances.
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0282 to its Known Exploited Vulnerabilities catalog on 8 January 2025 and issued an alert urging organisations to hunt for malicious activity on Ivanti instances and report findings to the agency. Mandiant has attributed the SPAWN malware used after exploitation of CVE-2025-0282 to UNC5337, a China-nexus cluster it suspects is part of UNC5221, the group behind the January 2024 Ivanti exploitation; the other malware families have not been attributed to a specific actor.
The Connect Secure exploitation also follows a year in which Ivanti customers were hit by multiple actively exploited CVEs across other products, including Ivanti Cloud Service Appliance and Ivanti Endpoint Manager.
Ivanti said that at the time of disclosure it was aware of a limited number of customers whose Connect Secure appliances had been exploited through CVE-2025-0282, and it released a patch alongside the advisory. Organisations should keep monitoring for official patches and advisories, as the threat landscape for Ivanti products remains dynamic and high-risk. CISA said a pair of its systems were impacted by the attacks, but no data was stolen.
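Because the malware described above makes the appliance's own upgrade status untrustworthy, a first-pass fleet check should compare the version string each device reports before and after an upgrade, independently of what the upgrade screen said. The script below is an added example and is not code from the article, from Ivanti or from Mandiant. It assumes Ivanti's version strings follow the visible major.minorRrelease[.patch] pattern (for example 22.7R2.4), takes 22.7R2.5 as the fixed Connect Secure release, and uses a constructed three-appliance inventory as input; a version string is only a sanity check and does not replace running the external Integrity Checker Tool.

```python
import re
from typing import Dict, List, Tuple

# Ivanti's fixed Connect Secure release for CVE-2025-0282 (vendor advisory).
FIXED_ICS_VERSION = "22.7R2.5"

# Assumed version format: major.minorRrelease[.patch], optionally followed by a build tag.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?")

STATUS_PATCHED = "patched"
STATUS_BLOCKED = "version unchanged after upgrade; suspect blocked upgrade, verify with external ICT"
STATUS_STILL_VULNERABLE = "upgraded but still below fixed version"

# Constructed sample inventory (hypothetical hostnames and versions, not real telemetry):
# 'before' is the version recorded before the upgrade, 'after' is what the device reports now.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"name": "vpn-1", "before": "22.7R2.4", "after": "22.7R2.5"},   # upgrade landed
    {"name": "vpn-2", "before": "22.7R2.4", "after": "22.7R2.4"},   # console said OK, version did not move
    {"name": "vpn-3", "before": "22.6R2.1", "after": "22.7R2.4"},   # moved, but not far enough
]


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.4' (or '22.7R2.4 (build 1234)') into a comparable tuple.

    A missing patch component is treated as 0. Raises ValueError on anything
    that does not start with the major.minorRrelease pattern.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(version: str, fixed: str = FIXED_ICS_VERSION) -> bool:
    """True when the reported version sorts below the fixed release."""
    return parse_version(version) < parse_version(fixed)


def upgrade_took_effect(before: str, after: str) -> bool:
    """True only if the version reported after the upgrade is actually newer."""
    return parse_version(after) > parse_version(before)


def assess_fleet(appliances: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Classify each appliance; an unchanged version on a still-vulnerable build is the red flag."""
    findings = []
    for a in appliances:
        if not is_vulnerable(a["after"]):
            status = STATUS_PATCHED
        elif not upgrade_took_effect(a["before"], a["after"]):
            status = STATUS_BLOCKED
        else:
            status = STATUS_STILL_VULNERABLE
        findings.append((a["name"], status))
    return findings


if __name__ == "__main__":
    for name, status in assess_fleet(SAMPLE_INVENTORY):
        print(f"{name}: {status}")
```

Any appliance reported as "version unchanged" after an administrator says the upgrade succeeded should be treated as suspect and checked with the external ICT before it is trusted again; a device that genuinely moved versions but is still below 22.7R2.5 simply needs the real upgrade.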
- The exploitation of CVE-2025-0282, a stack-based buffer overflow in Ivanti Connect Secure, shows why organisations with internet-facing Ivanti appliances need timely threat intelligence: the vulnerability was being exploited weeks before it was disclosed.
- The post-exploitation tooling is built to survive remediation. One component blocks the appliance's real upgrade while showing a fake successful upgrade, so an administrator's report of a completed update is not evidence that the patch was applied; Mandiant has tied the SPAWN malware in these intrusions to the China-nexus cluster UNC5337.
- Alongside urgent patching, organisations using Ivanti Connect Secure should verify appliance integrity with Ivanti's external Integrity Checker Tool and apply the standard controls for remote access: phishing-resistant multi-factor authentication (MFA), minimal exposure of management interfaces, and reliable, tested backups.