Active Exploitation of Zero-Day Vulnerability in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Gateways
Summary
CVE-2025-0282 could allow an unauthenticated attacker to achieve RCE and is under active exploitation. Patches also fix CVE-2025-0283, which could be exploited to allow a local attacker to escalate their privileges.
Affected platforms
The following platforms are known to be affected:
- Ivanti Connect Secure
- Ivanti Policy Secure
- Ivanti Neurons for ZTA Gateways
Threat details
Zero-Day Exploitation of CVE-2025-0282
Ivanti has advised that CVE-2025-0282 is under zero-day exploitation against a limited number of Ivanti Connect Secure appliances.
SSLVPN appliances are internet-facing by design and are frequent targets for cyber threat groups. Vulnerabilities in SSLVPN appliances are often exploited soon after official disclosure, and broader exploitation of CVE-2025-0282 is expected.
Introduction
Ivanti has released a security advisory to address one critical vulnerability and one high-severity vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways. These products provide virtual private network (VPN), network access control, and security monitoring functionality.
Vulnerability Details
- CVE-2025-0282 is a 'stack-based buffer overflow' vulnerability with a CVSSv3 score of 9.0. If exploited, a remote unauthenticated attacker could achieve remote code execution (RCE).
- CVE-2025-0283 is a 'stack-based buffer overflow' vulnerability with a CVSSv3 score of 7.0. If exploited, a local authenticated attacker could escalate their privileges.
Remediation advice
Affected organisations must review the Ivanti Security Advisory and must complete all required actions detailed below before marking this high-severity Cyber Alert as complete.
Note: Patches for Ivanti Policy Secure and Ivanti Neurons for ZTA gateways are not expected to be released until 21 January 2025.
Remediation steps
Type | Step | Reference
---|---|---
Action | Step 1: Affected organisations must run an internal and external scan using Ivanti's Integrity Checker Tool (ICT) to detect evidence of compromise. If evidence of exploitation is detected, before completing any other steps organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected] | https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US
Action | Step 2: If no evidence of compromise is detected, Ivanti strongly recommends affected organisations perform a factory reset on the appliance. | https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US
Patch | Step 3: Affected organisations are required to apply the latest available security patch for the appliance. Organisations should continue to closely monitor the appliance using the ICT and other security tools. See the advisory for Ivanti Connect Secure resolved versions, Ivanti Policy Secure resolved versions, and Ivanti Neurons for ZTA Gateways resolved versions. | https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US
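The patch step above is usually worked through against an inventory of appliances rather than one device at a time. The following Python helper is an added example (not code from NHS England, Ivanti or the alert) that classifies each appliance as patched, needing a patch, or awaiting a patch that the vendor has not yet released (the alert states that Policy Secure and ZTA gateway patches are not expected until 21 January 2025). It assumes appliance versions follow a "MAJOR.MINORrRELEASE.PATCH" shape such as "22.7R2.3"; the resolved-version thresholds, hostnames and inventory rows are constructed placeholders, and the real resolved versions must be taken from the Ivanti advisory.

```python
# Added inventory-triage helper for the patch step of the alert.
# Not NHS England's or Ivanti's code. The version format and the
# resolved-version thresholds below are assumptions / placeholders.
import re

# Constructed placeholder thresholds: replace each string with the
# resolved version published in the Ivanti advisory for that product.
# None means the alert says no patch is available yet for the product.
RESOLVED_VERSIONS = {
    "Ivanti Connect Secure": "22.9R9.9",          # placeholder, not a real fixed version
    "Ivanti Policy Secure": None,                  # patch expected 21 January 2025 (per alert)
    "Ivanti Neurons for ZTA Gateways": None,       # patch expected 21 January 2025 (per alert)
}

# Assumed shape of an appliance version string, e.g. "22.7R2.3" or "22.7R2".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn an assumed Ivanti-style version string into a comparable tuple.

    A missing trailing patch number is treated as 0, so "22.7R2" sorts
    below "22.7R2.1". Unrecognised strings raise ValueError rather than
    silently comparing as 'patched'.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def triage(product, version):
    """Classify one appliance for the patch step.

    Returns one of:
      "patched"     - running the resolved version or later
      "patch"       - below the resolved version and a patch is available
      "await-patch" - the alert says no patch exists yet; keep monitoring with the ICT
      "unknown"     - product is not covered by this alert
    """
    if product not in RESOLVED_VERSIONS:
        return "unknown"
    resolved = RESOLVED_VERSIONS[product]
    if resolved is None:
        return "await-patch"
    if parse_version(version) >= parse_version(resolved):
        return "patched"
    return "patch"


def triage_inventory(rows):
    """rows: iterable of (hostname, product, version). Returns {hostname: status}."""
    return {host: triage(product, ver) for host, product, ver in rows}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("vpn-1.example.internal", "Ivanti Connect Secure", "22.7R2.3"),
    ("vpn-2.example.internal", "Ivanti Connect Secure", "22.9R9.9"),
    ("nac-1.example.internal", "Ivanti Policy Secure", "22.7R1.2"),
    ("zta-1.example.internal", "Ivanti Neurons for ZTA Gateways", "22.7R2.1"),
    ("fw-1.example.internal", "Other vendor", "1.0"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Appliances reported as "await-patch" still need Steps 1 and 2 (ICT scan and, where clean, factory reset) and should be re-checked once the vendor releases the patch; the helper only tracks the version-comparison part of Step 3.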
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 9 January 2025 11:31 am