
Active Exploitation of Zero-Day Vulnerability in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Gateways

CVE-2025-0282 could allow an unauthenticated attacker to achieve RCE and is under active exploitation. Patches also fix CVE-2025-0283 which could be exploited to allow a local attacker to escalate their privileges.



Threat details

Zero-Day Exploitation of CVE-2025-0282

Ivanti has advised that CVE-2025-0282 is under zero-day exploitation against a limited number of Ivanti Connect Secure appliances.

SSLVPN appliances are internet-facing by design and are frequent targets for cyber threat groups. Vulnerabilities in SSLVPN appliances are often exploited soon after public disclosure, so broader exploitation of CVE-2025-0282 should be expected.


Introduction

Ivanti has released a security advisory to address one critical vulnerability and one high-severity vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways. These products provide virtual private network (VPN), network access control, and security monitoring functionality.


Vulnerability Details

  • CVE-2025-0282 is a stack-based buffer overflow vulnerability with a CVSSv3 score of 9.0 (critical). If exploited, a remote unauthenticated attacker could execute arbitrary code on the appliance (remote code execution, RCE).
  • CVE-2025-0283 is a stack-based buffer overflow vulnerability with a CVSSv3 score of 7.0 (high). If exploited, a local authenticated attacker could escalate their privileges on the appliance.

Remediation advice

Affected organisations must review the Ivanti Security Advisory and must complete all required actions detailed below before marking this high severity Cyber Alert as complete.

Note: Patches for Ivanti Policy Secure and Ivanti Neurons for ZTA gateways are not expected to be released until 21 January 2025.


Remediation steps

Step 1 (Type: Action)

Affected organisations must run an internal and external scan using Ivanti's Integrity Checker Tool (ICT) to detect evidence of compromise.

  • Note: Running the ICT will require a restart of gateway appliances.

If evidence of exploitation is detected, organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected], before completing any other steps.


Reference: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US

Step 2 (Type: Action)

If no evidence of compromise is detected, Ivanti strongly recommends affected organisations perform a factory reset on the appliance.


Reference: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US

Step 3 (Type: Patch)

Affected organisations are required to apply the latest available security patch for the appliance. Organisations should continue to closely monitor the appliance using the ICT and other security tools.

Ivanti Connect Secure resolved versions

  • 22.7R2.5
  • Patches are available now

Ivanti Policy Secure resolved versions

  • Not resolved
  • Patches are expected to be available on 21 January 2025

Ivanti Neurons for ZTA Gateways resolved versions

  • 22.7R2.5
  • Patches are expected to be available on 21 January 2025

Reference: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US
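As an added example (not part of the NHS England alert or of Ivanti's tooling), the following Python script triages an inventory of appliances against the resolved versions listed in Step 3, so that an estate with many gateways can be checked consistently. It assumes that Ivanti version strings follow the <major>.<minor>R<release>[.<patch>] pattern seen in this alert, it treats any version below the resolved version as still needing the patch (an assumption to be checked against the affected-version list in the Ivanti advisory), and the hostnames and versions in its inventory are constructed for the example. It does not replace the ICT scan in Step 1: a current version number says nothing about whether the appliance was compromised before it was patched.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Resolved (fixed) versions as listed in this alert. Ivanti Policy Secure had
# no resolved version at the time of the alert, so it is recorded as None.
RESOLVED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": None,
    "Ivanti Neurons for ZTA Gateways": "22.7R2.5",
}

# Assumed version-string format: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse an Ivanti-style version string into a comparable tuple.

    A missing patch component (e.g. "22.7R2") is treated as patch 0, so
    22.7R2 sorts below 22.7R2.1. Unexpected input raises ValueError rather
    than being silently classified as patched or unpatched.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


@dataclass(frozen=True)
class ApplianceStatus:
    hostname: str
    product: str
    version: str
    needs_patch: bool
    reason: str


def assess(hostname: str, product: str, version: str) -> ApplianceStatus:
    """Decide whether an appliance still needs the fix for CVE-2025-0282/0283.

    Assumption: any version below the resolved version listed in the alert
    is treated as needing the patch.
    """
    if product not in RESOLVED_VERSIONS:
        raise ValueError(f"unknown product: {product!r}")
    resolved: Optional[str] = RESOLVED_VERSIONS[product]
    if resolved is None:
        # No fix to move to yet; the appliance stays exposed and must remain
        # on the ICT scanning and monitoring track from Steps 1 to 3.
        return ApplianceStatus(hostname, product, version, True,
                               "no resolved version published yet")
    if parse_version(version) >= parse_version(resolved):
        return ApplianceStatus(hostname, product, version, False,
                               f"at or above resolved version {resolved}")
    return ApplianceStatus(hostname, product, version, True,
                           f"below resolved version {resolved}")


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("vpn-gw-01", "Ivanti Connect Secure", "22.7R2.3"),
    ("vpn-gw-02", "Ivanti Connect Secure", "22.7R2.5"),
    ("nac-01", "Ivanti Policy Secure", "22.7R1.2"),
    ("zta-gw-01", "Ivanti Neurons for ZTA Gateways", "22.7R2"),
]


def triage(inventory=SAMPLE_INVENTORY) -> List[ApplianceStatus]:
    """Return the appliances that still need action, in inventory order."""
    results = [assess(host, product, version) for host, product, version in inventory]
    return [r for r in results if r.needs_patch]


if __name__ == "__main__":
    for status in triage():
        print(f"{status.hostname}: {status.product} {status.version} -> {status.reason}")
```

Run it against a real inventory export by replacing SAMPLE_INVENTORY; any appliance whose version string does not match the assumed pattern is reported as an error on purpose, so that an unparseable version is investigated rather than assumed safe.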


Last edited: 9 January 2025 11:31 am