Ivanti is reporting that threat actors are actively exploiting a zero-day vulnerability in its Connect Secure remote access solution.
The vulnerability was discovered when Ivanti’s Integrity Checker Tool (ICT) detected malicious activity on customer appliances. A subsequent investigation revealed that threat actors were exploiting a previously undocumented vulnerability for which no patch existed, making it a zero-day.
The vulnerability, now designated CVE-2025-0282 and rated critical, is a stack-based buffer overflow bug that could allow a remote, unauthenticated threat actor to execute code on the device. It impacts:
- Ivanti Connect Secure before version 22.7R2.5
- Ivanti Policy Secure before version 22.7R1.2
- Ivanti Neurons for ZTA gateways before version 22.7R2.3
While the flaw also affects Policy Secure and Neurons for ZTA gateways, exploitation has so far only been detected on a limited number of Connect Secure appliances.
Ivanti is urging impacted customers to use both the internal and external ICT to scan for signs of compromise. Even if the scan doesn’t detect malicious activity, Ivanti is recommending that users perform a factory reset before upgrading to Ivanti Connect Secure 22.7R2.5.
Ivanti plans to release patches for Policy Secure and Neurons for ZTA gateways on January 31st. The flaw poses a lower risk on these appliances because they are not designed to be internet-facing, which significantly reduces the likelihood of exploitation when they are deployed as intended.
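The affected-version list above is what an inventory check actually has to implement, and Ivanti version strings ("22.7R2.5") do not sort correctly as plain text. The following is an added example, not code from Ivanti, Bleeping Computer or Field Effect: it parses Ivanti's major.minor R release.patch format into a numeric tuple and flags every appliance running a build older than the first fixed release for its product. The product keys, the hostnames and the sample inventory are constructed for the example.

```python
import re
from typing import List, Tuple

# Ivanti version strings look like "22.7R2.5" (major.minor R release . patch).
# Appliances sometimes report the version without the trailing patch number
# ("22.7R2") or with a build suffix ("22.7R2.5 (build 1234)"); the anchored
# regex below tolerates both, taking only the leading version fields.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?")

# First fixed release per product, as listed in the advisory summary above.
# The product keys are example identifiers, not Ivanti's own naming.
FIXED_VERSIONS = {
    "connect_secure": "22.7R2.5",
    "policy_secure": "22.7R1.2",
    "zta_gateway": "22.7R2.3",
}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5) so versions compare numerically.

    A missing patch field is treated as 0, so '22.7R2' sorts before '22.7R2.1'.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the running build is older than the first fixed release.

    Every older build is flagged, including end-of-life branches such as
    9.1Rx that the advisory does not enumerate; for an inventory check that
    is the desired behaviour, since those appliances need review anyway.
    """
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def triage_inventory(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames of appliances whose version is below the fix."""
    return [
        host for host, product, version in inventory
        if is_vulnerable(product, version)
    ]


# Constructed sample inventory (hostname, product, reported version).
# These are not real appliances or real observations.
SAMPLE_INVENTORY = [
    ("vpn-01.example.internal", "connect_secure", "22.7R2.4"),
    ("vpn-02.example.internal", "connect_secure", "22.7R2.5 (build 1234)"),
    ("nac-01.example.internal", "policy_secure", "22.7R1.1"),
    ("zta-gw-01.example.internal", "zta_gateway", "22.7R2.3"),
    ("vpn-legacy.example.internal", "connect_secure", "9.1R18.9"),
]


if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: below fixed release, run ICT and schedule factory reset + upgrade")
```

The version check only tells you which appliances still need the upgrade; it says nothing about whether a given appliance has already been compromised. For that, the ICT scan that Ivanti asks for remains the authoritative step, and the factory reset before upgrading applies regardless of what the version comparison reports.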
Source: Bleeping Computer
Analysis
Ivanti struggled with vulnerabilities in many of its products in 2024, some of them zero-days targeted by nation-state actors to deploy various custom malware strains. This led Ivanti to implement a rigorous code review regime which it credited for proactively discovering multiple vulnerabilities. The company also released an enhanced version of its external ICT to provide additional visibility and protection for customers against evolving threat actor techniques related to previously disclosed vulnerabilities.
Ivanti’s efforts to proactively discover and quickly mitigate threats to its products appear to be paying off. With any luck, 2025 will be a much better year for the company in terms of zero-day exploitation of its products.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software like Ivanti Connect Secure. Field Effect MDR users are automatically notified if a vulnerable or end-of-life version of Connect Secure is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly recommends that users of affected Connect Secure appliances run Ivanti’s ICT to scan for signs of compromise and perform a factory reset before updating to the latest version as soon as possible, in accordance with Ivanti’s advisory.