
CVE-2025-0282, CVE-2025-0283: Active Exploitation of Ivanti Vulnerabilities

Published: 10 January 2025

Prepared by: Joel D'Souza, Technical Customer Success Manager

Purpose

The purpose of this bulletin is to provide context and address the recently disclosed CRITICAL-risk vulnerabilities present in several versions of Ivanti Connect Secure, Ivanti Neurons for ZTA Gateways, and Ivanti Policy Secure.  

As these vulnerabilities allow potential attackers to perform unauthenticated remote code execution, the Triskele Labs team advises that all organisations using affected versions of Ivanti should follow the remediation steps outlined in the subsequent sections to mitigate the threat associated with vulnerable versions of these devices.  

On January 9th, 2025, the Australian Cyber Security Centre (ACSC) released a vulnerability disclosure focused on CVE-2025-0282 and CVE-2025-0283, recommending that all organisations patch the affected devices as a priority because the vendor was aware of active exploitation.

The ACSC, the US Cybersecurity and Infrastructure Security Agency (CISA), and several other intelligence agencies had previously released a joint advisory in February 2024 addressing the threat of active exploitation of known Ivanti vulnerabilities. CISA also added CVE-2025-0282 to its Known Exploited Vulnerabilities (KEV) catalogue on January 8th, 2025, based on evidence of active exploitation.

The following vulnerabilities have been recently disclosed or updated by the vendor: 

  • CVE-2025-0282: Stack-based buffer overflow that allows a remote unauthenticated attacker to achieve remote code execution.
  • CVE-2025-0283: Stack-based buffer overflow that enables privilege escalation for a local authenticated user.

Additional information around each of these vulnerabilities can be found in the resources listed in the References section. 

On January 9th, 2025, Mandiant issued an advisory indicating that its research teams had identified zero-day exploitation of CVE-2025-0282 across devices belonging to multiple organisations. Mandiant has identified the deployment of several malware families, designated SPAWN, DRYHOOK, and PHASEJAM, following exploitation of this vulnerability by threat actors. The threat actor behaviour and post-exploitation steps identified by their research team have been documented in their threat intelligence blog post.

As of January 10th, 2025, Proof-of-Concept (PoC) code for these vulnerabilities has not been publicly released.

 

Impact

The attack paths for each of these vulnerabilities could be used for credential harvesting, network traversal, and network reconnaissance. Due to the criticality of these vulnerabilities and their potential exploitation, devices using affected versions of Ivanti should be treated as an optimal target for a threat actor and patched as a priority for the business, to prevent exfiltration of data and leakage of Personally Identifiable Information (PII), credentials, and other sensitive data. 

Affected Versions  

The following extract of affected devices was provided by Ivanti on their vulnerability disclosure. For an updated list of affected versions and patch availability, please refer to the vendor advisory. 

| CVE | Product Name | Affected Version(s) | Resolved Version(s) | Patch Availability |
|---|---|---|---|---|
| CVE-2025-0282 | Ivanti Connect Secure | 22.7R2 through 22.7R2.4 | 22.7R2.5 | Download Portal: https://portal.ivanti.com/ |
| CVE-2025-0283 | Ivanti Connect Secure | 22.7R2.4 and prior, 9.1R18.9 and prior | 22.7R2.5 | Download Portal: https://portal.ivanti.com/ |
| CVE-2025-0282 | Ivanti Policy Secure | 22.7R1 through 22.7R1.2 | | Patch planned availability Jan. 21 |
| CVE-2025-0283 | Ivanti Policy Secure | 22.7R1.2 and prior | | Patch planned availability Jan. 21 |
| CVE-2025-0282 | Ivanti Neurons for ZTA gateways | 22.7R2 through 22.7R2.3 | 22.7R2.5 | Patch planned availability Jan. 21 |
| CVE-2025-0283 | Ivanti Neurons for ZTA gateways | 22.7R2.3 and prior | 22.7R2.5 | Patch planned availability Jan. 21 |

Please Note: Ivanti has advised that they have found no evidence of active exploitation of Ivanti Neurons ZTA gateways. They have determined that these gateways cannot be exploited when in production and connected to a ZTA controller. However, they have found that gateways that have been generated and have not been connected to the ZTA controller have an active risk of exploitation. 
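The following is an added example, not code from Triskele Labs or Ivanti, that turns the affected-version table above into an inventory check: it parses Ivanti's "major.minorRrelease.patch" version strings and reports which of the two CVEs apply to a given product and version. It assumes that "X and prior" covers only the same major.minor release line as X (which is why 9.1R18.9 is listed separately from 22.7R2.4), and the inventory it runs over is constructed sample data.

```python
import re

# Ivanti versions in the bulletin use "<major>.<minor>R<release>[.<patch>]", e.g. 22.7R2.4 or 9.1R18.9.
_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(v: str) -> tuple:
    """'22.7R2.4' -> (22, 7, 2, 4), comparable as a tuple; a missing patch number counts as 0."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {v!r}")
    return tuple(int(x or 0) for x in m.groups())

# Affected ranges transcribed from the table above as (lower, upper), both inclusive. A lower bound of
# None encodes "<upper> and prior", assumed here to cover only that major.minor release line.
AFFECTED = {
    "CVE-2025-0282": {"Ivanti Connect Secure": [("22.7R2", "22.7R2.4")],
                      "Ivanti Policy Secure": [("22.7R1", "22.7R1.2")],
                      "Ivanti Neurons for ZTA gateways": [("22.7R2", "22.7R2.3")]},
    "CVE-2025-0283": {"Ivanti Connect Secure": [(None, "22.7R2.4"), (None, "9.1R18.9")],
                      "Ivanti Policy Secure": [(None, "22.7R1.2")],
                      "Ivanti Neurons for ZTA gateways": [(None, "22.7R2.3")]},
}
# Resolved versions from the table; None means no patch had been released when the bulletin was written.
RESOLVED = {"Ivanti Connect Secure": "22.7R2.5", "Ivanti Policy Secure": None,
            "Ivanti Neurons for ZTA gateways": "22.7R2.5"}

def affected_cves(product: str, version: str) -> list:
    """CVEs from the table that apply to this product/version; empty list when none do."""
    v, hits = parse_version(version), []
    for cve, by_product in AFFECTED.items():
        for lo, hi in by_product.get(product, []):
            hi_t = parse_version(hi)
            if v <= hi_t and (v[:2] == hi_t[:2] if lo is None else parse_version(lo) <= v):
                hits.append(cve)
                break
    return hits

def triage(inventory: list) -> list:
    """Turn (product, version) pairs into records listing matching CVEs and the version to move to."""
    return [{"product": p, "version": ver, "cves": affected_cves(p, ver),
             "fix": RESOLVED.get(p) or "no patch released yet; see vendor advisory"}
            for p, ver in inventory]

# Constructed sample inventory (not real asset data) so the check runs end to end.
SAMPLE = [("Ivanti Connect Secure", "22.7R2.3"), ("Ivanti Connect Secure", "9.1R18.9"),
          ("Ivanti Policy Secure", "22.7R1.2"), ("Ivanti Connect Secure", "22.7R2.5")]

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec)
```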

 

Mitigation Actions

If you are utilising an Ivanti device impacted by these vulnerabilities, Triskele Labs recommends reviewing the logs for unusual activity and running the vendor-recommended Integrity Checker Tool ("ICT"). Commercially available tools such as Qualys and Rapid7 also provide detection capabilities for vulnerable network devices.

The External Integrity Checker Tool (ICT) version ICT-V22725 is only compatible with versions of Ivanti Connect Secure 22.7R2.5 and above. 

Ivanti has released software updates for some affected versions of Ivanti Connect Secure and Policy Secure Gateway, with pending patches for the other affected versions, and pending patches for all affected versions of Ivanti Neurons for ZTA gateways.  

The following steps for assessing potential compromise or active exploitation from these threats were provided by CISA.

(1) Conduct threat hunting actions:   

  • Run the In-Build Integrity Checker Tool (ICT). Instructions can be found here.  
  • Conduct threat hunt actions on any systems connected to—or recently connected to—the affected Ivanti device.   

(2) If threat hunting actions determine no compromise:  

  • Monitor the authentication or identity management services that could be exposed.  
  • Continue to audit privilege level access accounts.  

(3) If threat hunting actions determine compromise:  

  • Report the issue to Triskele Labs via the SOC portal or our SOC helpline immediately to start forensic investigation and incident response activities.   
  • Disconnect instances of affected Ivanti Connect Secure products.   
  • Isolate the systems from any enterprise resources to the greatest degree possible.  
  • Revoke and reissue any connected or exposed certificates, keys, and passwords, including the following:
    • Reset the admin enable password.
    • Reset stored application programming interface (API) keys.
    • Reset the password of any local user defined on the gateway, including service accounts used for auth server configuration(s). 
  • If domain accounts associated with the affected products have been compromised: 
    • Reset passwords twice for on-premises accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments.
    • For cloud joined/registered devices, disable devices in the cloud to revoke the device tokens. 
  • After investigation, fully patch and restore system prior to returning any device to service. 

Triskele Labs recommends upgrading to the latest version of Ivanti Connect Secure and Ivanti Policy Secure where a compatible version is available, using the steps provided by CISA to ensure permanent mitigation. For organisations running Ivanti Neurons for ZTA Gateways, or Ivanti Connect Secure and Ivanti Policy Secure versions whose patches are not yet released, Triskele Labs recommends continuous monitoring of the event sources and periodically running the Ivanti ICT to test for active exploitation.

Triskele Labs recommends applying updates to these devices as a priority upon release from the vendor. Additionally, Triskele Labs recommends auditing environments that incorporate Ivanti Neurons for ZTA Gateways for any generated gateways that have not been connected to a ZTA controller and decommissioning them to prevent exploitation.

All customers with our Monitor service (24x7x365 Managed Detection and Response) are - as always - being monitored for IOCs and Lateral Movement, with heightened vigilance around Ivanti-related alerts. Triskele Labs SOC customers with our Vulnerability Scanning service are being assessed currently. 

 

References