The UK’s National Cyber Security Centre (NCSC) and its US counterpart have issued an urgent advisory to Ivanti customers after discovering two critical vulnerabilities, one of which is actively exploited. Read on to see how the Ivanti Zero-Day Vulnerability was exploited.
Details of how the Ivanti Zero-Day Vulnerability was exploited
Ivanti released a security advisory detailing two stack-based buffer overflow flaws in its Ivanti Connect Secure, Policy Secure, and ZTA gateway products:
CVE-2025-0282: A critical zero-day vulnerability with a CVSS score of 9.0, allowing unauthenticated remote code execution (RCE). This vulnerability affects:
- Ivanti Connect Secure (pre-22.7R2.5)
- Ivanti Policy Secure (pre-22.7R1.2)
- Ivanti Neurons for ZTA gateways (pre-22.7R2.3)
CVE-2025-0283: A privilege escalation vulnerability enabling local authenticated attackers to gain elevated access. It affects the same product versions as CVE-2025-0282.
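As an added illustration (not code from the advisory or from Ivanti), the following script triages an appliance inventory against the version thresholds listed above, treating every build below the stated version as in the affected range; the product labels, the version-string parser and the sample hosts are constructed for this example. A version check only flags candidates for follow-up and does not replace running Ivanti's Integrity Checker Tool on each appliance.

```python
import re

# Fixed versions as listed in the advisory summary above. Builds *below*
# these fall in the affected "pre-" ranges for CVE-2025-0282/-0283.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA gateways": "22.7R2.3",
}

# Assumed shape of Ivanti version strings, e.g. 22.7R2.5:
# major.minor, an "R" release number, and an optional patch level.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch level counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(product: str, version: str) -> bool:
    """True when the installed build predates the fixed version for that product."""
    fixed = FIXED_VERSIONS[product]
    return parse_version(version) < parse_version(fixed)


def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return hostnames whose build is in an affected range.

    Each inventory entry is (hostname, product, installed version)."""
    return [host for host, product, version in inventory if is_affected(product, version)]


# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = [
    ("vpn-1.example.test", "Ivanti Connect Secure", "22.7R2.4"),
    ("vpn-2.example.test", "Ivanti Connect Secure", "22.7R2.5"),
    ("nac-1.example.test", "Ivanti Policy Secure", "22.7R1"),
    ("zta-1.example.test", "Ivanti Neurons for ZTA gateways", "22.7R2.3"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected build, run the ICT and plan factory reset + patch")
```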
Microsoft and Google Mandiant researchers discovered the issues, with Mandiant reporting active exploitation of CVE-2025-0282 since mid-December 2024. However, no exploitation of CVE-2025-0283 has been observed to date.
Exploitation Details
According to Ivanti, CVE-2025-0282 has been exploited on a limited number of Ivanti Connect Secure appliances. There are no reports of in-the-wild exploitation affecting Ivanti Policy Secure or ZTA gateways.
Mitigation and Next Steps
Patches for Ivanti Connect Secure are available. Updates for Policy Secure and ZTA gateways are expected by 21 January 2025; no active exploitation of these products has been reported.
Recommended Actions
Ivanti, the NCSC, and the US Cybersecurity and Infrastructure Security Agency (CISA) recommend the following measures:
- Run Ivanti’s Integrity Checker Tool (ICT): Use it to identify potential exploitation of CVE-2025-0282.
- Report Compromises: Immediately notify the NCSC (for UK-based organisations) or CISA if exploitation is detected.
- Update Systems: Perform a factory reset and apply the latest patch for Ivanti Connect Secure.
- Secure Configurations: Ensure Ivanti Policy Secure appliances are correctly configured and not exposed to the internet.
- Monitor ZTA Gateways: Although ZTA gateways in production are secure, gateways left unconnected to a ZTA controller may be vulnerable.
- Continuous Monitoring: Implement robust threat-hunting and monitoring practices.
A Year of Ongoing Challenges
This incident comes almost a year after a high-severity authentication bypass vulnerability was discovered in the same Ivanti products. It underscores the importance of proactive security measures and swift patch management to mitigate risks.
At Neuways, our Threatsafe team provides proactive monitoring, vulnerability management, and tailored advice to help organisations protect their critical infrastructure. Contact us today to ensure your systems remain secure against emerging threats.