Zero-day exploits plague Ivanti Connect Secure appliances for second year running

The cybersecurity industry is urging those in charge of defending their orgs to take mitigation efforts "seriously" as Ivanti battles two dangerous new vulnerabilities, one of which was already being exploited as a zero-day.

It's just under a year since the last high-profile security snafu hit the vendor and now two new flaws are ready to be patched at the earliest opportunity:

• CVE-2025-0282 (9.0 severity – critical): The worst of the two is a stack-based buffer overflow bug leading to unauthenticated remote code execution. This is the one that was already exploited, affecting Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3.

• CVE-2025-0283 (7.0 severity – high): The lesser of the two evils is another stack-based buffer overflow leading to privilege escalation for locally authenticated attackers. The same products and versions are affected.

The two issues aren't believed to be chained in the attacks. Ivanti said that CVE-2025-0282 is the exploited zero-day, but they just happened to find CVE-2025-0283 during the threat-hunting phase and decided to include it in the advisory.

The vulnerabilities will come as especially unwelcome news given that Connect Secure and Policy Secure, closely followed by ZTA Gateways – the subjects of last year's infamous flaws – are again involved here.

The fallout from the earlier zero-days, the resulting exploits (believed to be in the thousands), and flawed mitigation strategy prompted the company to commit to a secure-by-design development overhaul, according to an open letter penned by former CEO Jeff Abbott.

Ivanti customers looking for guidance now are advised to run its Integrity Checker Tool (ICT), which offers a little more information about the state of their appliance but shouldn't be relied upon to detect exploit activity or indicators of compromise.

"The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state," Ivanti said in its advisory. "The ICT does not scan for malware or other Indicators of Compromise. Customers should run the ICT in conjunction with other monitoring tools. 

"Indicators of Compromise will be shared with customers that have confirmed impact to move them forward in their forensics investigation. If customers require additional information, they should open a ticket with support."

Updates for Connect Secure are out now, with the vendor urging all users to upgrade to version 22.7R2.5 or later as soon as possible, after performing a factory reset of the device.

However, Policy Secure and ZTA Gateways won't receive their upgrades until January 21. Ivanti said in its advisory that the former should never be exposed to the web anyway, and isn't known to be a target of the ongoing exploits.

• Three more vulns spotted in Ivanti CSA, all critical, one 10/10
• CISA adds fresh Ivanti vuln, critical Fortinet bug to hall of shame
• Ivanti patches exploited admin command execution flaw
• CISA says crooks used Ivanti bugs to snoop around high-risk chemical facilities

The latter can't be exploited while in production, but if a gateway is generated and left unconnected to a ZTA controller, then a risk of exploitation exists, Ivanti said.

Zero-day attack profile

Mandiant was drafted in to help Ivanti with the investigations into the known exploits and the threat intel specialists detailed the attacks in its own blog, noting the incidents occurred as early as mid-December.

In at least one case currently under examination, the group behind the attacks deployed payloads from the Spawn ecosystem of malware, which has previously been linked with the activity cluster Mandiant tracks as UNC5337, which in turn has ties to UNC5221 – a known China-nexus group.

Other appliances have shown signs of novel malware families, which are now being tracked as Dryhook and Phasejam. Never seen before, these families aren't tied to a specific group or activity cluster.

"It is possible that multiple actors are responsible for the creation and deployment of these various code families (i.e. Spawn, Dryhook, and Phasejam), but as of publishing this report, we don't have enough data to accurately assess the number of threat actors targeting CVE-2025-0282," Mandiant said.

According to the folks over at watchTowr, who are still working through their own investigations of the issues, the activity has the hallmarks of an advanced persistent threat (APT) campaign.

Benjamin Harris, watchTowr's CEO, said: "Our concern is significant as this has all the hallmarks of APT usage of a zero-day against a mission-critical appliance. It also resembles the behavior and drama circulating Ivanti products that we as an industry saw in January 2024, and we can only hope that Ivanti has learned from that experience with regard to actioning an effective response.

"Ivanti Connect Secure users have a patch available, but once again - patches for other affected appliances like Ivanti's Policy Secure and Neurons for ZTA gateways are left waiting three weeks for a patch. Users of these products should not hesitate – these appliances should be pulled offline until patches are available.

"watchTowr client or not – we urge everyone to please take this seriously. Throw your vulnerability SLAs into the proverbial wind in situations like this, they are no longer relevant and the difference between a rapid response, and a response in hours, could be the difference between your organization calling your cyber insurer or not."

Mandiant added that "defenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access."

Should public exploits be made available, other groups and individuals are likely to exploit the vulnerabilities as well, so applying the available patches and pulling Policy Secure and ZTA Gateway appliances offline should be carried out as soon as possible. ®