Ivanti has announced a critical-severity vulnerability (CVE-2025-0282) affecting Connect Secure, Policy Secure, and Neurons for ZTA gateways. Successful exploitation gives a remote, unauthenticated attacker arbitrary code execution on the appliance.

Background

On January 8th 2025, Ivanti disclosed two vulnerabilities impacting Connect Secure (ICS), Policy Secure (IPS), and Neurons for ZTA gateways: CVE-2025-0282 and CVE-2025-0283.

CVE-2025-0282 is a stack-based buffer overflow reachable without authentication, allowing remote code execution on the appliance. Exploitation of this vulnerability has been observed in the wild since mid-December 2024. CVE-2025-0283 is also a stack-based buffer overflow, but it requires a local authenticated attacker and allows privilege escalation rather than unauthenticated remote code execution.

Ivanti has released a patch for Connect Secure (22.7R2.5) and has announced patches for Policy Secure and Neurons for ZTA gateways; customers are urged to apply them as soon as they are available. Organisations should also review system logs for indicators of compromise (IOCs) and consider additional security measures, such as network segmentation and enhanced monitoring, to detect and prevent unauthorised access. Further recommendations are described in the Recommendations section.

Given the active exploitation of CVE-2025-0282 in particular, it is crucial for organisations using Ivanti Connect Secure VPN appliances to prioritise patching and review their security posture to mitigate potential risks associated with this vulnerability.

Threat Intelligence assessment

Analysis indicates that the threat actor behind the exploitation of CVE-2025-0282 demonstrates a sophisticated understanding of Ivanti Connect Secure appliances. The observed campaign aligns with a methodical approach, suggesting that initial tests were likely conducted in a controlled, external environment before targeting victim networks. This approach points to a deliberate, targeted attack strategy rather than indiscriminate exploitation.

Mandiant has attributed some of the exploitation activity to a subgroup of the UNC5221 threat cluster, a suspected China-nexus espionage actor. This subgroup is believed to have begun zero-day exploitation of CVE-2025-0282 as early as mid-December 2024. While UNC5221 has been identified as the primary actor, public disclosure of the vulnerability increases the likelihood of exploitation by other, opportunistic threat actors. Defenders should therefore anticipate broader exploitation in the near future.

Threat actors have been observed deploying multiple malware families that together provide persistent access, capture credentials, and preserve footholds across appliance upgrades. These include:

  • SPAWN: A modular ecosystem consisting of:
    • SPAWNANT: An installer that deploys the other SPAWN components and is designed to survive system upgrades
    • SPAWNMOLE: A tunnelling tool that proxies attacker traffic through the appliance's web server to evade network defences
    • SPAWNSNAIL: An SSH backdoor providing persistent remote access
  • DRYHOOK: A credential harvester that modifies the appliance's authentication component to capture usernames and passwords at login
  • PHASEJAM: A dropper that deploys web shells and tampers with the upgrade process so that legitimate upgrades appear to succeed without actually being applied

UNC5221 has been observed exploiting Ivanti Connect Secure appliances across a range of industries and geographies. While initial targeting appears selective, the tactics, techniques and procedures (TTPs) employed are highly likely to be adopted by other actors as more technical details of the vulnerability and proof-of-concept (PoC) exploits emerge. Organisations should anticipate:

  • Opportunistic exploitation once technical details emerge, including credential harvesting from compromised appliances
  • Deployment of web shells to maintain access and enable follow-on attacks
  • The public release and use of PoC exploits (for CVE-2025-0282 in particular)

Affected systems

The following versions are vulnerable to CVE-2025-0282 (Critical):

  • Ivanti Connect Secure 22.7R2 through 22.7R2.4 (fixed in 22.7R2.5)
  • Ivanti Policy Secure 22.7R1 through 22.7R1.2 (Patch planned 21st of January)
  • Ivanti Neurons for ZTA Gateways 22.7R2 through 22.7R2.3 (Patch planned 21st of January)

The following versions are vulnerable to CVE-2025-0283 (High):

  • Ivanti Connect Secure 22.7R2.4 and prior, 9.1R18.9 and prior
  • Ivanti Policy Secure 22.7R1.2 and prior (Patch planned 21st of January)
  • Ivanti Neurons for ZTA Gateways 22.7R2.3 and prior (Patch planned 21st of January)

Recommendations

mnemonic recommends the following activities:

  • Run Ivanti's external Integrity Checker Tool (ICT). The external ICT is preferred over the appliance's built-in scan, since tooling that runs on a compromised device can have its results tampered with.
  • Perform threat hunting and indicator sweeping on known indicators, such as those documented by Mandiant and on VirusTotal
  • If signs of compromise are found, perform a factory reset on the appliance to ensure that any malware is wiped, then update to version 22.7R2.5 before returning the appliance to production.
    • Collect a memory image before rebooting or wiping the Ivanti device if you intend to perform memory forensics; both steps destroy volatile evidence.
  • Monitor exposed appliance services, in particular the authentication and identity management services.

Note that Ivanti also recommends performing a factory reset before installing the update as a precautionary measure, even where the ICT shows no signs of compromise.
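The indicator sweeping recommended above, as an added example that is not part of mnemonic's or Ivanti's tooling: a small Python script that normalises a defanged indicator list (IP addresses, SHA256 hashes, request paths) and sweeps log lines against it, reporting each match with its line number. Everything in it is constructed for illustration: the indicators are hypothetical placeholders and not published IOCs for CVE-2025-0282, and the log lines use a generic syslog-style layout rather than the appliance's own format.

```python
import re
from dataclasses import dataclass

# Constructed, hypothetical indicators for illustration only; they are NOT
# published IOCs for CVE-2025-0282. Real feeds are often defanged, so the
# sweep refangs them before matching.
HYPOTHETICAL_INDICATORS = {
    "ip": ["203.0.113[.]7", "198.51.100.23"],
    "sha256": ["0123456789ABCDEF" * 4],      # placeholder hash, mixed case on purpose
    "path": ["/dana-na/auth/example.cgi"],   # hypothetical web shell path
}

# Constructed, generic syslog-style lines standing in for appliance logs.
SAMPLE_LOG = [
    "2025-01-09T10:01:02Z web: GET /dana-na/auth/url_default/welcome.cgi from 192.0.2.10",
    "2025-01-09T10:01:05Z web: POST /dana-na/auth/example.cgi from 203.0.113.7",
    "2025-01-09T10:02:11Z ict: unexpected file /tmp/x sha256="
    + "0123456789abcdef" * 4,
    "2025-01-09T10:03:00Z auth: login admin from 198.51.100.23 result=ok",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str
    indicator: str
    line: str


def refang(ioc: str) -> str:
    """Undo common defanging so feed entries compare equal to raw log text."""
    return (
        ioc.replace("[.]", ".")
        .replace("(.)", ".")
        .replace("hxxps://", "https://")
        .replace("hxxp://", "http://")
    )


def normalise(indicators: dict) -> dict:
    """Refang every indicator; hashes are also lower-cased so matching is case-insensitive."""
    out = {}
    for kind, values in indicators.items():
        cleaned = {refang(v.strip()) for v in values}
        out[kind] = {v.lower() for v in cleaned} if kind == "sha256" else cleaned
    return out


def sweep(lines, indicators) -> list:
    """Return every (line, indicator) match as a Hit, in log order."""
    ind = normalise(indicators)
    hits = []
    for n, line in enumerate(lines, start=1):
        # Extract candidate tokens with regexes rather than substring-matching
        # IPs, so 10.0.0.1 does not match a line that contains 10.0.0.10.
        for ip in IP_RE.findall(line):
            if ip in ind.get("ip", set()):
                hits.append(Hit(n, "ip", ip, line))
        for h in SHA256_RE.findall(line):
            if h.lower() in ind.get("sha256", set()):
                hits.append(Hit(n, "sha256", h.lower(), line))
        # Paths are matched as substrings: a web shell is typically requested
        # with query strings or extra segments appended to the known path.
        for p in ind.get("path", set()):
            if p in line:
                hits.append(Hit(n, "path", p, line))
    return hits


def run_sample() -> list:
    """Sweep the constructed sample log against the hypothetical indicator set."""
    return sweep(SAMPLE_LOG, HYPOTHETICAL_INDICATORS)


if __name__ == "__main__":
    for hit in run_sample():
        print(f"line {hit.line_no}: {hit.kind} {hit.indicator} -> {hit.line}")
```

Feed the script the real indicator list and exported appliance logs in place of the constructed values; the token-based matching for IPs and hashes is what keeps a sweep over a large log from drowning in partial-match noise.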

Detection coverage for Argus Managed Detection & Response (MDR) customers

mnemonic is actively implementing detection logic for the exploitation chain and the known IOCs, and will extend it as further vulnerability details become available. mnemonic is also performing retrospective hunting for known IOCs and campaign TTPs in our customers' telemetry.