Ivanti has published details of two buffer overflow CVEs affecting its Connect Secure, Policy Secure, and ZTA Gateways devices, claiming cyber criminals are already taking advantage of them.
The first flaw, CVE-2025-0282, is described as a stack-based buffer overflow vulnerability that allows remote, unauthenticated attackers to execute code on the victim’s device.
The flaw is yet to receive an NVD assessment by Ivanti ascribed it a 9.0 severity rating on the CVSS.
The second vulnerability, CVE-2025-0283, is also a stack-based buffer overflow which could allow local authenticated attackers to escalate their privileges on the target device.
Deemed less severe than the RCE flaw, CVE-2025-0283 was given a 7.0 (high) rating on the CVSS.
Ivanti’s advisory noted it is aware of a limited number of customers’ Ivanti Connect Secure devices being exploited using CVE-2025-0282, whereas they have no evidence attackers have used it to exploit any Policy Secure devices or ZTA gateways at this time.
A blog post from Mandiant, who worked alongside Ivanti and Microsoft’s Threat Intelligence Center (MSTIC) analyzing the flaw, said threat actors were observed exploiting CVE-2025-0282 in the wild from mid-December 2024.
The post said that when investigating the threats, it observed the deployment of various parts of SPAWN malware family which has been attributed to UNC5337, described as a “China-nexus cluster of espionage activity”.
Mandiant added it suspects the group is part of the larger UNC221 cluster, known for exploiting vulnerabilities in Ivanti VPNs in late 2023 and throughout 2024.
Forget your vulnerability SLAs, act now or risk compromise – expert warns
Firms are advised to run the Ivanti external integrity checker tool (ICT) which provides a real-time snapshot of the current state of your appliance, and Ivanti says it can identify if the device is being exploited using CVE-2025-0282.
Ivanti has released patches for both flaws, but as noted in a Rapid7 blog on the vulnerabilities the CVEs are unpatched in Ivanti Policy Secure and ZTA gateways, and are expected to come by 21 January 2025.
Benjamin Harris, CEO at attack surface management specialist watchTowr, said enterprises should be on high alert, noting the resemblance between this incident and campaigns exploiting Ivanti products observed in early 2024.
“Our concern is significant as this has all the hallmarks of APT usage of a zero-day against a mission-critical appliance. It also resembles the behavior and drama circulating Ivanti products that we as an industry saw in January 2024, and we can only hope that Ivanti has learned from that experience with regard to actioning an effective response.”
RELATED WHITEPAPER
Harris pointed to the lack of a fix for Policy Secure or ZTA gateways, urging businesses to take any vulnerable devices offline for the moment to stay protected.
“Ivanti Connect Secure users have a patch available, but once again - patches for other affected appliances like Ivanti’s Policy Secure and Neurons for ZTA gateways are left waiting 3 weeks for a patch. Users of these products should not hesitate - these appliances should be pulled offline until patches are available,” he advised.
“watchTowr client or not - we urge everyone to please take this seriously. Throw your vulnerability SLAs into the proverbial wind in situations like this, they are no longer relevant and the difference between a rapid response, and a response in hours, could be the difference between your organization calling your cyber insurer or not.”
ITPro received the following statement from Ivanti.
"Ivanti identified the compromise based on indications from the Integrity Checker Tool (“ICT”), and worked rapidly to identify the vulnerabilities and release a fix to customers within weeks for Ivanti Connect Secure, which is the only product where limited exploitation was observed."
"Patches for Ivanti Policy Secure and Ivanti Neurons ZTA Gateways, which have a significantly reduced risk of exploitation due to deployment practices, are scheduled for release on January 21, 2025. Ivanti confirmed that no exploitation of these products has been observed to date and has provided guidance to customers which reduces exploitation risk to near-zero."
-
M&S suspends online sales as 'cyber incident' continuesNews Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
-
Manners cost nothing, unless you’re using ChatGPTOpinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
-
A new framework for third-party risk in the European Unionwhitepaper Report: DORA and cyber risk
