Ivanti has published details of two buffer overflow CVEs affecting its Connect Secure, Policy Secure, and ZTA Gateways devices, claiming cyber criminals are already taking advantage of them.
The first flaw, CVE-2025-0282, is described as a stack-based buffer overflow vulnerability that allows remote, unauthenticated attackers to execute code on the victim’s device.
The flaw is yet to receive an NVD assessment by Ivanti ascribed it a 9.0 severity rating on the CVSS.
The second vulnerability, CVE-2025-0283, is also a stack-based buffer overflow which could allow local authenticated attackers to escalate their privileges on the target device.
Deemed less severe than the RCE flaw, CVE-2025-0283 was given a 7.0 (high) rating on the CVSS.
Ivanti’s advisory noted it is aware of a limited number of customers’ Ivanti Connect Secure devices being exploited using CVE-2025-0282, whereas they have no evidence attackers have used it to exploit any Policy Secure devices or ZTA gateways at this time.
A blog post from Mandiant, who worked alongside Ivanti and Microsoft’s Threat Intelligence Center (MSTIC) analyzing the flaw, said threat actors were observed exploiting CVE-2025-0282 in the wild from mid-December 2024.
The post said that when investigating the threats, it observed the deployment of various parts of SPAWN malware family which has been attributed to UNC5337, described as a “China-nexus cluster of espionage activity”.
Mandiant added it suspects the group is part of the larger UNC221 cluster, known for exploiting vulnerabilities in Ivanti VPNs in late 2023 and throughout 2024.
Forget your vulnerability SLAs, act now or risk compromise – expert warns
Firms are advised to run the Ivanti external integrity checker tool (ICT) which provides a real-time snapshot of the current state of your appliance, and Ivanti says it can identify if the device is being exploited using CVE-2025-0282.
Ivanti has released patches for both flaws, but as noted in a Rapid7 blog on the vulnerabilities the CVEs are unpatched in Ivanti Policy Secure and ZTA gateways, and are expected to come by 21 January 2025.
Benjamin Harris, CEO at attack surface management specialist watchTowr, said enterprises should be on high alert, noting the resemblance between this incident and campaigns exploiting Ivanti products observed in early 2024.
“Our concern is significant as this has all the hallmarks of APT usage of a zero-day against a mission-critical appliance. It also resembles the behavior and drama circulating Ivanti products that we as an industry saw in January 2024, and we can only hope that Ivanti has learned from that experience with regard to actioning an effective response.”
Harris pointed to the lack of a fix for Policy Secure or ZTA gateways, urging businesses to take any vulnerable devices offline for the moment to stay protected.
“Ivanti Connect Secure users have a patch available, but once again - patches for other affected appliances like Ivanti’s Policy Secure and Neurons for ZTA gateways are left waiting 3 weeks for a patch. Users of these products should not hesitate - these appliances should be pulled offline until patches are available,” he advised.
“watchTowr client or not - we urge everyone to please take this seriously. Throw your vulnerability SLAs into the proverbial wind in situations like this, they are no longer relevant and the difference between a rapid response, and a response in hours, could be the difference between your organization calling your cyber insurer or not.”
ITPro received the following statement from Ivanti.
"Ivanti identified the compromise based on indications from the Integrity Checker Tool (“ICT”), and worked rapidly to identify the vulnerabilities and release a fix to customers within weeks for Ivanti Connect Secure, which is the only product where limited exploitation was observed."
"Patches for Ivanti Policy Secure and Ivanti Neurons ZTA Gateways, which have a significantly reduced risk of exploitation due to deployment practices, are scheduled for release on January 21, 2025. Ivanti confirmed that no exploitation of these products has been observed to date and has provided guidance to customers which reduces exploitation risk to near-zero."
