Patch Warning: Critical Ivanti Connect Secure Zero-day Exploited
Ivanti has released patches for two Connect Secure vulnerabilities, including a critical zero-day remote code execution vulnerability that is being actively exploited in the wild to install malware. The first instances of exploitation are believed to have occurred in mid-December. The vulnerability was identified by Ivanti after the Ivanti Integrity Checker Tool (ICT) revealed the presence of malware on users’ appliances. The malware was installed after a threat actor exploited a previously unknown remote code execution flaw, which is being tracked as CVE-2025-0282 and has a CVSS severity score of 9.0.
The critical stack buffer overflow flaw affects all Ivanti Connect Secure (Pulse Secure) VPN appliances running versions 22.7R2 through 22.7R2.5, Ivanti Policy Secure versions 22.7R1 through 22.7R1.2, and Ivanti Neurons for ZTA Gateways versions 22.7R2 through 22.7R2.3, although to date, the flaw only appears to have been exploited to compromise Ivanti Connect Secure appliances.
A second stack buffer overflow flaw has also been patched, although it is not currently being exploited. The high severity flaw is tracked as CVE-2025-0283 and has a CVSS severity score of 7.0. The vulnerability affects Ivanti Connect Secure 22.7R2.4 and prior versions and 9.1R18.9 and prior versions, Ivanti Policy Secure 22.7R1.2 and prior versions, and Ivanti Neurons for ZTA Gateways 22.7R2.3 and prior versions.
Ivanti has released a patch to fix both flaws on its Connect Secure appliances, and customers are advised to update their appliances to firmware version 22.7R2.5 as soon as possible to prevent exploitation. Internal and external ICT scans should be conducted prior to upgrading to the latest version. If signs of compromise are detected, a factory reset should be performed before upgrading to the patched version, which should remove any malware; however, even if the scans are clean, a factory reset should be performed prior to upgrading as a precaution.
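A version-range check for the affected builds listed above, added here as an example and not Ivanti's own tooling: it parses Ivanti's "22.7R2.5" / "9.1R18.9" build strings and reports which of the two CVEs a given product build falls under. The product labels are assumed names, and the CVE-2025-0282 range for Connect Secure is taken to end at 22.7R2.4 on the strength of the article naming 22.7R2.5 as the patched build.

```python
"""Check appliance builds against the version ranges this article gives for
CVE-2025-0282 and CVE-2025-0283 (added example, not Ivanti tooling)."""
import re

# Ivanti builds read "22.7R2.5" or "9.1R18.9": major.minor R release[.patch]
_VER = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """'22.7R2' -> (22, 7, 2, 0); '9.1R18.9' -> (9, 1, 18, 9)."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, rel, patch = m.groups()
    return int(major), int(minor), int(rel), int(patch or 0)


# (low, high) inclusive ranges per product as the article lists them; a low of
# None means "high and prior" within that x.y train. Assumption: the 0282 range
# for Connect Secure ends at 22.7R2.4, since 22.7R2.5 is named as the fix.
AFFECTED = {
    "CVE-2025-0282": {
        "Connect Secure": [("22.7R2", "22.7R2.4")],
        "Policy Secure": [("22.7R1", "22.7R1.2")],
        "ZTA Gateways": [("22.7R2", "22.7R2.3")],
    },
    "CVE-2025-0283": {
        "Connect Secure": [(None, "22.7R2.4"), (None, "9.1R18.9")],
        "Policy Secure": [(None, "22.7R1.2")],
        "ZTA Gateways": [(None, "22.7R2.3")],
    },
}


def _in_range(v, low, high):
    hi = parse_version(high)
    if v[:2] != hi[:2]:  # 9.1 and 22.7 are separate trains; compare within one
        return False
    if low is not None and v < parse_version(low):
        return False
    return v <= hi


def affected_cves(product, version):
    """Return the CVE ids whose listed ranges contain this product build."""
    v = parse_version(version)
    return [cve for cve, ranges in AFFECTED.items()
            if any(_in_range(v, lo, hi) for lo, hi in ranges.get(product, []))]
```

Run it over an inventory export to separate builds that are already on the patched release from those that still need the ICT scan, factory reset and upgrade described above.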
Patches are planned for release on January 21, 2025, to fix the vulnerabilities on Ivanti Policy Secure and Ivanti Neurons for ZTA Gateways (v 22.7R2.5). Since Ivanti Policy Secure should not be Internet facing, the risk of exploitation of the vulnerability is much lower, and the vulnerability cannot be exploited on Ivanti Neurons for ZTA Gateways when in production; however, Ivanti has warned that if a gateway for the solution is generated and left unconnected to a ZTA controller, the flaw could be exploited on the generated gateway.
Mandiant has been working with Ivanti on response and recovery and said some of the malware installed on appliances has previously been used by a China-nexus threat group it tracks as UNC5337, but says multiple threat actors may be using the malware. Mandiant reports that after exploiting the flaw and installing malware, the threat actor moves laterally within victims’ environments and performs log entry removal, network tunneling, and credential harvesting. In some cases, the threat actor has tricked administrators into thinking they have successfully upgraded their system by displaying a fake upgrade progress bar after using malware to block legitimate system upgrades.