
Ivanti warns of new Connect Secure flaw used in zero-day attacks


Ivanti is warning that hackers exploited a Connect Secure remote code execution vulnerability tracked as CVE-2025-0282 in zero-day attacks to install malware on appliances.

The company says it became aware of the vulnerabilities after the Ivanti Integrity Checker Tool (ICT) detected malicious activity on customers’ appliances. Ivanti launched an investigation and confirmed that threat actors were actively exploiting CVE-2025-0282 as a zero-day.

CVE-2025-0282 is a critical (9.0) stack-based buffer overflow bug in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 that allows an unauthenticated attacker to remotely execute code on devices.

While the flaw impacts all three products, Ivanti says it has only seen it exploited on Ivanti Connect Secure appliances.

“We are aware of a limited number of customers’ Ivanti Connect Secure appliances which have been exploited by CVE-2025-0282 at the time of disclosure,” reads an Ivanti blog post.

“We are not aware of these CVEs being exploited in Ivanti Policy Secure or Neurons for ZTA gateways.”

Ivanti has rushed out security patches for Ivanti Connect Secure, with the flaws resolved in firmware version 22.7R2.5.

However, patches for Ivanti Policy Secure and Ivanti Neurons for ZTA Gateways will not be ready until January 21, according to a security bulletin published today.

Ivanti Policy Secure: This solution is not intended to be internet facing, which makes the risk of exploitation significantly lower. The fix for Ivanti Policy Secure is planned for release on January 21, 2025, and will be available in the standard download portal. Customers should always ensure that their IPS appliance is configured according to Ivanti recommendations and not expose it to the internet. We are not aware of these CVEs being exploited in Ivanti Policy Secure.

Ivanti Neurons for ZTA Gateways: The Ivanti Neurons ZTA gateways cannot be exploited when in production. If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. The fix is planned for release on January 21, 2025. We are not aware of these CVEs being exploited in ZTA Gateways.
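For triaging an appliance inventory against the fixed versions quoted above, the following is an added example (not code from Ivanti or from the original article). It assumes version strings of the form `<major>.<minor>R<release>[.<patch>]`, applies the article's "before version X" wording as a plain numeric ordering, and uses a constructed inventory with hypothetical host names and status labels.

```python
import re

# Fixed versions for CVE-2025-0282 as stated in the article.
FIXED = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA gateways": "22.7R2.3",
}
# Per the article, only the Connect Secure fix had shipped at disclosure;
# the other two were planned for January 21, 2025.
PATCH_AVAILABLE = {"Ivanti Connect Secure"}

# Assumed format: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """Return (major, minor, release, patch) as ints; a missing patch is 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def triage(product, version):
    """Classify one appliance (status labels are hypothetical)."""
    if product not in FIXED:
        return "unknown-product"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unparsed-version"  # never assume an odd string is safe
    if installed >= parse_version(FIXED[product]):
        return "fixed"
    return "patch-available" if product in PATCH_AVAILABLE else "fix-pending"

# Constructed sample inventory: (host, product, reported version).
INVENTORY = [
    ("vpn-edge-01", "Ivanti Connect Secure", "22.7R2.4"),
    ("vpn-edge-02", "Ivanti Connect Secure", "22.7R2.5"),
    ("nac-01", "Ivanti Policy Secure", "22.7R1.1"),
    ("zta-gw-01", "Ivanti Neurons for ZTA gateways", "22.7R2.3"),
    ("vpn-lab-01", "Ivanti Connect Secure", "22.7r2-beta"),
]

def triage_inventory(rows):
    return {host: triage(product, version) for host, product, version in rows}

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:12} {status}")
```

Comparing parsed integer tuples rather than raw strings matters here: a string comparison would rank a release such as `22.7R10.0` below `22.7R2.5`.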

The company recommends all Ivanti Connect Secure admins perform internal and external ICT scans.

If the scans come up clean, Ivanti still recommends admins perform a factory reset before upgrading to Ivanti Connect Secure 22.7R2.5.

However, if the scans show signs of a compromise, Ivanti says a factory reset should remove any installed malware. The appliance should then be put back into production using version 22.7R2.5.

Today’s security updates also fix a second vulnerability tracked as CVE-2025-0283, which Ivanti says is not currently being exploited or chained with CVE-2025-0282. This flaw allows an authenticated local attacker to escalate their privileges.

As Ivanti is working with Mandiant and the Microsoft Threat Intelligence Center to investigate the attacks, we will likely see reports about the detected malware shortly.

BleepingComputer contacted Ivanti with further questions about the attacks and will update this story if we receive a response.

In October, Ivanti released security updates to fix three Cloud Services Appliance (CSA) zero-days that were actively exploited in attacks.
