Ivanti, a prominent provider of IT software, has issued a warning about active exploitation of a critical vulnerability, CVE-2025-0282, a stack-based buffer overflow in its widely used Connect Secure, Policy Secure, and ZTA Gateways products.
The flaw allows unauthenticated remote code execution and has already been exploited in the wild, putting organizations at risk of data breaches and operational disruption. Alongside CVE-2025-0282, Ivanti disclosed a related flaw, CVE-2025-0283, which lets a local authenticated attacker escalate privileges; no exploitation of it has been observed so far.
The flaws have significant implications for Ivanti customers across both government and private sectors, because these appliances sit at the network edge and serve as access points into corporate and agency networks.
Exploitation has been observed since mid-December 2024, with a suspected China-linked threat actor leveraging CVE-2025-0282 to deploy malware including the SPAWN ecosystem and the PHASEJAM dropper.
The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2025-0282 to its Known Exploited Vulnerabilities catalog, urging federal agencies and other organizations to patch affected systems immediately. Ivanti has released a patch for Connect Secure; fixes for Policy Secure and ZTA Gateways are scheduled for January 21, 2025.
Why It Matters: The Ivanti vulnerabilities highlight the growing risk posed by attacks on edge VPN appliances, which serve as gateways to some of the most sensitive networks in government and private organizations. The intrusions not only gave attackers initial access and a foothold for malware, but the post-exploitation activity also showed deliberate anti-forensics such as log manipulation and persistence designed to survive remediation. With Ivanti's products deeply embedded in critical infrastructure, the potential for disruption and data breaches requires immediate attention from customers.
- Vulnerabilities and Exploitation: CVE-2025-0282 enables unauthenticated remote code execution, while CVE-2025-0283 allows a local authenticated attacker to escalate privileges. Exploitation of CVE-2025-0282 has been observed in active attacks since mid-December 2024, with evidence pointing to a China-linked threat actor.
- Impact on Products and Customers: Ivanti's Connect Secure, Policy Secure, and ZTA Gateways are affected, with exploitation so far observed only against Connect Secure. A patch for Connect Secure is available; fixes for Policy Secure and ZTA Gateways are expected by January 21, 2025.
- Advanced Attack Techniques: The attackers deployed SPAWN, PHASEJAM, and DRYHOOK malware. On compromised appliances they temporarily disabled SELinux and remounted the filesystem read-write, removed entries from system logs, then re-enabled SELinux and restored the read-only mount; PHASEJAM blocks legitimate system upgrades while displaying a fake upgrade progress. These actions reflect coordinated and persistent threat actor activity aimed at both staying hidden and surviving remediation.
- Response and Mitigation: Ivanti's Integrity Checker Tool (ICT) helps customers detect compromise, and Ivanti recommends running the external version of the tool rather than relying only on the on-appliance scan. Customers should upgrade Connect Secure now, factory reset any appliance that shows signs of compromise (or, as a precaution, before putting the patched release into production), and keep Policy Secure off the internet, since it is not intended to be internet-facing. Because the ICT is a point-in-time check run against an appliance the attacker may already control, a clean result is necessary but not sufficient; it should be paired with a review of logs forwarded off the device.
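The log-tampering pattern described above (SELinux turned off, log entries removed, SELinux turned back on) is easier to catch from command or audit records forwarded off the appliance than from the appliance's own logs, which are what the attacker edits. The following is an added illustration, not Ivanti's ICT and not code from the advisory or from the incident reports: it walks a constructed command-audit feed and flags, per host, any SELinux-disable window in which a log file was edited. The record format, host names and sample commands are assumptions built for the example; a real appliance exposes shell history and audit data differently.

```python
"""Flag SELinux-off / log-edit / SELinux-on sequences in a command audit feed.

Added example for illustration only: not the Ivanti ICT, not code from the
advisory. The log line format, host names and commands below are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed audit feed in an assumed "ts host= uid= cmd=" format.
SAMPLE_AUDIT = """\
2024-12-19T03:12:01Z host=vpn-gw1 uid=0 cmd="setenforce 0"
2024-12-19T03:12:03Z host=vpn-gw1 uid=0 cmd="mount -o remount,rw /"
2024-12-19T03:12:09Z host=vpn-gw1 uid=0 cmd="sed -i '/203.0.113.7/d' /var/log/messages"
2024-12-19T03:12:11Z host=vpn-gw1 uid=0 cmd="mount -o remount,ro /"
2024-12-19T03:12:12Z host=vpn-gw1 uid=0 cmd="setenforce 1"
2024-12-19T08:00:00Z host=vpn-gw2 uid=0 cmd="setenforce 0"
2024-12-19T08:30:00Z host=vpn-gw2 uid=0 cmd="ls /tmp"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) uid=(?P<uid>\d+) cmd="(?P<cmd>.*)"$')
# In-place edits, deletions or truncations of anything under /var/log/.
LOG_EDIT_RE = re.compile(r"(?:^(?:sed\s+-i|truncate|rm|shred)\b.*|>\s*)/var/log/\S+")
SELINUX_OFF = {"setenforce 0", "setenforce Permissive"}
SELINUX_ON = {"setenforce 1", "setenforce Enforcing"}


def parse(text):
    """Return (timestamp, host, uid, command) tuples for well-formed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], int(m["uid"]), m["cmd"]))
    return events


def _finding(host, state, reenabled):
    return {
        "host": host,
        "start": state["start"].isoformat(),
        "selinux_reenabled": reenabled,
        "log_edits": list(state["log_edits"]),
        "commands": list(state["cmds"]),
    }


def find_tamper_sequences(events, window=timedelta(minutes=10)):
    """One finding per host for each SELinux-disable window containing a log edit.

    A window closes on 'setenforce 1' or when `window` elapses; a window with
    no log edit is not reported, since SELinux is also disabled legitimately.
    """
    findings = []
    open_by_host = {}  # host -> {"start", "cmds", "log_edits"}
    for ts, host, uid, cmd in sorted(events):
        state = open_by_host.get(host)
        if state and ts - state["start"] > window:
            if state["log_edits"]:  # window expired without re-enable
                findings.append(_finding(host, state, reenabled=False))
            open_by_host.pop(host)
            state = None
        if cmd.strip() in SELINUX_OFF:
            open_by_host[host] = {"start": ts, "cmds": [cmd], "log_edits": []}
            continue
        if state is None:
            continue
        state["cmds"].append(cmd)
        if LOG_EDIT_RE.search(cmd):
            state["log_edits"].append(cmd)
        if cmd.strip() in SELINUX_ON:
            if state["log_edits"]:
                findings.append(_finding(host, state, reenabled=True))
            open_by_host.pop(host)
    for host, state in open_by_host.items():  # windows still open at end of feed
        if state["log_edits"]:
            findings.append(_finding(host, state, reenabled=False))
    return findings


if __name__ == "__main__":
    for f in find_tamper_sequences(parse(SAMPLE_AUDIT)):
        print(f"{f['host']} {f['start']} log edits: {f['log_edits']}")
```

On the constructed feed this reports one sequence on vpn-gw1 (SELinux off, remount, `sed -i` against /var/log/messages, remount, SELinux on) and nothing for vpn-gw2, where SELinux was disabled without any log edit. The detection only works if the audit source is outside the attacker's reach; the same actor who runs `sed` against /var/log on the appliance can remove these lines too, which is why the commands must be forwarded off the device before they can be trusted as evidence.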
Go Deeper -> Ivanti Warns Hackers are Exploiting New Vulnerability – The Record
Hackers are Exploiting a New Ivanti VPN Security Bug to Hack into Company Networks – TechCrunch