Ivanti Zero-Day Vulnerabilities: How to defend against CVE-2025-0282 and CVE-2025-0283

Ivanti has disclosed two significant flaws in its Connect Secure, Policy Secure and ZTA gateway products. One of them has been exploited in the wild since mid-December 2024. Here is what the flaws are and how to reduce your exposure.

On January 8, 2025, Ivanti, a Utah-based IT software company, published an advisory for two stack-based buffer overflow vulnerabilities, CVE-2025-0282 and CVE-2025-0283, affecting its Connect Secure, Policy Secure and Neurons for ZTA Gateways products. CVE-2025-0282 has since been confirmed as exploited in the wild, with intrusions dating back to mid-December 2024. It is the latest in a series of exploited flaws in Ivanti's products.

The Vulnerabilities

Both flaws are stack-based buffer overflows and both affect Ivanti Connect Secure, Policy Secure and ZTA Gateways, but they differ in severity, attack vector and exploitation status.

CVE-2025-0282

CVE-2025-0282 is rated critical, with a CVSS v3 score of 9.0. It allows an unauthenticated remote attacker to execute arbitrary code on the appliance. Because it requires neither credentials nor user interaction, and the appliance is by design reachable from the internet, it is an attractive target. The exploit is version-specific, so attackers first fingerprint the appliance's software version before attempting it. The flaw is under active exploitation, which makes patching urgent.

The following versions have been affected:

  • Ivanti Connect Secure: 22.7R2 through 22.7R2.4
  • Ivanti Policy Secure: 22.7R1 through 22.7R1.2
  • Ivanti Neurons for ZTA Gateways: 22.7R2 through 22.7R2.3

CVE-2025-0283

CVE-2025-0283 is rated high, with a CVSS v3 score of 7.0. It is also a stack-based buffer overflow, but it is a local vulnerability: an attacker who already holds authenticated local access can use it to escalate privileges on the appliance. It poses a less immediate risk than CVE-2025-0282, but it matters wherever an attacker can obtain a foothold on the appliance, for example through a separate weakness. At the time of writing there is no indication that it is being exploited.

The following versions have been affected:

  • Ivanti Connect Secure: 9.1R18.9 and prior, and 22.7R2.4 and prior
  • Ivanti Policy Secure: 22.7R1.2 and prior
  • Ivanti Neurons for ZTA Gateways: 22.7R2.3 and prior
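The two affected-version lists above are easy to misread: a Connect Secure appliance on 22.7R1 is outside the CVE-2025-0282 range but inside the CVE-2025-0283 range, and a bare "22.7R2" sorts below "22.7R2.1". The following C program is an added example, not Ivanti's or Skybox's code. It parses Ivanti's "MAJOR.MINOR R RELEASE[.PATCH]" release strings, classifies a version against both ranges exactly as listed on this page, and names the fixed release given in the Current Solutions section. The product enum, the function names, the treatment of the 9.x branch as bounded by 9.1R18.9, and the inventory lines in main are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Parsed form of an Ivanti release string "MAJOR.MINOR'R'REL[.PATCH]":
 * "22.7R2.4" -> {22,7,2,4}, "22.7R2" -> {22,7,2,0}, "9.1R18.9" -> {9,1,18,9}. */
typedef struct { int major, minor, release, patch; } ivanti_ver;

/* Product identifiers are an assumption made for this example. */
typedef enum { ICS = 0, IPS = 1, ZTA = 2 } product;

#define CVE_2025_0282 1   /* bit 0: unauthenticated remote code execution */
#define CVE_2025_0283 2   /* bit 1: local privilege escalation */

/* Returns 0 on success, -1 if the string is not a well-formed release string. */
static int parse_ver(const char *s, ivanti_ver *v) {
    int n = 0;
    v->patch = 0;
    if (sscanf(s, "%d.%dR%d%n", &v->major, &v->minor, &v->release, &n) != 3)
        return -1;
    s += n;
    if (*s == '\0') return 0;                   /* e.g. "22.7R2" */
    if (*s != '.') return -1;
    if (sscanf(s + 1, "%d%n", &v->patch, &n) != 1) return -1;
    return s[1 + n] == '\0' ? 0 : -1;           /* reject trailing junk */
}

/* Lexicographic compare on (major, minor, release, patch): <0, 0 or >0. */
static int cmp_ver(ivanti_ver a, ivanti_ver b) {
    if (a.major   != b.major)   return a.major   < b.major   ? -1 : 1;
    if (a.minor   != b.minor)   return a.minor   < b.minor   ? -1 : 1;
    if (a.release != b.release) return a.release < b.release ? -1 : 1;
    if (a.patch   != b.patch)   return a.patch   < b.patch   ? -1 : 1;
    return 0;
}

/* Inclusive range test; lo/hi are literals taken from the lists above. */
static int in_range(ivanti_ver v, const char *lo, const char *hi) {
    ivanti_ver l, h;
    parse_ver(lo, &l);
    parse_ver(hi, &h);
    return cmp_ver(v, l) >= 0 && cmp_ver(v, h) <= 0;
}

/* Classifies a version against the advisory ranges.
 * Returns a bitmask of CVE_2025_0282 | CVE_2025_0283, or -1 on a malformed version. */
int affected_by(product p, const char *version) {
    ivanti_ver v;
    int flags = 0;
    if (parse_ver(version, &v) != 0) return -1;
    switch (p) {
    case ICS:
        if (in_range(v, "22.7R2", "22.7R2.4")) flags |= CVE_2025_0282;
        /* "9.1R18.9 and prior, and 22.7R2.4 and prior": assumption that the
         * 9.x line is bounded by 9.1R18.9 and every later line by 22.7R2.4. */
        if (in_range(v, "0.0R0", v.major < 22 ? "9.1R18.9" : "22.7R2.4"))
            flags |= CVE_2025_0283;
        break;
    case IPS:
        if (in_range(v, "22.7R1", "22.7R1.2")) flags |= CVE_2025_0282;
        if (in_range(v, "0.0R0", "22.7R1.2"))  flags |= CVE_2025_0283;
        break;
    case ZTA:
        if (in_range(v, "22.7R2", "22.7R2.3")) flags |= CVE_2025_0282;
        if (in_range(v, "0.0R0", "22.7R2.3"))  flags |= CVE_2025_0283;
        break;
    }
    return flags;
}

/* Fixed releases named in the Current Solutions section of this page. */
const char *fixed_version(product p) {
    static const char *const fix[] = { "22.7R2.5", "22.7R1.3", "22.8R2" };
    return fix[p];
}

int main(void) {
    /* Constructed inventory for the example, not real hosts. */
    static const struct { const char *host; product p; const char *ver; } inv[] = {
        { "vpn-edge-1", ICS, "22.7R2.4" },
        { "vpn-edge-2", ICS, "9.1R18.9" },
        { "nac-1",      IPS, "22.7R1.3" },
        { "zta-gw-1",   ZTA, "22.7R2.3" },
    };
    static const char *const names[] = { "Connect Secure", "Policy Secure", "ZTA Gateways" };
    for (size_t i = 0; i < sizeof inv / sizeof inv[0]; i++) {
        int f = affected_by(inv[i].p, inv[i].ver);
        printf("%-11s %-15s %-9s ", inv[i].host, names[inv[i].p], inv[i].ver);
        if (f < 0)       printf("unparseable version\n");
        else if (f == 0) printf("not affected\n");
        else printf("affected by%s%s -> upgrade to %s\n",
                    f & CVE_2025_0282 ? " CVE-2025-0282" : "",
                    f & CVE_2025_0283 ? " CVE-2025-0283" : "",
                    fixed_version(inv[i].p));
    }
    return 0;
}
```

The parser deliberately rejects anything it does not fully understand (a trailing "-beta", a missing number) rather than guessing, so an odd entry in an inventory export shows up as "unparseable" and gets a human look instead of being silently classified as safe.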

The Attack

The initial advisory disclosed that one of the two vulnerabilities was already being exploited. Although CVE-2025-0282 affects all three products, exploitation has only been observed against Ivanti Connect Secure appliances. The attack works by sending the appliance crafted input that exceeds a fixed-size stack buffer and overwrites the adjacent stack memory, including control data such as the saved return address, which lets the attacker redirect execution to code of their choosing. Observed intrusions follow a recognisable sequence: reconnaissance to fingerprint the appliance version, exploitation of the overflow, and post-exploitation activity in which the attacker takes full control of the appliance, surveys it, installs malware and pivots into the networks behind it.
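To make the mechanism concrete, here is the bug class in miniature: a fixed-size buffer next to data the program trusts, an unchecked copy that runs past it, and the bounded version of the same copy. This is an added, generic illustration written for this page; it is not Ivanti's code and does not reproduce the actual CVE-2025-0282 bug. The struct layout, function names and the constructed input are assumptions for the example. On a real stack frame the neighbour of the buffer is the saved frame pointer and return address, which is what turns the same overwrite into code execution.

```c
#include <stdio.h>
#include <string.h>

/* A deliberately minimal "frame": a fixed-size request buffer sitting next
 * to a field the rest of the program trusts. `volatile` only stops the
 * compiler from caching the field across the copy so the corruption stays
 * observable; it plays no part in the bug itself. */
struct frame {
    char         buf[16];
    volatile int authenticated;   /* laid out immediately after buf */
};

/* Vulnerable pattern: copy until the terminator, never consult sizeof buf.
 * Input longer than 15 bytes runs off the end of buf into whatever follows. */
int vuln_copy(struct frame *f, const char *input) {
    char *d = f->buf;
    f->authenticated = 0;
    while (*input) *d++ = *input++;
    *d = '\0';
    return f->authenticated;   /* would always be 0 if the copy stayed in bounds */
}

/* Hardened pattern: measure against the buffer size first and refuse input
 * that does not fit, rather than truncating it (silent truncation of request
 * data is its own class of bug). Returns -1 when rejected, 0 otherwise. */
int safe_copy(struct frame *f, const char *input) {
    size_t n;
    f->authenticated = 0;
    for (n = 0; n < sizeof f->buf && input[n] != '\0'; n++)
        ;
    if (n == sizeof f->buf) return -1;   /* no room left for the NUL terminator */
    memcpy(f->buf, input, n + 1);
    return f->authenticated;
}

/* Constructed input: one byte shorter than the whole struct, so the overflow
 * corrupts `authenticated` but never leaves this object. That keeps the demo
 * deterministic; a real exploit keeps going into the caller's frame. */
static void fill_input(char *out, size_t len) {
    memset(out, 'A', len - 1);
    out[len - 1] = '\0';
}

/* Value the "trusted" field holds after the unchecked copy: nonzero. */
int demo_overflow(void) {
    struct frame f;
    char input[sizeof f];
    fill_input(input, sizeof input);
    return vuln_copy(&f, input);
}

/* Same input through the checked copy: rejected (-1), field untouched. */
int demo_hardened(void) {
    struct frame f;
    char input[sizeof f];
    fill_input(input, sizeof input);
    return safe_copy(&f, input);
}

/* Input that fits goes through the checked copy unchanged; returns 1 on success. */
int demo_fits(void) {
    struct frame f;
    return safe_copy(&f, "hello") == 0 && strcmp(f.buf, "hello") == 0;
}

int main(void) {
    printf("unchecked copy: authenticated = 0x%x\n", demo_overflow());
    printf("checked copy:   rc = %d\n", demo_hardened());
    printf("fitting input:  ok = %d\n", demo_fits());
    return 0;
}
```

The point of the hardened version is not the memcpy but the decision taken before it: the length is compared with the destination's size and oversized input is rejected outright, which is the check a remote, unauthenticated code path must make on every byte it accepts.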

Exploitation of CVE-2025-0282, and the availability of a proof of concept (PoC), have been widely reported by cybersecurity firms including Palo Alto Networks and Mandiant. The zero-day has been used to penetrate internal networks, and some of the observed post-exploitation tradecraft resembles that seen in earlier campaigns against older Ivanti vulnerabilities. The number of threat actors exploiting it remains uncertain. Censys counted more than thirty thousand Ivanti Connect Secure instances exposed to the internet, although exposure alone does not mean each was running a vulnerable version. Ivanti has not disclosed how many customers remain vulnerable or have been compromised.

Current Solutions

Alongside the advisory, Ivanti released patches for both vulnerabilities. Apply them as soon as possible. Note that patching closes the vulnerability but does not undo a compromise that has already happened, so on internet-facing appliances the upgrade should be paired with an integrity check.

To look for signs of compromise on Connect Secure, Ivanti recommends running its Integrity Checker Tool (ICT). ICT reports on the appliance's current state only; if an attacker has since cleaned up or restored the device, it may not detect the earlier intrusion. If ICT reports a compromise, Ivanti advises performing a factory reset and reinstalling the appliance on version 22.7R2.5 to remove any malware.

Although exploitation has only been observed against Connect Secure, Policy Secure customers should upgrade to version 22.7R1.3 to remove the risk. Per Ivanti's advisory, Neurons for ZTA Gateways cannot be exploited while in production; a gateway that has been generated but left unconnected to a ZTA controller is, however, at risk, so upgrading to version 22.8R2 is still recommended. Cloud-hosted deployments received an automated update on January 18, 2025.

How can Skybox help?

The Skybox Research Lab added the exploited vulnerability to the Skybox threat intelligence feed the day after Ivanti published the advisory, and marked it as exploited in the wild the same day. The second vulnerability was added to the feed as well.

Skybox customers who have Ivanti Connect Secure, Policy Secure or ZTA Gateways modelled in their network can use the vulnerability discovery features of the Skybox Vulnerability and Threat Management solution to locate the affected devices. The solution reports the number of vulnerability occurrences across the organization and the degree to which each asset is exposed to the relevant attack vector. Where patching cannot happen immediately, Skybox also suggests compensating controls, such as an IPS signature or an interim software update, to reduce exposure until the upgrade is applied.

To help the security team decide how best to respond, Skybox provides a customized risk score and a prioritized list of the most critical threats. These are based on the role of Ivanti Connect Secure, Policy Secure and ZTA Gateways in the organization's network, together with factors such as the CVSS scores of CVE-2025-0282 and CVE-2025-0283.

Skybox's threat intelligence team will continue to monitor developments around these flaws and will update the threat intelligence feed with any information useful to clients making risk management decisions.

Learn how Skybox proactively protects you from vulnerabilities like the ones affecting Ivanti.