Threats, exploitation, and mitigation of Ivanti’s two critical actively exploited vulnerabilities—CVE-2025-0282 and CVE-2025-0283—affecting its Connect Secure, Policy Secure, and Neurons for ZTA Gateways.
Overview
On January 8, 2025, Ivanti disclosed two critical vulnerabilities—CVE-2025-0282 and CVE-2025-0283—affecting its Connect Secure, Policy Secure, and Neurons for ZTA Gateways. These vulnerabilities expose enterprises to unauthenticated remote code execution (RCE) and privilege escalation risks. While Ivanti has released patches to address these issues, threat actor exploitation, particularly of CVE-2025-0282, has prompted a global response.
This blog aims to provide detailed insights into these vulnerabilities and their exploitation, offering valuable guidance for mitigating risks.
A Closer Look at CVE-2025-0282 and CVE-2025-0283
CVE-2025-0282: Remote Code Execution
- Type: Stack-based Buffer Overflow
- Severity: Critical (CVSS Score: 9.0)
- Impact: Enables unauthenticated attackers to execute arbitrary code remotely via the Ivanti Connect Secure appliance.
- Affected Versions:
- Ivanti Connect Secure: Versions prior to 22.7R2.5.
- Ivanti Policy Secure: Versions prior to 22.7R1.2.
- Ivanti Neurons for ZTA Gateways: Versions prior to 22.7R2.3.
This vulnerability is actively being exploited, primarily against Ivanti Connect Secure appliances exposed to the internet. Threat actors use it to achieve remote code execution, enabling deep infiltration into enterprise environments.
Exploitation Process
Threat actors have demonstrated sophisticated exploitation techniques, as observed by Mandiant. The process often includes:
- Identifying the Target Version: Repeated requests to the vulnerable appliance help attackers determine the firmware version.
- Disabling Security Mechanisms: Threat actors disable SELinux and block syslog forwarding to evade detection.
- Writing and Executing Malicious Scripts: Base64-encoded scripts are written to temporary directories and executed to deploy malware.
- Deploying Web Shells: These enable attackers to maintain remote access.
- Erasing Logs: Tools like sed are used to remove traces of exploitation from debug and application logs.
CVE-2025-0283: Privilege Escalation
- Type: Stack-based Buffer Overflow
- Severity: High (CVSS Score: 7.0)
- Impact: Allows local authenticated attackers to escalate privileges.
- Affected Versions: The same versions as CVE-2025-0282.
While CVE-2025-0283 has not been actively exploited, its potential to be chained with other vulnerabilities poses significant risks.
Mitigation
Ivanti released a patch for Connect Secure on January 8, and updates for Policy Secure and ZTA Gateways are slated for January 21.
Malware Deployment and Persistence
Initial attacks leveraged the vulnerability for remote code execution and to drop obfuscated webshell payloads onto compromised systems, according to Mandiant. These webshells enable persistent access and lateral movement within targeted networks.
Key IoCs Identified
- Webshell Samples:
- SHA256: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668
- Decoded functionality allowed attackers to execute system commands remotely.
- Attack Vectors:
- Exploitation originated from anonymous VPN services and known malicious IP addresses.
- Common suspicious usernames: SUPPORT87, SUPPOR817, and VPN.
- Post-Exploitation Activities:
- Unauthorized security policy modifications, including opening access from WAN to LAN.
- Deletion of forensic evidence to obscure attack traces.
- Geographic Patterns:
- Concentrated attack origin in Europe, leveraging proxied IP addresses.
Key Threat Actor Activities
Mandiant has linked the exploitation campaign to China-affiliated groups, specifically UNC5337 and UNC5221, using malware families like SPAWN and PHASEJAM.
Here’s how these tools are weaponized:
- SPAWN Family Components:
- SPAWNMOLE: A tunneler that hijacks network connections to establish communication with command-and-control (C2) servers.
- SPAWNSNAIL: An SSH backdoor enabling persistent access.
- SPAWNSLOTH: A log-tampering utility that obfuscates traces of malicious activity.
- PHASEJAM:
- Inserts malicious web shells into Ivanti appliance files like getComponent.cgi.
- Blocks legitimate system upgrades by modifying upgrade scripts.
Anti-Forensics Techniques
Threat actors erase critical logs, such as:
- Kernel messages (dmesg).
- State dumps and core dumps from crashes.
- SELinux audit logs.
These actions complicate incident response and forensic investigations.
CISA, ACSC, and NCSC have classified CVE-2025-0282 as a critical vulnerability, emphasizing its inclusion in the Known Exploited Vulnerabilities (KEV) catalog. Their advisories stress that edge devices like VPNs are prime targets for attackers and require immediate patching.
Detection and Mitigation
Detection
Ivanti said, “Threat actor activity was identified by the Integrity Checker Tool (ICT) on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix.”
Organizations are advised to use Ivanti’s Integrity Checker Tool (ICT) to identify signs of compromise. However, ICT alone may not detect all malicious activity, especially if attackers have erased traces. Combining ICT results with endpoint detection and response (EDR) tools is crucial.
Mitigation
- Patch Systems:
- Update to Ivanti’s patched firmware versions:
- Connect Secure: 22.7R2.5
- Policy Secure and ZTA Gateways: 22.7R2.5 (available by January 21, 2025)
- Update to Ivanti’s patched firmware versions:
- Reset Credentials:
- Change all passwords for admin and user accounts, including VPN pre-shared keys.
- Reconfigure Security Policies:
- Remove unauthorized rules allowing broad access.
- Monitor Network Activity:
- Continuously monitor logs for unusual behavior or unauthorized access.
- Enforce Network Segmentation:
- Restrict management interfaces to trusted internal IP addresses only.
Key Agency Recommendations
- CISA: Advocates for enhanced monitoring of ICS appliances and swift adoption of fixes.
- ACSC: Warns against delayed patching, highlighting the potential for mass exploitation.
- NCSC: Stresses the importance of layered defenses and regular security assessments.
Best Practices for Enhanced Security
Cyble emphasizes the importance of adopting a proactive security strategy. Key recommendations include:
- Two-Factor Authentication (2FA): Enforce 2FA for all accounts to reduce the risk of unauthorized access.
- Log Monitoring: Use SIEM solutions to track anomalies in real time.
- Incident Response: Maintain a tested and updated incident response plan to mitigate the impact of breaches.
- Limit External Exposure: Disable internet-facing management interfaces wherever possible.
References:
https://www.cisa.gov/news-events/alerts/2025/01/08/cisa-adds-one-vulnerability-kev-catalog
https://www.ncsc.gov.uk/news/active-exploitation-ivanti-vulnerability
