Ivanti warns of new Connect Secure vulnerability

Ivanti announced on Wednesday that a new vulnerability, CVE-2025-0282, is being actively exploited by hackers in some customer environments.

The company released information about two bugs affecting several of its products, including Connect Secure, Policy Secure, and ZTA Gateways, which are widely used across government agencies in the U.S. and internationally. Ivanti stated that a patch for Connect Secure is currently available, while patches for Policy Secure and ZTA Gateway are scheduled for release on January 21.

The U.K.’s National Cyber Security Centre also issued an advisory warning of “active exploitation” as it investigates cases affecting UK networks. Customers can check for signs of compromise using Ivanti’s Integrity Checker Tool (ICT) and, if no exploitation is found, upgrade to the latest software version. If exploitation is detected, Ivanti recommends performing a factory reset on the device to eliminate any malware before upgrading.

The company also urged customers to avoid exposing their devices to the internet. The vulnerabilities were initially discovered by cybersecurity firm Mandiant and experts at Microsoft.

“We continue to work closely with affected customers, external security partners, and law enforcement agencies as we respond to this threat,” Ivanti said.

Last April, Ivanti faced significant challenges after nation-state actors breached government agency systems using vulnerabilities in Ivanti products. By September, top cybersecurity watchdogs in the U.S. advised either removing or upgrading certain Ivanti appliances no longer being updated and previously exploited in attacks.

Ivanti discloses critical security flaw

Ivanti is warning that CVE-2025-0282, a critical security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA Gateways, has come under active exploitation in the wild since mid-December 2024. The vulnerability is a stack-based buffer overflow that could lead to unauthenticated remote code execution. Google-owned Mandiant, which investigated attacks exploiting CVE-2025-0282, observed the deployment of the SPAWN ecosystem of malware across several compromised devices.

The use of SPAWN is attributed to a China-nexus threat actor with medium confidence. The attacks also involved the installation of undocumented malware families dubbed DRYHOOK and PHASEJAM. The exploitation of CVE-2025-0282 involves several steps to disable SELinux, prevent syslog forwarding, remount the drive as read-write, execute scripts to drop web shells, use ‘sed’ to remove specific log entries, re-enable SELinux, and remount the drive.
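The anti-forensic sequence described above (SELinux disabled, syslog forwarding cut, root filesystem remounted read-write, log lines removed with `sed`, then everything restored) is a pattern a defender can hunt for in command-audit or shell-history telemetry collected off the appliance. The script below is an added example written for this article; it is not Ivanti’s Integrity Checker Tool and is not derived from Mandiant’s report. The audit-line format, the `/etc/syslog.conf` path, the sample lines and the regular expressions are all constructed assumptions about how such commands would appear, so the patterns should be adapted to whatever telemetry an organization actually has.

```python
"""Hypothetical detector for the SELinux-off / remount / log-edit tamper sequence.

Assumed input format (constructed for this example, not a real appliance log):
    <ISO-8601 UTC timestamp> <user> <command line>
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit lines: one tamper sequence on Dec 20, then a benign
# admin command the next morning. None of this is real appliance output.
SAMPLE_AUDIT = """\
2024-12-20T03:14:05Z root setenforce 0
2024-12-20T03:14:07Z root sed -i '/remote_syslog/d' /etc/syslog.conf
2024-12-20T03:14:09Z root mount -o remount,rw /
2024-12-20T03:14:12Z root sh /tmp/x.sh
2024-12-20T03:14:20Z root sed -i '/03:14/d' /var/log/messages
2024-12-20T03:14:22Z root setenforce 1
2024-12-20T03:14:23Z root mount -o remount,ro /
2024-12-21T09:00:00Z admin cat /var/log/messages
"""

# Each stage of the sequence as reported above, with an assumed regex for the
# command shape. The first stage (SELinux disabled) anchors a candidate window.
STAGES = [
    ("selinux_off",    re.compile(r"\bsetenforce\s+0\b")),
    ("syslog_fwd_off", re.compile(r"\b(sed|rm|mv)\b.*r?syslog\S*\.conf")),
    ("remount_rw",     re.compile(r"\bmount\b.*remount,rw\b")),
    ("log_edit",       re.compile(r"\bsed\b.*/var/log/")),
    ("selinux_on",     re.compile(r"\bsetenforce\s+1\b")),
    ("remount_ro",     re.compile(r"\bmount\b.*remount,ro\b")),
]


@dataclass
class Event:
    ts: datetime
    user: str
    cmd: str


def parse_audit(text):
    """Parse the constructed audit format into Event objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, cmd = line.split(" ", 2)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, cmd))
    return events


def find_tamper_sequences(events, window=timedelta(minutes=15), min_stages=3):
    """Report every SELinux-off event followed, within `window`, by at least
    `min_stages - 1` further stages of the sequence. Stages are listed in the
    order they were first observed so an analyst can see the timeline."""
    findings = []
    for i, ev in enumerate(events):
        if not STAGES[0][1].search(ev.cmd):
            continue
        seen = {"selinux_off": ev.ts}
        last = ev.ts
        for nxt in events[i + 1:]:
            if nxt.ts - ev.ts > window:
                break
            for name, rx in STAGES[1:]:
                if name not in seen and rx.search(nxt.cmd):
                    seen[name] = nxt.ts
                    last = nxt.ts
        if len(seen) >= min_stages:
            findings.append({
                "start": ev.ts,
                "end": last,
                "user": ev.user,
                "stages": sorted(seen, key=seen.get),
            })
    return findings


def log_gaps(events, max_gap=timedelta(hours=1)):
    """Return (previous_ts, next_ts) pairs where consecutive entries are farther
    apart than `max_gap`. On a normally chatty source, an unexplained gap is a
    cheap indicator that entries were removed or forwarding was interrupted."""
    return [(a.ts, b.ts) for a, b in zip(events, events[1:]) if b.ts - a.ts > max_gap]


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    for f in find_tamper_sequences(evs):
        print(f"tamper sequence by {f['user']} {f['start']} -> {f['end']}: {f['stages']}")
    for a, b in log_gaps(evs):
        print(f"audit gap: {a} -> {b}")
```

The detector deliberately keys on the sequence rather than any single command: `setenforce 0` or a read-write remount alone is routine maintenance on many systems, but all of them inside a few minutes, bracketed by the restoring commands, is the shape described above. Running it against telemetry copied off the device to a collector matters, since the same report notes the actor removes entries from logs on the appliance itself.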

PHASEJAM, a shell script dropper, is designed to make malicious modifications to Ivanti Connect Secure appliance components. In response to the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2025-0282 to the Known Exploited Vulnerabilities catalog, requiring federal agencies to apply the patches by January 15, 2025. Organizations are also urged to scan their environments for signs of compromise and report any incidents or anomalous activity.

Ivanti has released security patches for Ivanti Connect Secure, resolved in firmware version 22.7R2.5. However, patches for Ivanti Policy Secure and Ivanti Neurons for ZTA Gateways will not be ready until January 21, 2025. Ivanti recommends all Connect Secure admins conduct both internal and external ICT scans. Even if the scans come up clean, admins should perform a factory reset before upgrading to version 22.7R2.5. If the scans detect a compromise, a factory reset should remove any installed malware before upgraded appliances are put back into production using version 22.7R2.5.

As Ivanti collaborates with Mandiant and the Microsoft Threat Intelligence Center to investigate the attacks, more details on the detected malware are anticipated to be released shortly.
