· 4 min read CRITICAL CVE-2025-0282 @Sdmrf

Ivanti Connect Secure Under Mass Exploitation - What We Know So Far

Critical authentication bypass vulnerabilities in Ivanti's VPN appliances are being actively exploited. Here's the timeline, technical details, and what you should do right now.


If you’re running Ivanti Connect Secure, Policy Secure, or Neurons for ZTA gateways - stop reading and start patching. Seriously.

The Short Version

Two vulnerabilities dropped this month affecting Ivanti’s VPN products:

  • CVE-2025-0282 - Stack-based buffer overflow allowing unauthenticated RCE (CVSS 9.0)
  • CVE-2025-0283 - Privilege escalation for authenticated users (CVSS 7.0)

The first one is already being exploited in the wild. Mandiant and Volexity have both confirmed active exploitation dating back to mid-December 2024 - weeks before public disclosure.

Why This Matters

Ivanti’s VPN products sit at the network edge, handling remote access for thousands of enterprises. We’ve seen this movie before:

  • January 2024: CVE-2024-21887 and CVE-2023-46805 led to CISA issuing an emergency directive
  • February 2024: CISA ordered all federal agencies to disconnect Ivanti products
  • Throughout 2024: Multiple additional vulnerabilities discovered during incident response

Now we’re back for round two.

Technical Details

The CVE-2025-0282 vulnerability exists in the web component’s handling of certain requests. An unauthenticated attacker can send a crafted request that triggers a stack buffer overflow, leading to code execution with root privileges.

What makes this particularly nasty:

  1. No authentication required - Just network access to the appliance
  2. Pre-auth exploitation - Attackers don’t need valid credentials
  3. Root-level access - Full control of the gateway
  4. Difficult to detect - Exploitation can be stealthy

From what we’re seeing in the wild, attackers are:

  • Deploying webshells for persistent access
  • Harvesting credentials from VPN sessions
  • Using compromised gateways as pivot points into internal networks
  • Deploying the SPAWNMOLE tunneler malware family

Affected Versions

Product            Vulnerable Versions       Fixed Version
Connect Secure     22.7R2.5 and earlier      22.7R2.6
Policy Secure      22.7R1.2 and earlier      22.7R1.3
Neurons for ZTA    22.7R2.3 and earlier      22.7R2.4

What To Do Right Now

1. Check if you’re compromised

Ivanti released an Integrity Checker Tool (ICT). Run it. But don’t fully trust it - sophisticated attackers have been known to tamper with integrity checking mechanisms.

# Download the external ICT
# Run against your appliances
# Look for unexpected files in web directories

Look for:

  • Unexpected files in /home/webserver/ directories
  • Modified system binaries
  • Unusual outbound connections
  • New cron jobs or startup scripts
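Because the built-in integrity checker can itself be tampered with on a compromised box, the check you can trust most is an out-of-band comparison: hash a forensic copy of the appliance filesystem and diff it against a manifest taken from a known-good image of the same build. The following is an added example of that comparison (my code, not Ivanti's ICT and not from the original post). The directory prefixes it prioritises are the ones the checklist above names (/home/webserver/, system binary directories, cron and startup script locations); the file paths and hashes in the sample data are constructed and are not real Ivanti file hashes.

```python
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, List

# Locations from the checklist: the web tree, system binaries, cron and init.
# Findings under these prefixes are surfaced first.
PRIORITY_PREFIXES = (
    "/home/webserver/",
    "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
    "/etc/cron.d/", "/etc/init.d/",
)


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Walk a mounted filesystem image (a forensic copy, not the live appliance)
    and map each absolute path to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            try:
                manifest[rel] = sha256_file(full)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the whole walk
    return manifest


@dataclass
class Findings:
    added: List[str] = field(default_factory=list)      # present now, absent in baseline
    modified: List[str] = field(default_factory=list)   # present in both, hash differs
    removed: List[str] = field(default_factory=list)    # in baseline, gone now

    def priority(self) -> List[str]:
        """Added or modified paths under the prefixes that matter most."""
        return sorted(p for p in self.added + self.modified if p.startswith(PRIORITY_PREFIXES))


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Findings:
    """Compare a known-good manifest against the current one."""
    f = Findings()
    for path, digest in current.items():
        if path not in baseline:
            f.added.append(path)
        elif baseline[path] != digest:
            f.modified.append(path)
    f.removed = [p for p in baseline if p not in current]
    f.added.sort()
    f.modified.sort()
    f.removed.sort()
    return f


# Constructed sample data (placeholder paths and hashes, not real appliance content).
BASELINE = {
    "/home/webserver/htdocs/index.cgi": "11" * 32,
    "/home/webserver/htdocs/legacy.cgi": "12" * 32,
    "/bin/ls": "22" * 32,
    "/usr/sbin/sshd": "33" * 32,
    "/etc/hosts": "44" * 32,
}
CURRENT = {
    "/home/webserver/htdocs/index.cgi": "11" * 32,
    "/home/webserver/htdocs/cache.cgi": "ee" * 32,   # new file in the web tree
    "/bin/ls": "22" * 32,
    "/usr/sbin/sshd": "ff" * 32,                      # system binary changed
    "/etc/hosts": "44" * 32,
    "/etc/cron.d/update": "cc" * 32,                  # new cron entry
    "/var/log/new.log": "aa" * 32,                    # new, but not a priority path
}

if __name__ == "__main__":
    findings = diff_manifests(BASELINE, CURRENT)
    for p in findings.priority():
        print("PRIORITY:", p)
    print("added:", findings.added)
    print("modified:", findings.modified)
    print("removed:", findings.removed)
```

In practice you would call build_manifest() on a known-good image and again on the disk copy under investigation, store both manifests off the appliance, and run diff_manifests() on a separate analysis host; a manifest computed by code running on the suspect box inherits every trust problem the ICT has.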

2. Patch immediately

If your version is affected, patch now. Not tomorrow. Now.

3. Assume breach if you were exposed

If your appliances were internet-facing and running vulnerable versions between December 2024 and now, assume compromise. This means:

  • Full credential rotation for VPN users
  • Review VPN session logs for anomalies
  • Check for lateral movement in your environment
  • Consider forensic analysis of the appliances
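For the "review VPN session logs for anomalies" step, here is an added example (mine, not from the original post and not tied to Ivanti's native log schema) of three cheap checks that tend to surface session abuse after a gateway compromise: a login from a source address never seen for that user, a login for a user who already has an open session from a different address, and a login outside working hours. The log layout (timestamp, user, source IP, event) and the per-user baseline of known addresses are constructed assumptions; replace parse_log() with one for your actual export.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample lines: "<UTC timestamp> <user> <src_ip> <login|logout>".
# This is a simplified layout, not Ivanti's log format.
SAMPLE_LOG = """\
2024-12-18T08:02:11Z alice 203.0.113.10 login
2024-12-18T08:03:40Z bob 198.51.100.7 login
2024-12-18T08:05:02Z alice 192.0.2.44 login
2024-12-18T09:10:00Z bob 198.51.100.7 logout
2024-12-19T02:15:33Z carol 198.51.100.200 login
2024-12-19T17:30:00Z alice 203.0.113.10 logout
"""

# Constructed baseline: addresses each user was seen from before the exposure window.
KNOWN_IPS: Dict[str, Set[str]] = {
    "alice": {"203.0.113.10"},
    "bob": {"198.51.100.7"},
    "carol": {"198.51.100.200"},
}

Event = Tuple[datetime, str, str, str]
Finding = Tuple[str, datetime, str, str]  # (rule, timestamp, user, src_ip)


def parse_log(text: str) -> List[Event]:
    """Parse the sample layout into (timestamp, user, src_ip, event) tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, event))
    return sorted(events)  # chronological order matters for session tracking


def find_anomalies(events: List[Event], known_ips: Dict[str, Set[str]],
                   work_hours: Tuple[int, int] = (7, 20)) -> List[Finding]:
    """Apply three rules over a chronological event stream.
    work_hours is a [start, end) hour range in the log's timezone (UTC here)."""
    findings: List[Finding] = []
    active: Dict[str, Dict[str, datetime]] = defaultdict(dict)  # user -> {ip: login time}
    for ts, user, ip, event in events:
        if event == "login":
            if ip not in known_ips.get(user, set()):
                findings.append(("new_source_ip", ts, user, ip))
            if not (work_hours[0] <= ts.hour < work_hours[1]):
                findings.append(("off_hours_login", ts, user, ip))
            if any(other != ip for other in active[user]):
                findings.append(("concurrent_from_different_ip", ts, user, ip))
            active[user][ip] = ts
        elif event == "logout":
            active[user].pop(ip, None)
    return findings


if __name__ == "__main__":
    for rule, ts, user, ip in find_anomalies(parse_log(SAMPLE_LOG), KNOWN_IPS):
        print(f"{ts.isoformat()} {rule:30s} user={user} src={ip}")
```

None of these rules is proof of compromise on its own (travelling users trip the first two constantly), but on appliances that were exposed during the window, a hit on a service or administrative account is exactly the kind of lead the credential-rotation and lateral-movement review should start from. Note that a webshell on the gateway can also forge or suppress these logs, which is another reason to correlate with logs collected elsewhere.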

4. Network segmentation

Your VPN gateway shouldn’t have unfettered access to everything. Limit what authenticated VPN users can reach, and especially limit what the gateway itself can access.

The Bigger Picture

We need to talk about the edge device problem.

VPNs, firewalls, and other network appliances are increasingly becoming the initial access vector of choice for sophisticated attackers. Why?

  • They’re internet-facing by design
  • They often run on proprietary or locked-down operating systems
  • Traditional EDR doesn’t cover them
  • Visibility into their internals is limited
  • They handle authentication - compromise = credential access

This is the third major Ivanti VPN exploitation campaign in 13 months. At some point, organizations need to ask whether the risk of these perimeter devices outweighs their benefits.

Zero Trust architectures that eliminate the VPN entirely are looking more attractive by the day.

IOCs

Mandiant has published IOCs including:

  • SPAWNMOLE tunneler hashes
  • Webshell paths and filenames
  • C2 infrastructure

Check their blog for the full list. I’m not reproducing them here because they’ll be outdated by the time you read this.

Timeline

  • Dec 2024: Exploitation begins (per Mandiant)
  • Jan 8, 2025: Ivanti releases advisory and patches
  • Jan 9, 2025: CISA adds to KEV catalog
  • Jan 10, 2025: Mass scanning observed
  • Jan 15, 2025: Exploit code circulating privately
  • Jan 22, 2025: This post

Another year, another VPN zero-day. If your security model depends entirely on a perimeter device, it’s time to rethink that model.
