Ivanti Connect Secure VPN Actively Being Exploited in the Wild
Ivanti announced two critical vulnerabilities impacting its Connect Secure (ICS) VPN appliances: CVE-2025-0282 and CVE-2025-0283. Notably, CVE-2025-0282 has been actively exploited in the wild since mid-December 2024.
As per Ivanti threat actors have attempted to bypass detection by the ICT, Ivanti has provided examples demonstrating the differences between successful scans and unsuccessful ones on compromised devices to help users identify potential compromises.
Summary
| OEM | Ivanti |
| Severity | Critical |
| CVSS | 9.0 |
| CVEs | CVE-2025-0282, CVE-2025-0283 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
This stack-based buffer overflow flaw allows unauthenticated attackers to execute arbitrary code on affected devices. Another Vulnerability, CVE-2025-0283, could allow a local authenticated attacker to escalate privileges. Ivanti has released patches for Connect Secure and recommends immediate updates to mitigate the risk.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Stack-Based Buffer Overflow Vulnerability | CVE-2025-0282 | Ivanti | Critical | 22.7R2 through 22.7R2.4 22.7R1 through 22.7R1.2 22.7R2 through 22.7R2.3 |
| Stack-Based Buffer Overflow Vulnerability | CVE-2025-0283 | Ivanti | High | 22.7R2.4 and prior 9.1R18.9 and prior 22.7R1.2 and prior 22.7R2.3 and prior |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-0282 | Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. | RCE, System compromise, Data theft, Network breaches, and Service disruptions. |
| CVE-2025-0283 | Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges | Allow Local Authenticated Attackers to Escalate Privileges. |
Remediation:
- Ensure that the appropriate patches or updates are applied to the relevant Ivanti
- Organizations using ICS appliances are strongly advised to apply these patches and follow Ivanti’s Security Advisory to safeguard their systems.
versions as listed below:
| Affected Version(s) | Fixes and Releases |
| 22.7R2 through 22.7R2.4 | 22.7R2.5 |
| 22.7R2.4 and prior, 9.1R18.9 and prior | 22.7R2.5 |
| 22.7R2 through 22.7R2.3 | 22.7R2.5, Patch planned availability Jan. 21 |
| 22.7R2.3 and prior | 22.7R2.5, Patch planned availability Jan. 21 |
| 22.7R1 through 22.7R1.2 | Patch planned availability Jan. 21 |
| 22.7R1.2 and prior | Patch planned availability Jan. 21 |
- Ivanti Connect Secure: Upgrade to version 22.7R2.5, perform a clean ICT scan, and factory reset appliances before putting them into production for added security.
- Ivanti Connect Secure (Compromise Detected): Perform a factory reset and upgrade to version 22.7R2.5 to remove malware and ensure continued monitoring with security tools.
- Ivanti Policy Secure: Ensure the appliance is not exposed to the internet, as the risk of exploitation is lower, and expect a fix on January 21, 2025.
- Ivanti Neurons for ZTA Gateways: Ensure ZTA gateways are connected to a controller for protection, with a fix available on January 21, 2025.
General Recommendation
- Regularly update software and systems to address known vulnerabilities.
- Implement continuous monitoring to identify any unauthorized access or suspicious activities.
- Use strong authentication and access controls to minimize unauthorized access and reduce attack surfaces.
- Create and Maintain an incident response plan to quickly mitigate the impact of any security breach.
References:
