Patch management

Ivanti Connect Secure VPN Actively Being Exploited in the Wild 

Ivanti announced two critical vulnerabilities impacting its Connect Secure (ICS) VPN appliances: CVE-2025-0282 and CVE-2025-0283. Notably, CVE-2025-0282 has been actively exploited in the wild since mid-December 2024.

As per Ivanti threat actors have attempted to bypass detection by the ICT, Ivanti has provided examples demonstrating the differences between successful scans and unsuccessful ones on compromised devices to help users identify potential compromises.

Summary 

OEM Ivanti  
Severity Critical 
CVSS 9.0 
CVEs CVE-2025-0282, CVE-2025-0283  
Exploited in Wild  Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

This stack-based buffer overflow flaw allows unauthenticated attackers to execute arbitrary code on affected devices. Another  Vulnerability, CVE-2025-0283, could allow a local authenticated attacker to escalate privileges. Ivanti has released patches for Connect Secure and recommends immediate updates to mitigate the risk. 

Vulnerability Name CVE ID Product Affected Severity Affected Version 
Stack-Based Buffer Overflow Vulnerability  CVE-2025-0282 Ivanti Critical 22.7R2 through 22.7R2.4  22.7R1 through 22.7R1.2  22.7R2 through 22.7R2.3  
Stack-Based Buffer Overflow Vulnerability CVE-2025-0283  Ivanti High 22.7R2.4 and prior 9.1R18.9 and prior  22.7R1.2 and prior 22.7R2.3 and prior  

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-0282  Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways  A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.  RCE, System compromise, Data theft, Network breaches, and Service disruptions.  
CVE-2025-0283  Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways  A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges Allow Local Authenticated Attackers to Escalate Privileges. 

Remediation

  • Ensure that the appropriate patches or updates are applied to the relevant Ivanti 
  • Organizations using ICS appliances are strongly advised to apply these patches and follow Ivanti’s Security Advisory to safeguard their systems.

versions as listed below: 

Affected Version(s) Fixes and Releases 
22.7R2 through 22.7R2.4  22.7R2.5  
22.7R2.4 and prior,  9.1R18.9 and prior  22.7R2.5  
22.7R2 through 22.7R2.3  22.7R2.5, Patch planned availability Jan. 21  
22.7R2.3 and prior  22.7R2.5, Patch planned availability Jan. 21  
22.7R1 through 22.7R1.2  Patch planned availability Jan. 21  
22.7R1.2 and prior  Patch planned availability Jan. 21  
  • Ivanti Connect Secure: Upgrade to version 22.7R2.5, perform a clean ICT scan, and factory reset appliances before putting them into production for added security. 
  • Ivanti Connect Secure (Compromise Detected): Perform a factory reset and upgrade to version 22.7R2.5 to remove malware and ensure continued monitoring with security tools. 
  • Ivanti Policy Secure: Ensure the appliance is not exposed to the internet, as the risk of exploitation is lower, and expect a fix on January 21, 2025. 
  • Ivanti Neurons for ZTA Gateways: Ensure ZTA gateways are connected to a controller for protection, with a fix available on January 21, 2025. 

General Recommendation 

  • Regularly update software and systems to address known vulnerabilities. 
  • Implement continuous monitoring to identify any unauthorized access or suspicious activities. 
  • Use strong authentication and access controls to minimize unauthorized access and reduce attack surfaces. 
  • Create and Maintain an incident response plan to quickly mitigate the impact of any security breach. 

References: 

Re-release of November 2024 Exchange Server Security Updates

Microsoft users had a tough time to send or load attachments to emails when using Outlook, were unable to connect to the server, and in some cases could not log into their accounts.

Microsoft Exchange Online is a platform for business communication that has a mail server and cloud apps for email, contacts, and calendars.

Microsoft mitigated the issue after identification were able to determine the cause of the outages and is rolling out a fix for the issue. That rollout is gradual, however, as outage reports continue to come in at DownDetector.

Impact

The outage left many users unable to communicate with colleagues, particularly as it coincided with the start of the workday in Europe. Frustration quickly spread across social media, with users reporting issues accessing emails and participating in Teams calls

Re-release of November 2024 Exchange Server Security Updates 

Summary 

OEM Microsoft 
Severity High 
Date of Announcement 27/11/2024 
Product Microsoft Exchange Server 
CVE ID CVE-2024-49040 
CVSS Score 7.5 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

On November 27, 2024, Microsoft re-released the November 2024 Security Updates (SUs) for Exchange Server to resolve an issue introduced in the initial release on November 12, 2024. The original update (SUv1) caused Exchange Server transport rules to intermittently stop functioning, particularly in environments using transport or Data Loss Protection (DLP) rules. The updated version (SUv2) addresses this issue. 

Table of Actions for Admins: 

Scenario Action Required 
SUv1 installed manually, and transport/DLP rules are not used Install SUv2 to regain control over the X-MS-Exchange-P2FromRegexMatch header. 
SUv1 installed via Windows/Microsoft Update, no transport/DLP rules used No immediate action needed; SUv2 will be installed automatically in December 2024. 
SUv1 installed and then uninstalled due to transport rule issues Install SUv2 immediately. 
SUv1 never installed Install SUv2 immediately. 

Remediation Steps 

1. Immediate Actions 

  • Use the Health Checker script to inventory your Exchange Servers and assess update needs. 
  • Install the latest Cumulative Update (CU) followed by the November 2024 SUv2. 

2. Monitor System Performance 

  • After enabling AMSI integration for message bodies, monitor for any performance issues such as delays in mail flow or server responsiveness. 

3. Run SetupAssist Script for Issues 

  • Use the SetupAssist script to troubleshoot issues with failed installations or update issues, and check logs for specific error details. 

References

Scroll to top