Ivanti has disclosed a critical security vulnerability (CVE-2025-0282) affecting multiple products, including Connect Secure, Policy Secure, and ZTA Gateways. The flaw, which carries a severe CVSS score of 9.0, has been actively exploited since mid-December 2024.
The vulnerability, a stack-based buffer overflow, enables unauthenticated remote code execution on systems running versions prior to 22.7R2.5. A second, high-severity vulnerability (CVE-2025-0283) allowing local privilege escalation was identified at the same time.
Affected Products and Versions:
– Ivanti Connect Secure (22.7R2 through 22.7R2.4)
– Ivanti Policy Secure (22.7R1 through 22.7R1.2)
– Ivanti Neurons for ZTA gateways (22.7R2 through 22.7R2.3)
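The affected ranges above are inclusive and use Ivanti's "major.minorRrelease.patch" version format, which does not sort correctly as a plain string. The following is an added example (not from the advisory or from Ivanti) of an inventory triage helper that parses that format and flags appliances inside the listed ranges; the hostnames and versions in the sample inventory are constructed for illustration.

```python
import re
from typing import List, Tuple

# Affected ranges exactly as listed in the advisory (inclusive lower and upper bound).
AFFECTED_RANGES = {
    "Ivanti Connect Secure": ("22.7R2", "22.7R2.4"),
    "Ivanti Policy Secure": ("22.7R1", "22.7R1.2"),
    "Ivanti Neurons for ZTA gateways": ("22.7R2", "22.7R2.3"),
}

# Matches e.g. "22.7R2" or "22.7R2.4"; a missing patch component is treated as 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn an Ivanti-style version string into a tuple that compares numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(product: str, version: str) -> bool:
    """True if product/version lies inside the advisory's listed range for that product.

    Only the ranges listed above are checked; versions on other branches are
    reported as not affected here and should be checked against vendor guidance.
    """
    if product not in AFFECTED_RANGES:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    low, high = (parse_version(v) for v in AFFECTED_RANGES[product])
    return low <= parse_version(version) <= high


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (hostname, product, version) entries that need patching."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("vpn-edge-01", "Ivanti Connect Secure", "22.7R2.3"),
    ("vpn-edge-02", "Ivanti Connect Secure", "22.7R2.5"),
    ("nac-core-01", "Ivanti Policy Secure", "22.7R1.2"),
    ("zta-gw-01", "Ivanti Neurons for ZTA gateways", "22.7R2.4"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is in the affected range for CVE-2025-0282")
```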
Investigation Findings:
Mandiant’s analysis revealed the deployment of sophisticated malware families:
– SPAWN ecosystem
– DRYHOOK credential harvester
– PHASEJAM web shell installer
The attacks have been attributed to UNC5337, a China-linked threat actor. The exploitation process involves:
– Disabling SELinux
– Blocking system logs
– Installing web shells
– Establishing persistence
– Performing network reconnaissance
– Harvesting credentials
Response and Mitigation:
– CISA has added CVE-2025-0282 to its Known Exploited Vulnerabilities catalog
– Federal agencies must patch by January 15, 2025
– Organizations are advised to scan for compromise indicators
– Ivanti has released patches in version 22.7R2.5