Ivanti Flaw CVE-2025-0282 Under Active Exploitation

Critical Security Flaw in Ivanti Products Under Active Exploitation: What You Need to Know

Ivanti has issued an urgent warning regarding a critical security flaw impacting its products, including Ivanti Connect Secure, Policy Secure, and ZTA Gateways. This vulnerability, identified as CVE-2025-0282, has been under active exploitation since mid-December 2024, posing significant risks to affected systems. With a CVSS score of 9.0, this stack-based buffer overflow vulnerability allows for unauthenticated remote code execution, making it essential for organizations to address it immediately.

In addition to CVE-2025-0282, Ivanti has also patched another high-severity vulnerability, CVE-2025-0283, which permits privilege escalation for locally authenticated attackers. This article will delve into the details of these vulnerabilities and what organizations should do to protect themselves.

Overview of Vulnerabilities

  • CVE-2025-0282:
    • Affects Ivanti Connect Secure versions 22.7R2 through 22.7R2.4
    • Affects Ivanti Policy Secure versions 22.7R1 through 22.7R1.2
    • Affects Ivanti Neurons for ZTA gateways versions 22.7R2 through 22.7R2.3
    • CVSS Score: 9.0 (Critical)
  • CVE-2025-0283:
    • Affects Ivanti Connect Secure versions 22.7R2.4 and prior, 9.1R18.9 and prior
    • Affects Ivanti Policy Secure versions 22.7R1.2 and prior
    • Affects Ivanti Neurons for ZTA gateways versions 22.7R2.3 and prior
    • CVSS Score: 7.0 (High)

Active Exploitation and Threat Actor Activity

Ivanti has confirmed that a limited number of its customers have fallen victim to exploitation through CVE-2025-0282. The cybersecurity firm Mandiant has linked these attacks to a sophisticated threat actor known as UNC5337, associated with a China-nexus group. Mandiant’s investigation revealed the deployment of the SPAWN malware ecosystem, along with new strains of malware such as DRYHOOK and PHASEJAM.

What Makes CVE-2025-0282 Dangerous?

The exploitation process for CVE-2025-0282 involves several steps designed to disable security measures and facilitate further attacks. Key actions include:

  • Disabling SELinux
  • Preventing syslog forwarding
  • Executing scripts to drop web shells
  • Modifying log entries to cover tracks

Mandiant researchers have outlined the threats posed by the PHASEJAM malware, which can insert web shells into critical files, block system upgrades, and execute arbitrary commands.

Recommended Actions for Organizations

In light of these vulnerabilities, organizations should take the following steps:

  1. Patch Affected Systems: Upgrade to Ivanti versions 22.7R2.5 or later for Connect Secure, Policy Secure, and ZTA Gateways.
  2. Scan for Compromise: Utilize tools to scan your environment for signs of exploitation or unusual behavior.
  3. Report Incidents: If any anomalous activity is detected, report it immediately to appropriate authorities.
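As an added example (not code from Ivanti or from the original article), the following Python helper parses Ivanti's version strings and checks an appliance inventory against the affected ranges listed in the overview above, so the "patch affected systems" step can be driven from an asset list rather than by eye. The product keys, the constructed hostnames, and the reading of "X.Y... and prior" as "every release on the X.Y branch up to that version" are assumptions.

```python
import re

# Ivanti version strings look like "22.7R2.4" or "9.1R18.9":
# major.minor, then "R" + release number, then an optional patch level.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text: str) -> tuple[int, int, int, int]:
    """'22.7R2.4' -> (22, 7, 2, 4); a missing patch level counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

# Inclusive (lower, upper) ranges transcribed from the advisory summary above.
# Assumption: a None lower bound ("and prior") means every release on the
# upper bound's major.minor branch, so 9.1R18.9 does not pull in 9.1R18.10.
AFFECTED = {
    "CVE-2025-0282": {
        "connect_secure": [("22.7R2", "22.7R2.4")],
        "policy_secure":  [("22.7R1", "22.7R1.2")],
        "zta_gateway":    [("22.7R2", "22.7R2.3")],
    },
    "CVE-2025-0283": {
        "connect_secure": [(None, "22.7R2.4"), (None, "9.1R18.9")],
        "policy_secure":  [(None, "22.7R1.2")],
        "zta_gateway":    [(None, "22.7R2.3")],
    },
}

def affected_cves(product: str, version: str) -> list[str]:
    """Return the CVE ids from this advisory that apply to product/version."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        for lower, upper in ranges.get(product, []):
            hi = parse_version(upper)
            lo = (hi[0], hi[1], 0, 0) if lower is None else parse_version(lower)
            if lo <= v <= hi:
                hits.append(cve)
                break  # one matching range per CVE is enough
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample inventory (hostname, product, version), not real data.
    sample = [("vpn-01", "connect_secure", "22.7R2.3"), ("vpn-02", "connect_secure", "22.7R2.5"),
              ("nac-01", "policy_secure", "22.7R1.2"), ("legacy", "connect_secure", "9.1R18.9")]
    for host, product, ver in sample:
        print(f"{host} ({ver}): {', '.join(affected_cves(product, ver)) or 'not affected'}")
```

Versions that parse but do not match any range (such as 22.7R2.5, the fixed release named above) come back with an empty list, while an unparseable string raises so that a bad inventory entry is not silently treated as safe.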

Conclusion

The active exploitation of CVE-2025-0282 highlights the urgent need for organizations to remain vigilant and proactive in their cybersecurity efforts. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply patches by January 15, 2025.
