{"id":1449,"date":"2025-01-08T23:52:52","date_gmt":"2025-01-08T23:52:52","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1449"},"modified":"2025-01-08T23:52:52","modified_gmt":"2025-01-08T23:52:52","slug":"ivanti-warns-critical-rce-flaw-in-connect-secure-exploited-as-zero-day","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1449","title":{"rendered":"Ivanti warns critical RCE flaw in Connect Secure exploited as zero-day"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>IT software provider Ivanti released patches Wednesday for its Connect Secure SSL VPN appliances to address two memory corruption vulnerabilities, one of which has already been exploited in the wild as a zero-day to compromise devices.<\/p>\n<p>The exploited vulnerability, tracked as CVE-2025-0282, is a stack-based buffer overflow rated as critical with a CVSS score of 9.0. The flaw can be exploited without authentication to achieve remote code execution and impacts Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways.<\/p>\n<p>The second vulnerability, CVE-2025-0283, is also a stack-based buffer overflow impacting the same products but requires authentication to exploit and can only lead to privilege escalation. 
It\u2019s rated as high severity with a CVSS score of 7.0.<\/p>\n<p>According to <a href=\"https:\/\/forums.ivanti.com\/s\/article\/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US\">Ivanti\u2019s advisory<\/a>, CVE-2025-0282 was exploited in \u201ca limited number of customers\u2019 Ivanti Connect Secure appliances\u201d but the company is not aware of in-the-wild exploitation against Ivanti Policy Secure and Ivanti Neurons for ZTA gateways yet.<\/p>\n<p>As for CVE-2025-0283, that vulnerability was discovered internally while investigating CVE-2025-0282, and there\u2019s no evidence that it has been exploited. The flaws do not need to be chained for a successful attack.<\/p>\n<p>For now, patches are available only for Ivanti Connect Secure, with patches for Policy Secure and Neurons planned for Jan. 21. That\u2019s more than enough time for the patches to be reverse engineered and for proof-of-concept exploits to be developed and adopted by attackers.<\/p>\n<p>However, Ivanti points out that Policy Secure is not supposed to be exposed to the internet, lowering the risk. It advises all customers to make sure the appliance is configured according to official recommendations.<\/p>\n<p>Meanwhile, Neurons ZTA gateways cannot be exploited in production when connected to a ZTA controller. Only gateways that have been generated and left unconnected are at risk of exploitation.<\/p>\n<p>For Connect Secure, the company advises customers to upgrade to version 22.7R2.5 and to perform scans with both the internal and the external Integrity Checker Tool (ICT), which should detect signs of compromise.<\/p>\n<p>\u201cFactory reset on appliances with a clean ICT scan is recommended before putting 22.7R2.5 in production out of an abundance of caution,\u201d the company said.<\/p>\n<p>The CVE-2025-0283 vulnerability impacts both the 22.x and 9.x versions of Connect Secure, although the 9.x branch, which reached end-of-life on Dec. 31, will not receive a patch. The CVE-2025-0282 flaw impacts only the 22.x branch.<\/p>\n<p>\u201cThreat actor activity was identified by the Integrity Checker Tool (ICT) on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix,\u201d the company said in <a href=\"https:\/\/www.ivanti.com\/blog\/security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways\">a blog post<\/a>. \u201cWe continue to work closely with affected customers, external security partners, and law enforcement agencies as we respond to this threat. We strongly advise all customers to closely monitor their internal and external ICT as a part of a robust and layered approach to cybersecurity to ensure the integrity and security of the entire network infrastructure.\u201d<\/p>\n<p>The company credits Google\u2019s Mandiant and Microsoft\u2019s Threat Intelligence Center (MSTIC) for collaborating in the response, so it\u2019s possible that more details about the attacks that exploited the vulnerability will be released at a later date by these companies, as has happened in the past.<\/p>\n<p>This is just the latest of <a href=\"https:\/\/www.csoonline.com\/article\/1290205\/chinese-hackers-exploit-ivanti-vpn-zero-days-for-rce-attacks.html\">several<\/a> <a href=\"https:\/\/www.csoonline.com\/article\/2156359\/fortinet-ivanti-zero-day-victims-face-evolved-persistence-by-the-espionage-actor.html\">vulnerabilities<\/a> in Ivanti products <a href=\"https:\/\/www.csoonline.com\/article\/1307425\/attackers-target-new-ivanti-xxe-vulnerability-days-after-patch.html\">exploited<\/a> <a href=\"https:\/\/www.csoonline.com\/article\/3520876\/newly-patched-ivanti-csa-flaw-under-active-exploitation.html\">in the wild<\/a> as zero-days by APT groups over the past year. In February 2024, the US government went so far as to <a href=\"https:\/\/www.csoonline.com\/article\/1303522\/us-government-agencies-ordered-to-take-ivanti-vpn-product-offline.html\">order agencies to take Ivanti VPNs offline<\/a>.<\/p>\n<p>The company has not publicly released indicators of compromise observed for this latest exploit but said such information will be shared on request with customers that have confirmed impact with the ICT scans.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>IT software provider Ivanti released patches Wednesday for its Connect Secure SSL VPN appliances to address two memory corruption vulnerabilities, one of which has already been exploited in the wild as a zero-day to compromise devices. The exploited vulnerability, tracked as CVE-2025-0282, is a stack-based buffer overflow rated as critical with a CVSS score of [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1450,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1449","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1449"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1449"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1449\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1450"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1449"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1449"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1449"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}