**Update** (January 13, 2025): As of today, we detect 12,335 potentially vulnerable internet-exposed Ivanti Connect Secure instances that show indications of running a version earlier than 22.7R2.5 — about 37% of the total exposed. Only about 120 instances appear to be running the patch. It’s recommended to apply patches for Connect Secure and mitigations for other affected products as soon as possible.
Date of Disclosure (source): January 8, 2025
Date Reported as Actively Exploited (source): January 8, 2025
CVE-2025-0282 is a critical vulnerability affecting multiple Ivanti network appliances, including Ivanti Connect Secure (versions before 22.7R2.5), Ivanti Policy Secure (versions before 22.7R1.2), and Ivanti Neurons for ZTA gateways (versions before 22.7R2.3). It is a stack-based buffer overflow that allows a remote, unauthenticated attacker to execute arbitrary code on vulnerable systems.
Disclosed by Ivanti on January 8, 2025, the vulnerability was immediately added to CISA’s Known Exploited Vulnerabilities (KEV) catalog due to observed exploitation in the wild. Mandiant and Ivanti are conducting a joint investigation and have detected exploitation going back to mid-December of 2024. Post-exploitation activity has also been observed, including lateral movement and deployment of SPAWN malware on compromised devices. These tactics resemble those used in previous campaigns by potentially China-nexus actors exploiting older Ivanti vulnerabilities such as CVE-2023-46805 and CVE-2024-21887.
The exact number of threat actors targeting this vulnerability remains unclear. Ivanti recommends using its Integrity Checker Tool to identify signs of compromise, and Mandiant’s blog provides additional indicators of compromise (IoCs) for further investigation.
| Field | Details |
|---|---|
| CVE-ID | CVE-2025-0282 – CVSS 9.0 (Critical) – assigned by Ivanti |
| Vulnerability Description | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. |
| Date of Disclosure | January 8, 2025 |
| Affected Assets | Affects the following: Ivanti Connect Secure; Ivanti Policy Secure; Ivanti Neurons for ZTA gateways |
| Vulnerable Software Versions | Ivanti Connect Secure before version 22.7R2.5; Ivanti Policy Secure before version 22.7R1.2; Ivanti Neurons for ZTA gateways before version 22.7R2.3 |
| PoC Available? | At the time of writing, no PoC is publicly available. |
| Exploitation Status | This vulnerability has been actively exploited going back to at least mid-December 2024, according to Ivanti and Mandiant. Ivanti reported that they are only aware of exploitation in Connect Secure instances, and that they “are not aware of these CVEs being exploited in Ivanti Policy Secure or ZTA gateways.” |
| Patch Status | Ivanti has provided guidance for remediating Connect Secure in their advisory published on January 8, 2025. They plan to release a fix for Ivanti Policy Secure and Ivanti Neurons for ZTA Gateways on January 21, 2025. |
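The fixed-version thresholds listed above, applied to an asset inventory, as an added example that is not code from Censys or Ivanti. It assumes version strings of the form `<major>.<minor>R<release>[.<patch>]`; the function names, hostnames and inventory rows are constructed for illustration.

```python
import re

# Fixed versions as stated in the advisory; anything that sorts before them is treated as affected.
FIXED = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA gateways": "22.7R2.3",
}

# Assumed version layout: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, release, patch), or None if the string does not parse."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def triage(product, version):
    """Classify one appliance by product name and reported version string."""
    fixed = FIXED.get(product)
    if fixed is None:
        return "not-in-scope"
    parsed = parse_version(version)
    if parsed is None:
        # Many appliances do not disclose a version; these need a manual check.
        return "unknown-version"
    return "vulnerable" if parsed < parse_version(fixed) else "fixed-or-later"


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("vpn-a.example.internal", "Ivanti Connect Secure", "22.7R2.4"),
    ("vpn-b.example.internal", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-c.example.internal", "Ivanti Connect Secure", ""),
    ("nac-a.example.internal", "Ivanti Policy Secure", "22.7R1.1"),
    ("zta-a.example.internal", "Ivanti Neurons for ZTA gateways", "22.7R2.3"),
]


def report(inventory):
    return {host: triage(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    print(report(INVENTORY))
```

A `fixed-or-later` result reflects only the reported version; it says nothing about whether the appliance was compromised before patching, which is what the Integrity Checker Tool is for.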
Censys Perspective
As of this writing, Censys has identified 33,542 exposed Ivanti Connect Secure instances (not all of which are necessarily vulnerable). Most of these are located in the United States and Japan, and most do not publicly disclose their software version. Visibility into Policy Secure (which is not internet-facing) and Neurons for ZTA is unavailable.
Map of Exposed Ivanti Connect Secure Instances
Censys Search Query for EXPOSED Instances:

```
services.software: (vendor="Ivanti" and product="Connect Secure") and not labels: {honeypot, tarpit}
```

Censys ASM Query for EXPOSED Instances:

```
host.services.software: (vendor="Ivanti" and product="Connect Secure") and not host.labels: {honeypot, tarpit}
```

Censys ASM Risk Query for Potentially Vulnerable Instances:

```
risks.name: "Vulnerable Ivanti Connect Secure Application [CVE-2025-0282 & CVE-2025-0283]"
```
Note that this risk was recently deployed and results may take 24 hours to fully propagate.