Full Report
Ivanti customers are urged to patch two new bugs in the security vendor's products, one of which is being actively exploited
Analysis Summary
# Vulnerability: Critical Ivanti Connect Secure Zero-Day RCE and Privilege Escalation
## CVE Details
- CVE ID: CVE-2025-0282, CVE-2025-0283
- CVSS Score: 9.0 (Critical) for CVE-2025-0282; no score is stated for CVE-2025-0283, but the context implies high risk.
- CWE: Stack-based buffer overflow (the advisory describes both flaws this way)
## Affected Systems
- Products: Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways
- Versions:
  - Ivanti Connect Secure: before version 22.7R2.5
  - Ivanti Policy Secure: before version 22.7R1.2
  - Ivanti Neurons for ZTA gateways: before version 22.7R2.3
- Configurations: any appliance running one of these versions.
## Vulnerability Description
The advisory details two distinct stack-based buffer overflow vulnerabilities discovered by researchers at Microsoft and Google Mandiant:
1. **CVE-2025-0282 (Critical Zero-Day):** Allows for unauthenticated Remote Code Execution (RCE).
2. **CVE-2025-0283:** Allows a local authenticated attacker to escalate privileges.
## Exploitation
- Status: **Exploited in the wild** (CVE-2025-0282 only, against Ivanti Connect Secure appliances). At the time of disclosure, no exploitation had been reported for CVE-2025-0283, nor for either CVE on Policy Secure or ZTA gateways.
- Complexity: Low for CVE-2025-0282, since the flaw is reachable without authentication and yields RCE.
- Attack Vector: Network for CVE-2025-0282 (implied by unauthenticated RCE); Local for CVE-2025-0283.
## Impact
- Confidentiality: High (Implied by RCE capability)
- Integrity: High (Implied by RCE capability)
- Availability: High (Implied by RCE capability)
## Remediation
### Patches
Patches are currently available **only for Ivanti Connect Secure**:
- Update Ivanti Connect Secure to version **22.7R2.5** or later.
**Note:** Fixes for Ivanti Policy Secure and Ivanti Neurons for ZTA gateways are expected by January 21st.
### Workarounds
Immediate actions recommended by NCSC/CISA and Ivanti:
1. **For CVE-2025-0282 on Connect Secure:** If exploitation is suspected, perform a factory reset and install the latest security update.
2. **Policy Secure:** Ensure the appliance is configured correctly and **not exposed to the internet**.
3. **ZTA Gateways:** A gateway in production cannot be exploited; the risk arises only when a gateway has been generated but left unconnected to a ZTA controller, leaving it exposed as a standalone appliance.
## Detection
- **Detection Tool:** Run Ivanti’s **Integrity Checker Tool (ICT)** specifically to detect exploitation of CVE-2025-0282.
- **Action upon Discovery:** If compromise is confirmed, report immediately to the relevant national cybersecurity authority (NCSC/CISA).
- **General Strategy:** Perform continuous monitoring and threat hunting on affected systems.
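The Affected Systems and Remediation sections above give a fixed-version threshold per product and a per-product next step. The following script is an added example (not Ivanti's, NCSC's or CISA's tooling) that turns those thresholds into an inventory triage: it parses Ivanti-style version strings, flags appliances still below the fixed version, and attaches the action the page recommends. It assumes the `MAJOR.MINORRn[.PATCH]` version shape seen on the page (e.g. `22.7R2.5`); the hostnames and versions in `SAMPLE_INVENTORY` are constructed for illustration, and the Policy Secure and ZTA thresholds are the versions the page names, whose fixes the page says are still pending.

```python
import re

# Minimum fixed versions per product, taken from the page's Affected Systems list.
# Only the Connect Secure fix is shipping at the time of the page; the other two
# thresholds are the versions the page names, with fixes expected by January 21st.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA gateways": "22.7R2.3",
}

# Recommended next step per product, condensed from the page's Remediation section.
RECOMMENDED_ACTION = {
    "Ivanti Connect Secure": "update to 22.7R2.5 or later; run the Integrity Checker Tool; "
                             "factory reset before patching if exploitation is suspected",
    "Ivanti Policy Secure": "fix expected by January 21st; confirm the appliance is not "
                            "internet-exposed until then",
    "Ivanti Neurons for ZTA gateways": "fix expected by January 21st; confirm every generated "
                                       "gateway is connected to a ZTA controller",
}

# Assumption: versions follow the 'MAJOR.MINORRn[.PATCH]' shape seen on the page
# (e.g. 22.7R2.5). Anything else is rejected rather than guessed at.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version):
    """Turn '22.7R2.5' into the tuple (22, 7, 2, 5); a missing patch level counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(product, version):
    """True when the installed version is older than the fixed version for that product."""
    fixed = FIXED_VERSIONS[product]
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Classify each inventory entry and attach the page's recommended action.

    Products the advisory does not cover are reported with affected=None rather
    than silently skipped, so the reviewer sees every asset that was checked.
    """
    findings = []
    for entry in inventory:
        product = entry["product"]
        if product not in FIXED_VERSIONS:
            findings.append({**entry, "affected": None, "action": "not covered by this advisory"})
            continue
        affected = is_affected(product, entry["version"])
        findings.append({
            **entry,
            "affected": affected,
            "fixed_version": FIXED_VERSIONS[product],
            "action": RECOMMENDED_ACTION[product] if affected else "no action required for these CVEs",
        })
    return findings


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    {"host": "vpn-edge-01", "product": "Ivanti Connect Secure", "version": "22.7R2.4"},
    {"host": "vpn-edge-02", "product": "Ivanti Connect Secure", "version": "22.7R2.5"},
    {"host": "nac-core-01", "product": "Ivanti Policy Secure", "version": "22.7R1.1"},
    {"host": "zta-gw-03", "product": "Ivanti Neurons for ZTA gateways", "version": "22.7R2.3"},
    {"host": "lb-01", "product": "Some Other Appliance", "version": "1.0"},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        status = {True: "AFFECTED", False: "ok", None: "n/a"}[f["affected"]]
        print(f"{f['host']:<12} {f['product']:<32} {f['version']:<10} {status:<9} {f['action']}")
```

Version strings are compared as integer tuples rather than as text so that `22.7R2.10` sorts after `22.7R2.9`; a version the regex does not recognise raises instead of being treated as patched, which is the safer failure mode for a patch-status check.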
## References
- Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US
- News Context: https://www.infosecurity-magazine.com/news/critical-ivanti-zeroday-exploited/