Full Report
Ivanti is warning that a critical security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA Gateways has come under active exploitation in the wild beginning mid-December 2024. The security vulnerability in question is CVE-2025-0282 (CVSS score: 9.0), a stack-based buffer overflow that affects Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2
Analysis Summary
# Vulnerability: Ivanti Connect Secure/Policy Secure/ZTA Gateways Stack-Based Buffer Overflow Leading to RCE (CVE-2025-0282)
## CVE Details
- CVE ID: CVE-2025-0282
- CVSS Score: 9.0 (Critical)
- CWE: Stack-based buffer overflow (weakness class taken from the vulnerability description; the source does not give a CWE identifier)
## Affected Systems
- Products: Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA Gateways
- Versions:
  - **Ivanti Connect Secure:** Before version 22.7R2.5 (Specifically noted: 22.7R2 through 22.7R2.4)
  - **Ivanti Policy Secure:** Before version 22.7R1.2 (Specifically noted: 22.7R1 through 22.7R1.2)
  - **Ivanti Neurons for ZTA Gateways:** Before version 22.7R2.3 (Specifically noted: 22.7R2 through 22.7R2.3)
- Configurations: No specific configuration details mentioned other than the product type (Gateways).
## Vulnerability Description
CVE-2025-0282 is a critical stack-based buffer overflow vulnerability that allows for unauthenticated remote code execution (RCE) against the affected Ivanti gateway products. Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code with high privileges.
The article also mentions a secondary vulnerability, **CVE-2025-0283** (CVSS 7.0), which allows a locally authenticated attacker to escalate privileges.
## Exploitation
- Status: **Exploited in the wild** (active exploitation identified since mid-December 2024).
- Complexity: Not stated; implied low to medium, since the flaw yields unauthenticated RCE, although the observed post-exploitation chain is complex.
- Attack Vector: Network (Remote, Unauthenticated).
### Post-Exploitation Details (Observed for CVE-2025-0282)
The exploitation chain observed by Mandiant involves sophisticated steps to achieve persistence and maintain access, including:
1. Disabling SELinux and preventing syslog forwarding.
2. Remounting the drive as read-write.
3. Executing scripts to drop web shells (into `getComponent.cgi` and `restAuth.cgi`).
4. Tampering with the system upgrade logic (`DSUpgrade.pm`) so that upgrades are blocked.
5. Overwriting the `remotedebug` executable for arbitrary command execution.
6. Deploying malware components (SPAWN ecosystem, DRYHOOK, PHASEJAM).
7. Employing tunneling utilities (SPAWNMOLE) for C2 communication.
8. Lateral movement via LDAP and SMB/RDP after stealing session credentials/keys from VPN application caches.
## Impact
- Confidentiality: High (Data theft, credential harvesting).
- Integrity: High (Arbitrary code execution, modification of system files, deployment of malware).
- Availability: Medium (Disruption possible during exploitation/cleanup, though persistence mechanisms aim to maintain core service availability for C2).
## Remediation
### Patches
Ivanti has released fixes addressing both vulnerabilities, consolidated into the minimum versions:
- **Ivanti Connect Secure:** Upgrade to version **22.7R2.5** or later.
- **Ivanti Policy Secure:** Upgrade to version **22.7R1.2** or later.
- **Ivanti Neurons for ZTA Gateways:** Upgrade to version **22.7R2.3** or later.
*(Note: the fixes for CVE-2025-0283 are included in these same versions.)*
### Workarounds
The excerpt details no official workaround; given the active exploitation and the CISA KEV listing, immediate patching is the only mitigation indicated.
## Detection
- **Indicators of Compromise (IOCs):**
  - Presence of related malware artifacts (SPAWN, DRYHOOK, PHASEJAM).
  - File modifications in critical areas, especially web shell droppers in `getComponent.cgi` and `restAuth.cgi`.
  - Anomalies in system upgrade processes or configuration changes (e.g., modification of `DSUpgrade.pm`).
  - Execution of internal reconnaissance tools (`nmap`, `dig`) or lateral movement attempts from the gateway device.
- **Detection Methods and Tools:**
  - Run Ivanti's **Integrity Checker Tool (ICT)**, which successfully identified the initial activity.
  - Deep scanning for file hash matches related to the identified malware.
  - Monitoring for outbound network connections on non-standard ports from the gateway device, which may indicate tunneling utilities.
  - CISA has added CVE-2025-0282 to the **Known Exploited Vulnerabilities (KEV) Catalog**; track this identifier in vulnerability management and monitoring.
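As an added defender-side example (not Ivanti's Integrity Checker Tool or any code from the report), the check below hashes a known-good snapshot of the files the post-exploitation chain is reported to touch and diffs it against a current snapshot, flagging modified, removed or newly introduced files. The `<appliance-root>` prefix and all file contents are constructed placeholders, not the appliance's real layout.

```python
# Manifest-style integrity check for the files the CVE-2025-0282 post-exploitation
# chain is reported to tamper with. Added example, not Ivanti's ICT; the
# <appliance-root> prefix and all file contents are constructed placeholders.
import hashlib
from typing import Dict, List

# Files named in the report: web-shell drop points, the upgrade-blocking edit, the overwritten binary.
WATCHED_FILES = [
    "<appliance-root>/getComponent.cgi",
    "<appliance-root>/restAuth.cgi",
    "<appliance-root>/DSUpgrade.pm",
    "<appliance-root>/remotedebug",
]

def build_manifest(snapshot: Dict[str, bytes]) -> Dict[str, str]:
    """Map each watched path present in a snapshot (path -> bytes) to its SHA-256 hex digest."""
    return {p: hashlib.sha256(snapshot[p]).hexdigest() for p in WATCHED_FILES if p in snapshot}

def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Report watched files that were modified, removed, or newly introduced since the baseline."""
    findings = []
    for path in WATCHED_FILES:
        b, c = baseline.get(path), current.get(path)
        if b is None and c is None:
            continue  # present in neither snapshot; nothing to compare
        if b is None:
            findings.append(f"NEW: {path} (absent from known-good baseline)")
        elif c is None:
            findings.append(f"MISSING: {path}")
        elif b != c:
            findings.append(f"MODIFIED: {path}")
    return findings

# Constructed snapshots: a known-good image and one showing the kind of tampering the report describes.
KNOWN_GOOD = {
    "<appliance-root>/getComponent.cgi": b"#!/usr/bin/perl\n# vendor cgi (constructed)\n",
    "<appliance-root>/restAuth.cgi": b"#!/usr/bin/perl\n# vendor cgi (constructed)\n",
    "<appliance-root>/DSUpgrade.pm": b"package DSUpgrade;\n# vendor module (constructed)\n",
    "<appliance-root>/remotedebug": b"vendor-binary-placeholder (constructed)",
}
TAMPERED = dict(KNOWN_GOOD)
TAMPERED["<appliance-root>/getComponent.cgi"] += b"# constructed marker standing in for an appended payload\n"
TAMPERED["<appliance-root>/DSUpgrade.pm"] += b"# constructed marker standing in for an upgrade-blocking edit\n"
TAMPERED["<appliance-root>/remotedebug"] = b"replacement-binary-placeholder (constructed)"

def audit() -> List[str]:
    return compare_manifests(build_manifest(KNOWN_GOOD), build_manifest(TAMPERED))

if __name__ == "__main__":
    print("\n".join(audit()) or "no deviations from baseline")
```

On a real appliance the baseline manifest would come from a trusted, offline copy of the vendor image rather than from the running system, since a compromised host can misreport its own files.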
## References
- Vendor Advisory: [forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US] (defanged)
- Mandiant Investigation: [cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day] (defanged)
- CISA KEV Addition: [www.cisa.gov/news-events/alerts/2025/01/08/cisa-adds-one-vulnerability-kev-catalog] (defanged)
- CISA Urging Action: [www.cisa.gov/news-events/alerts/2025/01/08/ivanti-releases-security-updates-connect-secure-policy-secure-and-zta-gateways] (defanged)