Full Report
Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025. [...]
Analysis Summary
# Vulnerability: Ivanti Connect Secure Zero-Day Exploited in the Wild
## CVE Details
- CVE ID: Not explicitly provided in the source text for the *new* patched zero-day; the context refers to recent exploitation following previous Ivanti vulnerabilities. **(Note: the specific CVE ID and CVSS score for the actively exploited zero-day are missing from the provided text snippet.)**
- CVSS Score: N/A
- CWE: N/A
## Affected Systems
- Products: Ivanti Connect Secure (VPN Appliances)
- Versions: Specific vulnerable ranges are not detailed in this excerpt, pending vendor advisory for the newly patched flaw.
- Configurations: Likely impacts internet-facing VPN appliance configurations.
## Vulnerability Description
The article reports that Ivanti patched a new zero-day vulnerability in Ivanti Connect Secure devices that has been actively exploited since mid-March. The flaw is described in the context of previous, related vulnerabilities, such as a buffer overflow that allowed threat actors linked to state-sponsored activity to drop malware (Dryhook and Phasejam) onto compromised VPN appliances. The current zero-day is the latest in a string of critical vulnerabilities that have affected Ivanti products over the last year.
## Exploitation
- Status: Exploited in the wild (actively exploited since mid-March).
- Complexity: Implied **Medium to High**, since the state-sponsored actors involved have chained exploits, though the complexity of the *new* flaw itself is not detailed.
- Attack Vector: Primarily **Network** access to the Ivanti appliance.
## Impact
The impact is severe: successful exploitation has led to the deployment of persistent malware (such as the GIFTEDVISITOR webshell) and to network breaches, as evidenced by the breach at the MITRE Corporation, which was carried out with older chained Ivanti exploits.
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
- **Patches are available** for the newly disclosed zero-day affecting Connect Secure devices. (Specific release versions are not detailed in this summary text.)
- Previous related vulnerabilities have also received patches (e.g., CVE-2023-46805 and CVE-2024-21887).
### Workarounds
- The text implies that users should refer to Ivanti advisories for specific mitigation steps related to the newly patched flaw.
- For older, related vulnerabilities, mitigation steps were previously released, including vendor configuration checks; for the currently exploited zero-day, however, immediate patching is the recommended action.
## Detection
- Threat actors associated with state-sponsored activity have used webshells (e.g., GIFTEDVISITOR) in past campaigns against Ivanti products.
- **Detection should focus on monitoring network traffic** to and from Connect Secure appliances for unexpected command execution or file-drop indicators associated with known post-exploitation activity following these vendor vulnerabilities.
- Organizations are advised to consult CISA and Ivanti advisories for IoCs related to the currently active exploitation campaign.
## References
- [Ivanti patches Connect Secure zero-day exploited since mid-March](https://www.bleepingcomputer.com/news/security/ivanti-patches-connect-secure-zero-day-exploited-since-mid-march/)
- [Ivanti Connect Secure zero-days now under mass exploitation](https://www.bleepingcomputer.com/news/security/ivanti-connect-secure-zero-days-now-under-mass-exploitation/)
- [CISA: Hackers still exploiting older Ivanti bugs to breach networks](https://www.bleepingcomputer.com/news/security/cisa-hackers-still-exploiting-older-ivanti-bugs-to-breach-networks/)