Full Report
The .uk registry Nominet has been breached through a recently disclosed zero-day vulnerability in Ivanti VPN products
Analysis Summary
# Vulnerability: Ivanti Connect Secure Stack-Based Buffer Overflow (Zero-Day)
## CVE Details
- CVE ID: CVE-2025-0282
- CVSS Score: 9.0 (Critical)
- CWE: CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- Products: Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways
- Versions:
  - Ivanti Connect Secure: before 22.7R2.5
  - Ivanti Policy Secure: before 22.7R1.2
  - Ivanti Neurons for ZTA gateways: before 22.7R2.3
- Configurations: Any deployment running one of the affected versions; exposure is through the appliance's network-facing VPN interface.
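A first triage step for an incident of this kind is to check an appliance inventory against the fixed versions listed above. The script below is an added example, not code from the source article or from Ivanti: it parses Ivanti-style version strings (`<major>.<minor>R<release>[.<patch>]`) into numeric tuples so that releases order correctly, applies the "before fixed version" rule per product, and flags rows it cannot classify instead of dropping them. The hostnames, the `(build 1234)` suffix and the inventory rows are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions per product, taken from the affected-versions list above.
# Anything below these is treated as vulnerable (the "before X" rule the summary uses).
FIXED_VERSIONS: Dict[str, str] = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA gateways": "22.7R2.3",
}

# Ivanti version strings look like "22.7R2.5": <major>.<minor>R<release>[.<patch>].
# A trailing " (build NNNN)" suffix is tolerated and ignored for comparison purposes.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?(?:\s*\(build\s+\d+\))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse an Ivanti version string into a numeric tuple suitable for ordering.

    Comparing as integers matters: "22.7R2.10" must sort above "22.7R2.5",
    which plain string comparison gets wrong. A missing patch number is 0.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True when `version` of `product` is below the fixed version for CVE-2025-0282."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for product {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Classify each (host, product, version) row as vulnerable, patched or unknown.

    Rows with an unlisted product or an unparseable version are reported as
    "unknown" rather than silently skipped, so they get manual follow-up.
    """
    results: List[Dict[str, str]] = []
    for host, product, version in inventory:
        try:
            status = "vulnerable" if is_vulnerable(product, version) else "patched"
        except (KeyError, ValueError):
            status = "unknown"
        results.append({"host": host, "product": product, "version": version, "status": status})
    return results


# Constructed sample inventory: hypothetical hostnames, versions and build number.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("vpn-gw-01.example.test", "Ivanti Connect Secure", "22.7R2.4"),
    ("vpn-gw-02.example.test", "Ivanti Connect Secure", "22.7R2.5 (build 1234)"),
    ("vpn-gw-03.example.test", "Ivanti Connect Secure", "22.7R2"),
    ("nac-01.example.test", "Ivanti Policy Secure", "22.7R1.2"),
    ("zta-01.example.test", "Ivanti Neurons for ZTA gateways", "22.7R2.2"),
    ("legacy-01.example.test", "Ivanti Connect Secure", "n/a"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['status']:<10} {row['host']:<24} {row['product']} {row['version']}")
```

A version check only establishes exposure, not compromise: because this flaw was exploited before the patch existed, every appliance that reports "vulnerable" (or that was vulnerable at any point before being upgraded) also needs an integrity check and log review, not just a patch.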
## Vulnerability Description
CVE-2025-0282 is a stack-based buffer overflow in Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways. Successful exploitation allows an unauthenticated, remote attacker to execute code on the appliance (unauthenticated RCE). The flaw was exploited as a zero-day, including against the .uk registry Nominet, before Ivanti's public disclosure on January 8, 2025.
## Exploitation
- Status: Exploited in the wild (confirmed zero-day use against Nominet before the vendor advisory).
- Complexity: Not stated in the source. Confirmed in-the-wild exploitation yielding unauthenticated RCE shows the attack is practically achievable.
- Attack Vector: Network. The attacker reaches the vulnerable code through the appliance's Internet-facing VPN interface without credentials.
## Impact
- Confidentiality: High (RCE on the VPN gateway gives access to traffic, credentials and configuration handled by the appliance).
- Integrity: High (RCE allows modification of the appliance and tampering with the environment it fronts).
- Availability: High (RCE can be used to disrupt or disable the appliance).
*(Note: Nominet stated there was no evidence of data breach or leakage at the time of disclosure. That is a statement about evidence found so far, not a confirmed absence of impact, and should be read as preliminary.)*
## Remediation
### Patches
- Ivanti Connect Secure: Fixed in version **22.7R2.5**, available from Ivanti with the January 8 advisory.
- Ivanti Policy Secure: Fix expected by **January 21**; no patched version was available at disclosure.
- Ivanti Neurons for ZTA gateways: Fix expected by **January 21**; no patched version was available at disclosure.
### Workarounds
- Nominet implemented additional safeguards, including **restricting access to internal systems from the VPN**, while patches were being deployed. For products whose fix was not yet available, limiting what the appliance can reach is the only mitigation the source describes.
## Detection
- **Indicators of Compromise:** Nominet noticed suspicious activity in the week beginning December 30, before Ivanti's January 8 advisory, so network monitoring identified the intrusion ahead of public disclosure. The source publishes no specific indicators. Organizations should review VPN gateway and appliance logs for the whole period before the patch was applied, looking for unexpected requests to the appliance, unexplained administrative or configuration changes, and outbound connections originating from the appliance itself.
- **Detection Methods and Tools:** Ivanti's advisory directed customers to run its Integrity Checker Tool (ICT) against affected appliances; a clean scan should be confirmed before and after upgrading. Beyond that, prioritize network and endpoint telemetry that covers the gateway: unauthenticated connection attempts against the VPN interface, and post-exploitation behaviour such as new processes on the appliance, persistence, and lateral movement from the appliance into the internal network. The source does not describe the exploit traffic itself, so detection should focus on behaviour rather than on a signature for the overflow.
## References
- Ivanti security advisory for CVE-2025-0282 (fixed versions, patch schedule and recommended checks).
- Related event: UK .uk registry Nominet breach, attributed to exploitation of this zero-day.
- Relevant links - defanged:
- hxxps://www.infosecurity-magazine.com/news/critical-ivanti-zeroday-exploited/
- hxxps://www.infosecurity-magazine.com/news/uk-registry-nominet-breached/