Ivanti has issued patches for two vulnerabilities found in Connect Secure. The first is a critical zero-day remote code execution vulnerability that threat actors are actively exploiting in the wild to deploy malware. The first known case of exploitation occurred in mid-December. Ivanti identified the vulnerability when the Ivanti Integrity Checker Tool (ICT) detected malware on customers' devices. The malware had been deployed after exploitation of a previously unknown remote code execution vulnerability, now tracked as CVE-2025-0282 and assigned a CVSS severity score of 9.0.
The second vulnerability is a critical stack buffer overflow. So far, threat actors appear to be exploiting it only to breach Ivanti Connect Secure appliances. The vulnerability affects the following Ivanti products:
- Ivanti Neurons for ZTA Gateways (versions 22.7R2 up to 22.7R2.3)
- Ivanti Connect Secure (Pulse Secure) VPN appliances (versions 22.7R2 up to 22.7R2.5)
- Ivanti Policy Secure (versions 22.7R1 up to 22.7R1.2)
Ivanti also patched a second stack buffer overflow vulnerability, even though it is not currently being exploited. This vulnerability, tracked as CVE-2025-0283, has a CVSS severity score of 7.0. It affects the following products:
- Ivanti Connect Secure 22.7R2.4 and earlier versions
- Ivanti Connect Secure 9.1R18.9 and earlier versions
- Ivanti Neurons for ZTA Gateways 22.7R2.3 and earlier versions
- Ivanti Policy Secure 22.7R1.2 and earlier versions
Ivanti has issued a patch that resolves both vulnerabilities on its Connect Secure devices, and customers are advised to upgrade their firmware to version 22.7R2.5 immediately to avoid exploitation. External and internal ICT scans must be performed before upgrading to the newest version. Where there are signs of a breach, perform a factory reset before updating to the patched version in order to eliminate any malware. Even if the ICT scans are clean, perform a factory reset before upgrading as a safety measure.
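To turn the version ranges and upgrade guidance above into a repeatable check, the following added example (not Ivanti's own tooling, and not part of the original article) parses Ivanti Connect Secure build strings, flags which of the two CVEs apply to each build, and maps affected appliances to the advisory's triage steps. The hostnames in the sample inventory are constructed for illustration; only the Connect Secure version ranges stated in the article are encoded.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Connect Secure ranges as stated in the advisory. 22.7R2.5 is the fixed build,
# so the last affected build for CVE-2025-0282 is 22.7R2.4. Entries are keyed by
# release branch (major, minor): (first affected build or None, last affected build).
AFFECTED: Dict[str, Dict[Tuple[int, int], Tuple[Optional[str], str]]] = {
    "CVE-2025-0282": {(22, 7): ("22.7R2", "22.7R2.4")},
    "CVE-2025-0283": {(22, 7): (None, "22.7R2.4"), (9, 1): (None, "9.1R18.9")},
}
FIXED_BUILD = "22.7R2.5"


def parse_version(build: str) -> Version:
    """Turn an Ivanti build string such as '22.7R2.5' or '9.1R18.9' into a
    comparable (major, minor, release, patch) tuple; a missing patch field is 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?", build.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti build string: {build!r}")
    major, minor, rel, patch = m.groups()
    return int(major), int(minor), int(rel), int(patch or 0)


def affected_cves(build: str) -> List[str]:
    """Return the advisory CVE ids that apply to a Connect Secure build.
    Branches the advisory does not mention are not assessed and yield nothing."""
    v = parse_version(build)
    hits: List[str] = []
    for cve, branches in AFFECTED.items():
        bounds = branches.get(v[:2])
        if bounds is None:
            continue
        first, last = bounds
        above_first = first is None or v >= parse_version(first)
        if above_first and v <= parse_version(last):
            hits.append(cve)
    return hits


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map appliance name -> action following the advisory: affected builds get
    external and internal ICT scans, a factory reset, then the upgrade to 22.7R2.5."""
    actions: Dict[str, str] = {}
    for name, build in inventory.items():
        cves = affected_cves(build)
        if cves:
            actions[name] = (f"{', '.join(cves)}: run external and internal ICT scans, "
                             f"factory reset, upgrade to {FIXED_BUILD}")
        else:
            actions[name] = "not affected per advisory"
    return actions


# Constructed sample inventory (hostnames are made up for illustration).
SAMPLE_INVENTORY = {"vpn-edge-1": "22.7R2.3", "vpn-edge-2": "22.7R2.5", "vpn-legacy": "9.1R18.9"}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```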
Patches for Ivanti Policy Secure and Ivanti Neurons for ZTA Gateways (version 22.7R2.5) are scheduled for release on January 21, 2025. Because Ivanti Policy Secure is not accessible from the Internet, the likelihood of exploitation is lower. The vulnerability in Ivanti Neurons for ZTA Gateways likewise cannot be exploited while a gateway is in the manufacturing stage. Nevertheless, Ivanti has cautioned that once a gateway for the solution has been generated but is not linked to a ZTA controller, the vulnerability in that gateway can be exploited.
Mandiant is assisting Ivanti with response and recovery. According to Mandiant, a China-nexus threat group known as UNC5337 is behind some of the malware deployed on the appliances, although multiple threat actors may be deploying malware. Mandiant explains that after exploiting the vulnerability and installing malware, the threat actor attempts to remove log entries on victims' systems, set up network tunneling, and harvest credentials. In some cases, after deploying malware that blocks legitimate system upgrades, the threat actor has misled IT staff into believing an upgrade had succeeded by presenting a fake upgrade notice.