CVE-2025-0282 and CVE-2025-0283: Critical Ivanti 0days Exploited in the Wild
Detect and mitigate CVE-2025-0282, a critical RCE vulnerability in Ivanti Connect Secure, and CVE-2025-0283, both exploited in the wild as 0day vulnerabilities. Organizations should patch urgently.
Ivanti has confirmed active exploitation of two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, in Ivanti Connect Secure (ICS) VPN appliances. CVE-2025-0282, a zero-day vulnerability, has been exploited since December 2024, enabling unauthenticated remote code execution. According to Mandiant, the ongoing campaign involves multiple malware families and appears to include several threat actors, notably the China-nexus group UNC5337. Ivanti strongly recommends that customers upgrade their ICS appliances to the latest versions to mitigate these vulnerabilities.
What are CVE-2025-0282 and CVE-2025-0283?
CVE-2025-0282
CVE-2025-0282 is an unauthenticated stack-based buffer overflow vulnerability in Ivanti Connect Secure (ICS) VPN appliances; it also affects Ivanti Policy Secure and Ivanti Neurons for ZTA Gateways. It allows an attacker to execute arbitrary code remotely without authenticating. Exploitation involves sending specially crafted input to the appliance that overflows a fixed-size stack buffer and overwrites adjacent, critical regions of memory. This can lead to full control of the system and allow attackers to deploy malware, perform reconnaissance, and potentially compromise downstream networks. The vulnerability is version-specific, so attackers must identify the appliance version through reconnaissance before exploitation.
CVE-2025-0283
CVE-2025-0283 is another vulnerability affecting Ivanti Connect Secure appliances, although fewer details about its exact nature have been disclosed as of January 9, 2025. It is likely related to privilege escalation or improper input validation, potentially enabling attackers to escalate their access on already-compromised systems. While less is known about this vulnerability, it is critical to patch because it might be exploited together with CVE-2025-0282 in more complex attack chains.
Wiz Research data: what’s the risk to cloud environments?
According to Wiz data, less than 1% of cloud enterprise environments are vulnerable to these vulnerabilities.
What sort of exploitation has been identified in the wild?
Exploitation of CVE-2025-0282 has been observed in the wild by Mandiant since December 2024, with attackers leveraging the vulnerability for unauthenticated remote code execution. Attackers begin with reconnaissance by querying specific URLs to determine the ICS appliance version, often originating from VPS providers or Tor networks to mask their identity. Once the version is identified, a crafted payload triggers the stack-based buffer overflow, allowing remote code execution. Attackers modify system settings, such as disabling SELinux and remounting the filesystem, to prepare the appliance for malware deployment. Web shells are injected into legitimate ICS components to establish persistence and remote access. Additional payloads, such as Base64-encoded scripts and ELF binaries, are also deployed.
According to Mandiant, post-exploitation activities include tunneling traffic through the compromised appliance, using tools like nmap and dig for internal reconnaissance, and abusing LDAP service accounts for lateral movement. Sensitive data, such as session cookies, credentials, and API keys, is exfiltrated by archiving and staging the appliance database cache. To evade detection, attackers clear logs, modify system files, and recalculate integrity hashes to bypass Ivanti's Integrity Checker Tool (ICT).
While specific exploitation details for CVE-2025-0283 remain unclear, it likely involves privilege escalation or other methods to enhance the impact of CVE-2025-0282. Some campaigns exploiting these vulnerabilities have been linked to UNC5337, a China-nexus cluster, while others involve unidentified actors using unique malware families termed DRYHOOK and PHASEJAM, suggesting multiple threat actors are exploiting these vulnerabilities.
Indicators of compromise
The following indicators have been observed by Mandiant in the wild:
The following products and versions are affected by these vulnerabilities:
CVE-2025-0282
  Ivanti Connect Secure: versions 22.7R2 through 22.7R2.4
  Ivanti Policy Secure: versions 22.7R1 through 22.7R1.2
  Ivanti Neurons for ZTA Gateways: versions 22.7R2 through 22.7R2.3
CVE-2025-0283
  Ivanti Connect Secure: versions 22.7R2.4 and prior; versions 9.1R18.9 and prior
  Ivanti Policy Secure: versions 22.7R1.2 and prior
  Ivanti Neurons for ZTA Gateways: versions 22.7R2.3 and prior
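To turn the affected-version list above into an inventory check, here is an added example (not code from Wiz or Ivanti) that parses Ivanti's "22.7R2.4"-style version strings and matches them against the ranges exactly as the advisory states them. The product names, the sample inventory and the "and prior" handling (no lower bound, plain tuple comparison) are assumptions of the example.

```python
import re
# Ivanti version strings look like "22.7R2.4" or "9.1R18.9": major.minor,
# an "R" release number and an optional patch level (absent means 0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text: str) -> tuple:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

# Affected ranges exactly as the advisory lists them, inclusive on both ends.
# A lower bound of None encodes "and prior". Comparison is plain tuple order,
# so "22.7R2.4 and prior" also matches every 9.1 build (deliberately conservative).
AFFECTED = {
    "CVE-2025-0282": {
        "Connect Secure": [(parse_version("22.7R2"), parse_version("22.7R2.4"))],
        "Policy Secure": [(parse_version("22.7R1"), parse_version("22.7R1.2"))],
        "Neurons for ZTA Gateways": [(parse_version("22.7R2"), parse_version("22.7R2.3"))],
    },
    "CVE-2025-0283": {
        "Connect Secure": [(None, parse_version("22.7R2.4")), (None, parse_version("9.1R18.9"))],
        "Policy Secure": [(None, parse_version("22.7R1.2"))],
        "Neurons for ZTA Gateways": [(None, parse_version("22.7R2.3"))],
    },
}

def affected_cves(product: str, version: str) -> list:
    """Return the CVE ids whose advisory ranges contain this product version."""
    v = parse_version(version)
    hits = []
    for cve, products in AFFECTED.items():
        for low, high in products.get(product, []):
            if (low is None or low <= v) and v <= high:
                hits.append(cve)
                break  # one matching range per CVE is enough
    return hits

# Constructed sample inventory; hostnames and versions are made up for the demo.
INVENTORY = [
    ("vpn-a", "Connect Secure", "22.7R2.3"),
    ("vpn-b", "Connect Secure", "22.7R2.5"),
    ("ips-1", "Policy Secure", "22.7R1.2"),
    ("vpn-old", "Connect Secure", "9.1R18.9"),
]

if __name__ == "__main__":
    for name, product, ver in INVENTORY:
        print(f"{name}: {', '.join(affected_cves(product, ver)) or 'not in any listed range'}")
```

A host that is not in any listed range is only as good as the inventory it came from; an appliance already reinstalled by an attacker can report a clean version string, which is why the advisory pairs patching with ICT scans.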
Which actions should security teams take?
Upgrade Ivanti Connect Secure, and the other affected products listed above, to the latest fixed versions.
Ivanti advises using their Integrity Checker Tool (ICT) to identify suspicious activity and contacting Ivanti Support if concerns arise. While ICT can provide a snapshot of the appliance’s current state, it may not detect threats if attackers have restored the appliance to a clean state. If ICT scans indicate compromise, Ivanti recommends performing a factory reset to remove malware and reinstalling the appliance using version 22.7R2.5.
Wiz customers can use the pre-built query and advisory in the Wiz Threat Intel Center to search for vulnerable instances in their environment.