Ivanti has disclosed a critical security vulnerability, CVE-2025-0282, that has been actively exploited in zero-day attacks targeting its Connect Secure appliances. The vulnerability, a stack-based buffer overflow, allows unauthenticated remote code execution. The US-based IT security solutions provider has also reported CVE-2025-0283, which affects Connect Secure, Policy Secure, and Neurons for ZTA gateways.

The vulnerabilities were identified in mid-December 2024 through Ivanti’s Integrity Checker Tool (ICT), which detected malicious activity on customer appliances. “We are aware of a limited number of customers’ Ivanti Connect Secure appliances which have been exploited by CVE-2025-0282 at the time of disclosure,” Ivanti stated via a blog post. “We are not aware of these CVEs being exploited in Ivanti Policy Secure or Neurons for ZTA gateways.”

Cybersecurity firm Mandiant, which is collaborating with Ivanti on the investigation, reported that attackers exploited CVE-2025-0282 to deploy malware ecosystems, including SPAWN, DRYHOOK, and PHASEJAM. These tools were used to establish persistence, harvest credentials, and exfiltrate sensitive data. PHASEJAM, a shell-based malware dropper, was observed modifying system components, inserting backdoors, and blocking legitimate system upgrades.

Mandiant noted that attackers used reconnaissance techniques to identify specific appliance versions before deploying their exploits. HTTP requests from virtual private servers (VPS) and Tor networks to appliance URLs were detected, indicating pre-exploitation activity. These requests targeted version-specific /dana-cached/hc_launcher paths on the Connect Secure appliance, which let the attackers determine which software version a given appliance was running.

The observed exploitation steps included disabling SELinux, remounting drives for modification, and inserting web shells. Attackers also removed log entries and recalculated file hashes to evade detection by integrity checks. Sensitive information, including VPN session details and cached credentials, was archived and staged for exfiltration via public-facing directories.

Ivanti has released patches for Connect Secure appliances in firmware version 22.7R2.5, addressing both CVE-2025-0282 and CVE-2025-0283. Updates for Policy Secure and Neurons for ZTA gateways are expected by 21 January 2025. The company has urged customers to apply these patches immediately and implement monitoring practices to identify potential compromises.

Additional support resources have been made available to assist organisations in applying patches and securing their environments. Ivanti’s security advisory provides detailed instructions on mitigating risks, including resetting credentials, revoking certificates, and updating configurations to safeguard against further threats.

Attack techniques and malware behaviour

Mandiant identified several malware behaviours associated with these attacks. DRYHOOK intercepted authentication processes to capture usernames and passwords, while PHASEJAM tampered with the system upgrade process, simulating successful updates while blocking legitimate ones.

The SPAWN ecosystem was used for tunnelling and backdoor access, and new malware families such as DRYHOOK and PHASEJAM were also deployed. Some appliances showed evidence of malware staging through Base64-encoded scripts and modified files, enabling attackers to persist across system reboots and upgrades.

Reconnaissance commands observed included LDAP queries, which were used to gather directory data and to support lateral movement within the network. Tools such as nmap and dig were employed to identify accessible network resources. Credential harvesting and database cache theft were also reported, with attackers archiving cached data, including API keys, certificates, and session cookies, for exfiltration.

Ivanti highlighted the importance of securing edge devices like VPN appliances, which are frequently targeted due to their role as initial access points to corporate networks. Organisations are advised to maintain strong patch management policies, monitor environments continuously, and implement layered security practices to mitigate risks.

Last month, Ivanti addressed multiple vulnerabilities in its Cloud Services Appliance (CSA) by releasing critical security updates. The identified flaws, tracked as CVE-2024-11639, CVE-2024-11772, and CVE-2024-11773, were classified as high-severity issues. Notably, CVE-2024-11639 received a maximum CVSSv3 severity score of 10 out of 10. These vulnerabilities impact CSA versions 5.0.2 and earlier, leading Ivanti to issue urgent guidance for users and administrators to upgrade to the latest version to mitigate risks.