lconstantin
CSO Senior Writer
Ivanti warns critical RCE flaw in Connect Secure exploited as zero-day

News
08 Jan 2025, 4 mins
Network Security, Threat and Vulnerability Management, Zero-day vulnerability

The software maker announced that a stack-based buffer overflow flaw in its SSL VPN appliance has been exploited in the wild. Ivanti Policy Secure and Ivanti Neurons for ZTA gateways are also impacted.


IT software provider Ivanti released patches Wednesday for its Connect Secure SSL VPN appliances to address two memory corruption vulnerabilities, one of which has already been exploited in the wild as a zero-day to compromise devices.

The exploited vulnerability, tracked as CVE-2025-0282, is a stack-based buffer overflow rated as critical with a CVSS score of 9.0. The flaw can be exploited without authentication to achieve remote code execution and impacts Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways.

The second vulnerability, CVE-2025-0283, is also a stack-based buffer overflow impacting the same products but requires authentication to exploit and can only lead to privilege escalation. It’s rated as high severity with a CVSS score of 7.0.

According to Ivanti’s advisory, CVE-2025-0282 was exploited in “a limited number of customers’ Ivanti Connect Secure appliances” but the company is not aware of in-the-wild exploitation against Ivanti Policy Secure and Ivanti Neurons for ZTA gateways yet.

As for CVE-2025-0283, that vulnerability was discovered internally while investigating CVE-2025-0282, and there’s no evidence that it has been exploited. The flaws do not need to be chained for a successful attack.

For now, patches are available only for Ivanti Connect Secure, with patches for Policy Secure and Neurons planned for Jan. 21. That’s more than enough time for the patches to be reverse engineered and for proof-of-concept exploits to be developed and adopted by attackers.

However, Ivanti points out that Policy Secure is not supposed to be exposed to the internet, lowering the risk. It advises all customers to make sure the appliance is configured according to official recommendations.

Meanwhile, Neurons ZTA gateways cannot be exploited in production when connected to a ZTA controller. Only gateways generated and left unconnected are at risk of exploitation.

For Connect Secure the company advises customers to upgrade to version 22.7R2.5 and to perform scans with the internal and the external Integrity Checker Tool (ICT), which should detect signs of compromise.

“Factory reset on appliances with a clean ICT scan is recommended before putting 22.7R2.5 in production out of an abundance of caution,” the company said.

The CVE-2025-0283 vulnerability impacts both the 22.x and 9.x versions of Connect Secure, although the 9.x branch, which reached end-of-life on Dec. 31, will not receive a patch. The CVE-2025-0282 flaw impacts only the 22.x branch.
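The version and product facts in the two paragraphs above (the 22.7R2.5 fix for Connect Secure, the end-of-life 9.x branch, and the still-unpatched Policy Secure and Neurons for ZTA gateways) can be turned into an inventory triage check. This is an added example, not Ivanti's tooling or the ICT; the version-string format it parses (major.minorRrelease[.patch]) and the rule that any 22.x Connect Secure build older than 22.7R2.5 is treated as exposed are assumptions of the example, not statements from the advisory.

```python
import re
from typing import Dict, List, Tuple

# Facts taken from the article; everything else in this example is an assumption.
FIXED_CS_VERSION = "22.7R2.5"   # build Ivanti advises Connect Secure customers to move to
EOL_BRANCH = 9                  # 9.x reached end-of-life Dec. 31 and gets no patch
AFFECTED_PRODUCTS = {"connect_secure", "policy_secure", "neurons_zta"}

# Assumed version layout, e.g. "22.7R2.5" or "9.1R18.9": major.minorRrelease[.patch]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Turn an Ivanti-style version string into a tuple that compares numerically."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def triage(product: str, version: str) -> Dict[str, object]:
    """Return the CVEs an appliance is exposed to and the action the advisory calls for."""
    if product not in AFFECTED_PRODUCTS:
        return {"cves": [], "action": "not an affected product"}
    ver = parse_version(version)
    both: List[str] = ["CVE-2025-0282", "CVE-2025-0283"]
    if product == "connect_secure":
        if ver[0] == EOL_BRANCH:
            # 9.x is hit by CVE-2025-0283 only and will not be patched.
            return {"cves": ["CVE-2025-0283"], "action": "end-of-life branch, no patch; migrate to 22.x"}
        if ver < parse_version(FIXED_CS_VERSION):
            return {"cves": both,
                    "action": f"run internal and external ICT, factory reset, upgrade to {FIXED_CS_VERSION}"}
        return {"cves": [], "action": "patched; keep monitoring ICT"}
    # Policy Secure and Neurons for ZTA: patches were only planned for Jan. 21 at publication,
    # so version is not consulted; the mitigations are configuration-based.
    if product == "policy_secure":
        action = "no patch yet; confirm the appliance is not exposed to the internet"
    else:
        action = "no patch yet; confirm the gateway is connected to a ZTA controller"
    return {"cves": both, "action": action}


if __name__ == "__main__":
    # Constructed sample inventory, not data from the article.
    for prod, ver in [("connect_secure", "22.7R2.4"), ("connect_secure", "9.1R18.9"),
                      ("policy_secure", "22.7R1.2"), ("connect_secure", "22.7R2.5")]:
        print(prod, ver, triage(prod, ver))
```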

“Threat actor activity was identified by the Integrity Checker Tool (ICT) on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix,” the company said in a blog post. “We continue to work closely with affected customers, external security partners, and law enforcement agencies as we respond to this threat. We strongly advise all customers to closely monitor their internal and external ICT as a part of a robust and layered approach to cybersecurity to ensure the integrity and security of the entire network infrastructure.”

The company credits Google’s Mandiant and Microsoft’s Threat Intelligence Center (MSTIC) for collaborating in the response, so it’s possible more details about the attacks that exploited the vulnerability will be released at a later date by these companies as has happened in the past.

This is just the latest of several vulnerabilities in Ivanti products exploited in the wild as zero-days by APT groups over the past year. In February 2024, the US government went so far as to order agencies to take Ivanti VPNs offline.

The company has not publicly released indicators of compromise observed for this latest exploit but said such information will be shared on request with customers that have confirmed impact with the ICT scans.
