Ivanti Connect Secure: Attackers exploit critical security vulnerability

Ivanti warns of active attacks on Ivanti Connect Secure systems. Networks can be compromised through code injection.

Criminals attack server, admin tries to pull the plug

(Image: created with AI in Bing Designer by heise online / dmk)


Ivanti warns of active attacks on a critical vulnerability in its VPN software Ivanti Connect Secure (ICS). This vulnerability and a second one also affect Ivanti Policy Secure and Ivanti ZTA Gateways. Updates are available for ICS; for the other two products, Ivanti has so far only announced them.

Ivanti describes the vulnerabilities in a security advisory. The company has observed attacks on a stack-based buffer overflow that lets malicious actors inject and execute code without prior authentication (CVE-2025-0282, CVSS 9.0, risk “critical”). Ivanti does not describe the exact nature of the attacks. The second vulnerability is also a stack-based buffer overflow; it allows authenticated users to escalate their privileges (CVE-2025-0283, CVSS 7.0, high). According to Ivanti, however, this vulnerability is currently not being exploited.

Google's subsidiary Mandiant presents an initial analysis of the attacks in a separate blog post. After successful exploitation, the attackers deployed malware from the ecosystem Mandiant calls Spawn, as well as the malware families Dryhook and Phasejam. The exploits for the vulnerability are version-specific, tailored to the individual ICS patch levels. The malware then provides tunnels and webshells, blocks updates, intercepts credentials and can cause further damage. Mandiant attributes the attacks to UNC5337, which it considers a subgroup of the China-based UNC5221, i.e. an espionage group.


Ivanti says it knows of a limited number of customers who have been attacked. Mandiant explains that the attacks began in mid-December 2024. The analyses are still ongoing, and the results so far are preliminary. At the end of its blog post, Mandiant lists indicators of compromise (IOCs) and YARA rules that admins can use to check their systems and detect attacks.

Ivanti explains that attacks on the vulnerability CVE-2025-0282 can be detected with the Integrity Checker Tool (ICT). Customers should closely monitor the results of both the internal and the external ICT as part of their security practice. Updated software is also available: Ivanti Connect Secure 22.7R2.5 closes the gap in the vulnerable versions 22.7R2 through 22.7R2.4 as well as 9.1R18.9 and earlier. Ivanti Policy Secure is also vulnerable, but should not be exposed to the Internet; Ivanti has announced an update for it on January 21. Ivanti ZTA gateways are only vulnerable if they are not “in production”: if a gateway has been generated but not connected to the ZTA controller, exploitation is possible. A software patch for this is also expected on January 21.
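As an added example (not code from the article, from Ivanti or from Mandiant), the following Python script turns the version information above into a triage check that an admin can run against a fleet inventory: it parses ICS version strings of the form `22.7R2.4` / `9.1R18.9` and classifies each appliance as vulnerable, fixed or not covered by the version ranges the article names. The inventory and the hostnames are constructed sample data; the version ranges (22.7R2 through 22.7R2.4 vulnerable, 22.7R2.5 fixed, 9.1R18.9 and earlier vulnerable) are taken from the text, and anything outside them is deliberately reported as "unknown" rather than guessed.

```python
import re
from typing import Dict, List, Tuple

# Ivanti version strings look like "22.7R2.5" or "9.1R18.9"; the trailing
# ".patch" component is optional ("22.7R2" is the first build of that release).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Boundaries as stated in the article (assumption: nothing beyond these is known).
FIXED_22_7R2 = (22, 7, 2, 5)      # 22.7R2.5 closes the gap
LAST_VULN_9_1 = (9, 1, 18, 9)     # 9.1R18.9 and earlier are vulnerable


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINORrRELEASE[.PATCH]' into a comparable tuple.

    A missing patch component counts as 0, so "22.7R2" < "22.7R2.1".
    Raises ValueError on anything that does not match the expected shape,
    because a silently misparsed version would hide a vulnerable box.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ICS version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess_version(text: str) -> str:
    """Classify one ICS version as 'vulnerable', 'fixed' or 'unknown'."""
    v = parse_version(text)
    major, minor, release, _ = v
    if (major, minor, release) == (22, 7, 2):
        # 22.7R2 .. 22.7R2.4 are vulnerable; 22.7R2.5 and later R2 builds are fixed
        return "vulnerable" if v < FIXED_22_7R2 else "fixed"
    if (major, minor) == (9, 1):
        # 9.1R18.9 and earlier are vulnerable; newer 9.1 builds are not named
        return "vulnerable" if v <= LAST_VULN_9_1 else "unknown"
    # Other branches (e.g. 22.7R1, 22.7R3) are not covered by the article
    return "unknown"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host in an (hostname, version) inventory to its status.

    Unparseable versions are reported as 'invalid' instead of aborting the run,
    so one bad record does not stop the rest of the fleet from being checked.
    """
    result: Dict[str, str] = {}
    for host, version in inventory:
        try:
            result[host] = assess_version(version)
        except ValueError:
            result[host] = "invalid"
    return result


def hosts_needing_action(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hosts that must be patched now or investigated (vulnerable, unknown, invalid)."""
    return sorted(h for h, s in triage(inventory).items() if s != "fixed")


# Constructed sample inventory (hypothetical hostnames, not real appliances).
SAMPLE_INVENTORY = [
    ("vpn-hq-01.example.test", "22.7R2.4"),   # vulnerable, last unpatched R2 build
    ("vpn-hq-02.example.test", "22.7R2.5"),   # fixed
    ("vpn-dr-01.example.test", "22.7R2"),     # vulnerable, no patch component
    ("vpn-legacy.example.test", "9.1R18.9"),  # vulnerable, old branch
    ("vpn-lab.example.test", "22.7R3"),       # not covered by the advisory text
    ("vpn-broken.example.test", "unknown"),   # malformed inventory record
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:28} {status}")
    print("needs action:", hosts_needing_action(SAMPLE_INVENTORY))
```

The version check only narrows down which appliances to patch first; because the exploits observed by Mandiant were tailored to specific patch levels, a box on a vulnerable build should also be checked with the ICT and Mandiant's IOCs before it is simply upgraded, so that an existing compromise is not patched over.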

Ivanti's VPN is not the only target of attackers: on Tuesday of this week, ongoing attacks on a zero-day vulnerability in Sonicwall's SonicOS and its SSL VPN were also made public. Here too, administrators must quickly install the available software updates.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.