Ivanti started 2025 the same way it ended 2024: disclosing critical vulnerabilities in its Connect Secure VPN appliances under active exploitation. On January 8, 2025, the company published advisories for CVE-2025-0282, a stack-based buffer overflow enabling unauthenticated remote code execution, and CVE-2025-0283, a local privilege escalation flaw rated CVSS 7.0. Both affected Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways.
CVE-2025-0282 was the more severe of the two, carrying a CVSS score of 9.0. Mandiant, working alongside Ivanti, confirmed that the vulnerability had been exploited in the wild since mid-December 2024, weeks before the advisory dropped.
The Vulnerability
CVE-2025-0282 is a stack-based buffer overflow in the web component of Ivanti Connect Secure (versions prior to 22.7R2.5), Ivanti Policy Secure (versions prior to 22.7R1.2), and Ivanti Neurons for ZTA gateways (versions prior to 22.7R2.3).
The overflow could be triggered by sending a specially crafted HTTPS request to the appliance. No authentication was required. Successful exploitation gave the attacker arbitrary code execution with the privileges of the web server process, which on these appliances is sufficient to install backdoors, harvest credentials, and pivot into internal networks.
This is the same class of problem that plagued Ivanti throughout 2024. CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection), the pair of zero-days that dominated security headlines in January 2024, were chained to give pre-authentication command execution in the same product line. The pattern is concerning.
Who Exploited It
Mandiant attributed the exploitation to UNC5337, a suspected China-nexus threat actor with ties to UNC5221, the group responsible for exploiting the 2024 Ivanti zero-days. The connection was based on overlapping infrastructure, malware families, and targeting patterns.
The attackers deployed several malware families on compromised appliances:
- SPAWN ecosystem (SPAWNANT, SPAWNMOLE, SPAWNSNAIL, SPAWNSLOTH): A modular malware toolkit previously associated with UNC5221. SPAWNANT is an installer that patches the Ivanti Integrity Checker Tool (ICT) to avoid detection. SPAWNMOLE is a tunneler, SPAWNSNAIL provides a backdoor SSH server, and SPAWNSLOTH tampers with logs.
- DRYHOOK: A new credential harvester not previously observed, designed to intercept authentication and capture plaintext passwords.
- PHASEJAM: A new web shell installer that patches Ivanti components to inject malicious functionality, including a web shell and a mechanism to block legitimate system upgrades.
The PHASEJAM malware was particularly insidious. It modified the system upgrade process so that when administrators attempted to apply a patch, the malware would display a fake upgrade progress bar while actually preventing the update. Administrators would believe they had successfully patched the vulnerability when the appliance remained compromised and unpatched.
Detection and Ivanti's ICT
Ivanti released an updated version of its Integrity Checker Tool alongside the patch. However, the effectiveness of the ICT had already been questioned. Mandiant noted that the SPAWNANT component specifically targeted the ICT, modifying its expected file manifests so that tampered files would pass integrity checks.
CISA had previously issued guidance (February 2024) stating that the ICT was insufficient as a sole detection mechanism for Ivanti appliance compromise, after its own lab testing showed that an attacker with root persistence could evade it. The January 2025 exploitation validated that concern.
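The weakness Mandiant describes is structural: a checker that reads its manifest, its signature, and its verification key from the same filesystem the attacker controls can be made to pass by rewriting all three. The following Python model is an added example, not Ivanti's ICT and not Mandiant's analysis; the in-memory "filesystem", file paths, HMAC-based signature (standing in for a vendor signature), and key material are all constructed for illustration. It shows the on-box check passing after a SPAWNANT-style rewrite of the manifest, while a check that pins the verification key and compares against hashes held off the appliance still catches the change.

```python
"""Model of an on-box integrity checker defeated by manifest tampering,
beside an off-box check that survives it. Added example; nothing here
is Ivanti's ICT. Paths, keys and the filesystem are constructed."""
import hashlib
import hmac
import json
import os


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(fs: dict) -> dict:
    # manifest: path -> sha256 hex of content; the checker's own files are excluded
    return {path: sha256(content) for path, content in sorted(fs.items())
            if not path.startswith("/ict/")}


def sign_manifest(manifest: dict, key: bytes) -> str:
    # HMAC stands in for the vendor's signature; what matters is where the key lives
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def tampered_files(fs: dict, expected: dict) -> list:
    """Paths whose current hash differs from the expected hash."""
    return sorted(p for p, h in expected.items() if sha256(fs.get(p, b"")) != h)


def on_box_check(fs: dict) -> dict:
    """Checker that trusts artifacts stored on the appliance: manifest,
    signature and verification key are all read from fs."""
    manifest = json.loads(fs["/ict/manifest.json"])
    key = fs["/ict/verify.key"]
    sig_ok = hmac.compare_digest(sign_manifest(manifest, key),
                                 fs["/ict/manifest.sig"].decode())
    return {"signature_ok": sig_ok, "mismatches": tampered_files(fs, manifest)}


def off_box_check(fs: dict, pinned_key: bytes, known_good: dict) -> dict:
    """Checker that pins the verification key and compares against
    hashes held outside the appliance (e.g. vendor-published values)."""
    manifest = json.loads(fs["/ict/manifest.json"])
    sig_ok = hmac.compare_digest(sign_manifest(manifest, pinned_key),
                                 fs["/ict/manifest.sig"].decode())
    return {"signature_ok": sig_ok, "mismatches": tampered_files(fs, known_good)}


def spawnant_style_tamper(fs: dict, path: str, payload: bytes) -> None:
    """Modify a file, rebuild and re-sign the manifest with a fresh key,
    and drop that key where the on-box checker reads it. This mirrors
    what the page describes: the manifest is updated so the modified
    file passes the check."""
    fs[path] = payload
    new_key = os.urandom(32)
    manifest = build_manifest(fs)
    fs["/ict/manifest.json"] = json.dumps(manifest, sort_keys=True).encode()
    fs["/ict/manifest.sig"] = sign_manifest(manifest, new_key).encode()
    fs["/ict/verify.key"] = new_key


def demo():
    """Returns (results before tampering, results after tampering), each a
    pair of (on-box result, off-box result)."""
    vendor_key = b"vendor-signing-key-kept-off-box"  # constructed
    fs = {  # constructed stand-in for the appliance filesystem
        "/home/webserver/cgi/auth.cgi": b"#!/usr/bin/perl\n# legitimate handler\n",
        "/home/perl/Upgrade.pm": b"package Upgrade;\n# legitimate upgrade logic\n",
    }
    known_good = build_manifest(fs)  # what the vendor would publish off-box
    fs["/ict/manifest.json"] = json.dumps(known_good, sort_keys=True).encode()
    fs["/ict/manifest.sig"] = sign_manifest(known_good, vendor_key).encode()
    fs["/ict/verify.key"] = vendor_key
    before = (on_box_check(fs), off_box_check(fs, vendor_key, known_good))
    spawnant_style_tamper(fs, "/home/perl/Upgrade.pm",
                          b"package Upgrade;\n# blocks upgrades, fakes progress\n")
    after = (on_box_check(fs), off_box_check(fs, vendor_key, known_good))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tamper:", before)
    print("after tamper: ", after)
```

The on-box result after tampering reports a valid signature and zero mismatches, which is exactly the false reassurance administrators received. The off-box check fails the signature (the pinned vendor key did not sign the rewritten manifest) and names the modified file, because neither the key nor the expected hashes were ever on the appliance for the attacker to replace.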
For organizations trying to determine if they had been compromised, Mandiant recommended:
- Running the updated ICT (though with the caveat that sophisticated actors may have subverted it).
- Analyzing web server access logs and application logs for anomalous requests.
- Reviewing authentication logs for credential use from unexpected locations.
- Performing network traffic analysis for connections to known command-and-control infrastructure.
- Factory resetting the appliance before applying the patch if compromise was suspected.
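The log-analysis step is the one most teams can start on immediately, because the web server access log is usually already forwarded to a SIEM. Below is an added Python example (not Mandiant's tooling, and the heuristics are not the published indicators for this campaign) that parses Combined Log Format lines and flags two generic patterns worth triage on any internet-facing appliance: a request path far longer than the application ever needs, and a burst of 5xx responses from a single source within a short window. The log lines, IP addresses, paths, and thresholds are constructed for illustration.

```python
"""Flag anomalous requests in web access logs. Added example; sample
lines, thresholds and heuristics are constructed, not campaign IOCs."""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one normal user, one source probing with oversized
# requests and repeated server errors. Not a capture of real traffic.
LONG_PATH = "/dana-na/auth/" + "A" * 700
SAMPLE_LOG = [
    '10.0.0.12 - - [14/Dec/2024:09:01:11 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.12 - - [14/Dec/2024:09:01:15 +0000] "POST /dana-na/auth/url_default/login.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.12 - - [14/Dec/2024:09:05:40 +0000] "GET /dana/home/index.cgi HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [14/Dec/2024:09:02:03 +0000] "POST /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '203.0.113.77 - - [14/Dec/2024:09:02:04 +0000] "POST /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    f'203.0.113.77 - - [14/Dec/2024:09:02:06 +0000] "GET {LONG_PATH} HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '203.0.113.77 - - [14/Dec/2024:09:02:09 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5123 "-" "python-requests/2.31"',
]


def parse(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_anomalies(lines, max_path_len=512, error_threshold=3, window_s=60):
    """Two heuristics:
    - oversized_requests: (ip, timestamp, path length) for paths over max_path_len
    - error_bursts: source IPs with >= error_threshold 5xx responses inside window_s
    A single 5xx from a normal user is noise; three within a minute from one
    source is worth a look."""
    oversized = []
    errors = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable lines are skipped, not silently trusted
        if len(rec["path"]) > max_path_len:
            oversized.append((rec["ip"], rec["ts"], len(rec["path"])))
        if 500 <= rec["status"] < 600:
            errors[rec["ip"]].append(rec["ts"])

    bursts = []
    for ip, stamps in errors.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= error_threshold:
                bursts.append(ip)
                break
    return {"oversized_requests": oversized, "error_bursts": sorted(bursts)}


if __name__ == "__main__":
    for kind, hits in find_anomalies(SAMPLE_LOG).items():
        print(kind, hits)
```

Tune max_path_len against a week of baseline traffic before alerting on it, and treat the error-burst rule as a triage signal rather than proof: a crashing web process can also be a bug, but repeated 5xx responses from one external source against an authentication endpoint deserve a look at what that source sent.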
The Broader Problem with VPN Appliances
Ivanti Connect Secure (formerly Pulse Secure) has become one of the most targeted product lines in enterprise security. Between 2024 and early 2025, it accumulated a remarkable number of critical vulnerabilities:
- CVE-2023-46805 + CVE-2024-21887 (January 2024): Authentication bypass + command injection chain.
- CVE-2024-21893 (January 2024): Server-side request forgery in the SAML component.
- CVE-2024-22024 (February 2024): XML external entity injection in the SAML component.
- CVE-2025-0282 (January 2025): Stack-based buffer overflow.
All of these were reachable without authentication, and all but CVE-2024-22024 were exploited in the wild before a patch was available (Ivanti reported no known exploitation of CVE-2024-22024 at disclosure). The cumulative effect has been devastating for organizations that rely on these appliances as their primary remote access solution.
This is not just an Ivanti problem. Palo Alto GlobalProtect, Fortinet SSL VPN, Cisco ASA/FTD (the AnyConnect/Secure Client gateway), and SonicWall SMA have all had critical pre-authentication vulnerabilities in recent years. VPN appliances are attractive targets because they are, by design, internet-facing and they terminate encrypted tunnels, giving attackers who compromise them a privileged position on the network.
Recommendations
For organizations running Ivanti Connect Secure:
- Patch to 22.7R2.5 or later immediately (22.7R1.2 for Policy Secure, 22.7R2.3 for Neurons for ZTA gateways). If you suspect compromise, factory reset the appliance before patching.
- Do not rely solely on the ICT. Use network-based detection and log analysis as complementary detection methods.
- Rotate all credentials that may have traversed the VPN, including user passwords, service account credentials, and any secrets that were accessible from systems reachable via the VPN. Treat TLS private keys and other secrets stored on the appliance itself as compromised and reissue them.
- Evaluate your VPN architecture. Consider whether a zero-trust network access (ZTNA) approach could reduce your dependence on traditional VPN appliances.
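Answering "are we affected?" from an asset inventory depends on comparing Ivanti's version strings correctly, and a naive string comparison gets it wrong: "22.7R2.10" sorts before "22.7R2.5" lexically even though it is newer. The following Python is an added example, not Ivanti's or any vendor's tooling; it parses the major.minorRrelease.patch format, applies the fixed versions stated on this page, and flags inventory entries that need an upgrade. It conservatively treats anything older than the fixed version, including older release branches, as needing an upgrade; the inventory entries are constructed.

```python
"""Triage an asset inventory against the fixed versions for CVE-2025-0282.
Added example; inventory rows are constructed, fixed versions are from the
advisory text quoted on this page."""
import re
from typing import List, NamedTuple, Tuple


class IvantiVersion(NamedTuple):
    major: int
    minor: int
    release: int
    patch: int


# Matches "22.7R2.5", "22.7R1.2", or "22.7R2" (no patch number)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(s: str) -> IvantiVersion:
    """Parse an Ivanti release string into a comparable tuple.
    A missing patch component is treated as 0."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {s!r}")
    major, minor, release, patch = m.groups()
    return IvantiVersion(int(major), int(minor), int(release), int(patch or 0))


# First fixed version per product, as stated in the advisory text on this page.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA gateways": "22.7R2.3",
}


def is_affected(product: str, version: str) -> bool:
    """True when the running version is older than the fixed version.
    Assumption: every older version (including older release branches)
    is treated as needing an upgrade, which is the conservative reading."""
    fixed = parse_version(FIXED_VERSIONS[product])
    return parse_version(version) < fixed


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """inventory rows: (hostname, product, version). Returns rows needing a patch,
    preserving order so the output can be handed straight to a ticket."""
    return [(host, product, ver) for host, product, ver in inventory
            if is_affected(product, ver)]


# Constructed inventory, not a real environment.
SAMPLE_INVENTORY = [
    ("vpn-01.example.net", "Ivanti Connect Secure", "22.7R2.4"),
    ("vpn-02.example.net", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-03.example.net", "Ivanti Connect Secure", "22.7R2.10"),
    ("nac-01.example.net", "Ivanti Policy Secure", "22.7R1"),
    ("zta-01.example.net", "Ivanti Neurons for ZTA gateways", "22.7R2.3"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("NEEDS PATCH:", *row)
```

Feed this the same version strings the appliances report in their admin UI or API export; if a string does not parse, the function raises rather than silently marking the host as safe, which is the failure mode you want in a remediation-window check.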
How Safeguard.sh Helps
Safeguard.sh tracks vulnerabilities across your entire software supply chain, including network infrastructure like VPN appliances. When critical vulnerabilities like CVE-2025-0282 are disclosed, Safeguard correlates the CVE against your asset inventory and flags affected systems immediately.
Beyond reactive alerting, Safeguard's continuous monitoring helps you understand your exposure posture before zero-days drop. By maintaining accurate SBOMs for your deployed infrastructure, you can quickly answer the question "are we affected?" within minutes of a new advisory, not hours or days.
Safeguard's policy gates can also enforce minimum firmware versions for network appliances, preventing known-vulnerable versions from remaining in production past your organization's defined remediation window. When the next Ivanti zero-day drops -- and history suggests there will be one -- you will know your exposure instantly.