Ivanti VPN Security Bug Exploited by Hackers

Ivanti VPN Zero-Day Exploited: Customer Networks Compromised
A major U.S. software company, Ivanti, has issued a warning regarding a newly discovered zero-day vulnerability within its widely deployed enterprise VPN appliance.
Critical Vulnerability Details
The vulnerability, identified as CVE-2025-0282, presents a critical risk. It allows for remote code execution on Ivanti’s Connect Secure, Policy Secure, and ZTA Gateways products without requiring any form of authentication.
Ivanti emphasizes that its Connect Secure VPN solution enjoys widespread adoption. It is utilized by organizations of all sizes and across numerous industries.
Recent Security Challenges for Ivanti
This incident marks the latest in a series of security breaches targeting Ivanti products in recent years. The company previously committed to a comprehensive overhaul of its security protocols following earlier attacks.
The discovery of this latest vulnerability stemmed from alerts generated by Ivanti’s Integrity Checker Tool (ICT), which detected malicious activity on several customer appliances.
Active Exploitation Confirmed
According to an advisory released on Wednesday, Ivanti confirmed that malicious actors are actively exploiting CVE-2025-0282 as a zero-day. This means the flaw was exploited before a fix could be developed and deployed.
Ivanti has acknowledged a “limited number of customers” whose Connect Secure appliances have been compromised.
Patch Availability
A security patch is currently available for Connect Secure. However, patches for Policy Secure and ZTA Gateways are scheduled for release on January 21st. Currently, there is no evidence of exploitation for these latter products.
Additional Vulnerability Discovered
Ivanti also identified a second vulnerability, designated as CVE-2025-0283, though it has not yet been observed in active exploitation attempts.
Attribution and Impact
Ivanti has not disclosed the number of affected customers or the identity of the attackers. Responses to inquiries from TechCrunch were not received at the time of reporting.
Mandiant's Findings
Incident response firm Mandiant, collaborating with Microsoft researchers, revealed that exploitation of the Connect Secure zero-day was observed as early as mid-December 2024.
While definitive attribution remains elusive, Mandiant suspects the involvement of a China-linked cyberespionage group, known as UNC5337 and UNC5221. This group previously exploited zero-day vulnerabilities in Connect Secure during 2024 to conduct widespread attacks against Ivanti customers.
Industry Response
Ben Harris, CEO of watchTowr Labs, reported “widespread impact” from the latest Ivanti VPN flaw. His company has been assisting clients in assessing and mitigating the risk.
Harris emphasized the severity of the vulnerability, noting its characteristics align with those of an advanced persistent threat utilizing a zero-day against a critical system. He strongly urged immediate action.
Government Advisories
The U.K.’s National Cyber Security Centre is actively investigating cases of exploitation affecting networks within the U.K. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added the vulnerability to its catalog of known exploited vulnerabilities.