A critical zero-day vulnerability, CVE-2025-0282, has been actively exploited in Ivanti Connect Secure (ICS) VPN appliances since mid-December 2024. This unauthenticated buffer overflow vulnerability enables remote code execution, allowing attackers to infiltrate networks and deploy advanced malware.
‍
Key Highlights

Characteristics: 

• First observed: December 2024.
• Targeting focus: Ivanti Connect Secure VPN appliances.
• Threat activity: Use of sophisticated malware such as web shells (e.g., PHASEJAM), tunneling utilities (SPAWNMOLE), and credential theft tools (DRYHOOK).
• Global reach: Activity observed across multiple organizations and industries worldwide.

Indicators of Exploitation:

• Repeated HTTP requests probing specific appliance versions.
• Deployment of web shells to gain remote access.
• System modifications including SELinux disabling and log tampering.

Global Insights
Exploitation of CVE-2025-0282 has been observed in multiple industries and countries, emphasizing its widespread and opportunistic nature. While specific industries have not been singled out, organizations utilizing vulnerable ICS VPN appliances are at significant risk.

Exploitation Methods

• Perform reconnaissance to identify appliance versions.
• Inject malicious scripts and binaries to establish persistence.
• Manipulate legitimate processes to block system updates and retain control.
• Exploit weak access controls to move laterally within networks.

Protecting Against ICS Zero-Day Exploitation
Organizations using Ivanti Connect Secure appliances must act swiftly to address this critical vulnerability. Proactive measures can significantly mitigate risks.

1. Apply Security Patches: 

• Upgrade to Ivanti’s patched versions (22.7R2.5 or later)
• Ivanti References:
  1. https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US
  2. https://www.ivanti.com/blog/security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways
  

2. Monitor for Indicators of Compromise: 

• Use Ivanti’s Integrity Checker Tool (ICT) and other monitoring solutions to detect anomalies.

3. Implement Strong Access Controls:

• Ensure all external-facing systems are protected by multifactor authentication (MFA).

4. Segment Backups:

• Maintain immutable and offline backups to protect against potential ransomware or malware deployment.

5. Enhance Endpoint Security:

• Deploy and monitor Endpoint Detection and Response (EDR) solutions to detect malicious activity.

6. Audit and Harden Configurations:

• Review system logs for tampering and enforce the principle of least privilege.

Need Assistance?
If you need assistance with patching, monitoring or a current incident, please contact us at 833-568-6695 or email our team at incident@moxfive.com.