Critical Ivanti Buffer Overflow Vulnerability Exploited in the Wild
Summary
CVE-2025-0282 (CVSS 9.0) is a critical stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. The flaw allows unauthenticated remote code execution, and exploitation has been active since December 2024. The vulnerability impacts Ivanti Connect Secure versions before 22.7R2.5, Policy Secure before 22.7R1.2, and Neurons for ZTA gateways before 22.7R2.3. A patch for Connect Secure is available; fixes for the other products are expected by January 21, 2025.
Technical Description:
CVE-2025-0282 arises from a stack-based buffer overflow in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. The flaw is triggered by improper handling of the client Capabilities parameter in the /home/bin/web binary: strncpy is called with a length that does not match the destination buffer, so attacker-supplied data can overwrite memory beyond the buffer and lead to remote execution of arbitrary code on vulnerable systems.
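The bug class named above, a strncpy whose bound is not tied to the destination buffer, is easier to recognise in code than in prose. The following is an added illustration written for this page; it is not Ivanti's code and does not reproduce the /home/bin/web binary. The buffer size, function names and the sample capability strings are constructed for the example. The unsafe variant shows why strncpy gives no protection when its length argument comes from the input, and the hardened variant shows the correct pattern: bound the copy by the destination size, refuse input that does not fit, and always terminate the string.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed fixed-size stack buffer for a client capabilities value. */
#define CAP_BUF_SIZE 64

/*
 * Illustrative unsafe pattern (hypothetical, not the vendor's code).
 * The bound passed to strncpy is derived from the *source* length, so the
 * function behaves like an unbounded copy: any value of CAP_BUF_SIZE bytes
 * or more overruns dst on the stack. Never call this with untrusted input.
 */
void copy_capabilities_unsafe(char dst[CAP_BUF_SIZE], const char *src)
{
    size_t n = strlen(src);          /* attacker controls this */
    strncpy(dst, src, n);            /* bound should have been sizeof dst */
    dst[n] = '\0';                   /* writes past the end for long input */
}

/*
 * Hardened pattern: the copy is bounded by the destination size, over-long
 * input is rejected instead of truncated silently, and the result is always
 * NUL-terminated. Returns false when src does not fit.
 */
bool copy_capabilities_safe(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return false;

    /* Look for the terminator within the space we actually have. memchr
       stops at the first match, so it never reads past a shorter string. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)
        return false;                /* src is >= dst_size bytes: reject */

    size_t len = (size_t)(nul - src);
    memcpy(dst, src, len + 1);       /* copy including the terminator */
    return true;
}

/* Helper: does a constructed value of `len` bytes fit a CAP_BUF_SIZE buffer? */
bool accepts_length(size_t len)
{
    char src[CAP_BUF_SIZE + 32];     /* room for over-long test values */
    if (len >= sizeof src)
        return false;
    memset(src, 'A', len);
    src[len] = '\0';

    char dst[CAP_BUF_SIZE];
    return copy_capabilities_safe(dst, sizeof dst, src);
}

/* Helper: copy src through the safe path and confirm it round-trips intact. */
bool roundtrip(const char *src)
{
    char dst[CAP_BUF_SIZE];
    memset(dst, 0x7f, sizeof dst);   /* poison so a missing terminator shows */
    if (!copy_capabilities_safe(dst, sizeof dst, src))
        return false;
    return strcmp(dst, src) == 0;
}

int main(void)
{
    /* Constructed sample values; the real parameter format is not documented here. */
    printf("short value accepted:      %s\n", roundtrip("ipv4,ipv6") ? "yes" : "no");
    printf("63-byte value accepted:    %s\n", accepts_length(CAP_BUF_SIZE - 1) ? "yes" : "no");
    printf("64-byte value rejected:    %s\n", accepts_length(CAP_BUF_SIZE) ? "no" : "yes");
    printf("90-byte value rejected:    %s\n", accepts_length(90) ? "no" : "yes");
    return 0;
}
```

The two functions differ in a single decision: where the length limit comes from. When reviewing native code that handles request parameters, the question to ask of every strncpy, memcpy or sprintf is whether its bound is a property of the destination (sizeof a stack array, an allocation size carried alongside the pointer) or of the input; only the former prevents an overflow.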
Affected Assets:
The vulnerability affects the following Ivanti products:
- Ivanti Connect Secure
- Ivanti Policy Secure
- Ivanti Neurons for ZTA gateways
Affected Vulnerable Versions:
The flaw impacts the following versions:
- Ivanti Connect Secure: versions prior to 22.7R2.5
- Ivanti Policy Secure: versions prior to 22.7R1.2
- Ivanti Neurons for ZTA gateways: versions prior to 22.7R2.3
Workarounds or Mitigations:
Ivanti recommends that affected users apply patches immediately. For Ivanti Connect Secure, a fix (version 22.7R2.5) is available, while patches for Policy Secure and Neurons for ZTA gateways are expected by January 21, 2025. Organizations should run Ivanti’s Integrity Checker Tool to detect signs of compromise and perform a factory reset on any affected system.
Seriousness of the Issue:
As of January 2025, 33,542 Ivanti Connect Secure instances are exposed globally, with significant concentrations in the U.S. and Japan. Many of these devices remain unpatched, which raises the risk of exploitation given the confirmed active exploitation in the wild. Cybersecurity firms have reported sophisticated malware families, such as SPAWN, Dryhook, and Phasejam, being deployed on appliances compromised through this vulnerability.
Conclusion
CVE-2025-0282 is a critical vulnerability with the potential for remote code execution. Exploitation of this flaw can lead to complete system compromise, making it essential for organizations to apply the available patches immediately. The widespread exposure of affected
Impact:
Exploitation of CVE-2025-0282 allows unauthenticated attackers to execute arbitrary code remotely on Ivanti appliances, potentially compromising entire networks. As the vulnerability has been actively exploited, unpatched devices are at high risk of being targeted, leading to potential data breaches and system disruptions. Cyberattacks leveraging this vulnerability have already been linked to advanced malware deployments.
IOC and Context Details:
Recommended Actions:
- Upgrade Ivanti Connect Secure to version 22.7R2.5 immediately.
- Upgrade Ivanti Policy Secure and Neurons for ZTA gateways once patches are released on January 21, 2025.
- Use Ivanti’s Integrity Checker Tool (ICT) to detect compromised devices.
- Perform factory resets on affected systems to remove any malicious artifacts.
- Implement strong network monitoring to detect signs of exploitation.