Critical Vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateway under Active Exploitation (CVE-2025-0282)
Executive Summary
On January 8th, software vendor Ivanti published an advisory detailing a critical vulnerability (CVE-2025-0282) in their Connect Secure, Policy Secure, and ZTA Gateway products. Successful exploitation of this vulnerability would allow an unauthenticated attacker to achieve remote code execution (RCE) on a vulnerable device. Affected devices are typically exposed to the internet by design. As a result, successful exploitation of this vulnerability gives threat actors initial access into affected organizations’ networks and could facilitate further attack activity and lateral movement.
Ivanti has released patches for Ivanti Connect Secure along with its advisory; details can be found below. Ivanti additionally reported confirmed active exploitation of this vulnerability by threat actor groups. This exploit activity has been observed on the Connect Secure VPN product; no exploit activity against the Policy Secure or ZTA Gateway products has been publicly reported.
At the time of this writing, there is no evidence of public proof-of-concept (PoC) exploit code. However, Beazley Security expects other financially motivated threat actors to study the vulnerability and patch to develop additional exploits in the coming days.
Beazley Security strongly recommends organizations immediately apply patches for affected Ivanti products and review affected systems for signs of compromise by leveraging Ivanti’s Integrity Checker Tool (ICT) to look for suspicious changes to devices. Due to the delayed release of patches for Policy Secure and ZTA Gateway, any organizations using these products should restrict access to critical functions only or, if possible, disconnect them from the internet until patches become available.
Affected Systems and Products
This vulnerability affects Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateway. Official patches have been released for Ivanti Connect Secure and are detailed below. According to Ivanti, patches for Ivanti Policy Secure and Ivanti ZTA Gateway are planned for release on January 21st.
Mitigations and Workarounds
It is recommended to install the applicable patches for Ivanti Connect Secure and run the Integrity Checker Tool (ICT) to detect any compromise. Please see the Indicators of Compromise (IoC) section below for more details.
Patches for Policy Secure or ZTA Gateway are not available until January 21st. Organizations using these appliances should minimize any exposure to the internet if possible, until vendor patches are released.
Patches
Patches for Ivanti Connect Secure can be found in the Ivanti download portal: https://portal.ivanti.com/. Ivanti Policy Secure and Ivanti ZTA Gateway patches are scheduled to be released on January 21st.
Indicators of Compromise (IoC)
Observed post-exploitation activity alters files on impacted Ivanti systems. These unexpected modifications can be detected by Ivanti’s Integrity Checker Tool (ICT), which monitors file changes and file integrity within the Ivanti Connect Secure appliance.
Observed indicators of compromise include file system changes to the following locations:
- /tmp/s
- /home/webserver/htdocs/dana-na/auth/getComponent.cgi
- /home/webserver/htdocs/dana-na/auth/restAuth.cgi
- /root/home/lib/libsshd.so
- /root/home/lib/libsocks5.so
- /root/lib/libupgrade.so
- /tmp/.liblogblock.so
YARA rules have also been provided at the bottom of Mandiant’s write-up.
Threat hunting for these indicators can be aided by running Ivanti’s ICT tool as described here. Beazley Security highly recommends using this tool, as it should be able to detect malicious system changes that are not covered by the indicators listed above. Impacted customers should contact Ivanti support to report incidents and obtain additional incident response support.
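As an added example (not part of the original advisory and not Ivanti's ICT), the following Python scanner walks the IoC paths listed above under a given root, such as a mounted appliance image or an exported filesystem, and classifies each one; paths that legitimately exist on a clean device (restAuth.cgi and getComponent.cgi are real components that web shells are written into) are compared against a caller-supplied reference SHA-256 so that in-place modification is flagged rather than mere presence. The reference digests and the sample tree are constructed placeholders, not real appliance values.

```python
import hashlib
import tempfile
from pathlib import Path

IOC_PATHS = [  # file-system indicators listed in the advisory above
    "/tmp/s",
    "/home/webserver/htdocs/dana-na/auth/getComponent.cgi",
    "/home/webserver/htdocs/dana-na/auth/restAuth.cgi",
    "/root/home/lib/libsshd.so",
    "/root/home/lib/libsocks5.so",
    "/root/lib/libupgrade.so",
    "/tmp/.liblogblock.so",
]


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def scan_iocs(root, known_good, paths=IOC_PATHS):
    """Classify each IoC path under root (e.g. a mounted appliance image) as 'absent' or
    'present'; paths in known_good (legitimate file -> reference SHA-256) get 'clean'/'modified'."""
    findings = {}
    for rel in paths:
        full = Path(root) / rel.lstrip("/")
        if not full.exists():
            findings[rel] = "absent"
        elif rel in known_good:  # e.g. restAuth.cgi, which a web shell is written into
            findings[rel] = "clean" if sha256_file(full) == known_good[rel] else "modified"
        else:
            findings[rel] = "present"
    return findings


def suspicious(findings):  # paths needing follow-up: unexpected file or altered legitimate file
    return [p for p, s in findings.items() if s in ("present", "modified")]


def build_sample_image(tampered=False):
    """Constructed sample tree (not a real appliance image) to exercise the scanner."""
    root = Path(tempfile.mkdtemp())
    cgi = root / "home/webserver/htdocs/dana-na/auth/restAuth.cgi"
    cgi.parent.mkdir(parents=True)
    (root / "tmp").mkdir()
    cgi.write_bytes(b"#!/bin/sh\n# constructed stand-in for the legitimate CGI\n")
    known_good = {"/home/webserver/htdocs/dana-na/auth/restAuth.cgi": sha256_file(cgi)}
    if tampered:  # mimic the file changes the advisory attributes to post-exploitation
        cgi.write_bytes(cgi.read_bytes() + b"# constructed placeholder for an appended web shell\n")
        (root / "tmp/s").write_bytes(b"constructed placeholder for a staged script\n")
    return root, known_good
```

On a real image, populate known_good from a clean reference installation of the same version, since the legitimate CGI files differ between releases.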
Technical Details
A stack buffer overflow in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for Zero Trust Access (ZTA) gateways permits unauthenticated remote code execution. This vulnerability requires detailed and precise manipulation of device memory, making exploitation complex. However, this type of vulnerability has been studied extensively, and many threat actor groups have the capability to develop or obtain weaponized exploits.
Successful exploitation has been reported as version-specific, and Mandiant has reported threat actors using version detection methods prior to exploitation. As of this writing, successful exploitation has been isolated to Ivanti Connect Secure products.
Per Mandiant’s writeup, the exploit script has been observed performing the following steps:
- Disables SELinux
- Prevents syslog forwarding by adding iptables blocks
- Remounts the drive as read-write
- Stages malware by copying a shell script into the /tmp directory
- Executes a base64-encoded ELF binary from /tmp/svb with root privileges
- Deploys one or more web shells into the getComponent.cgi and restAuth.cgi files
- Blocks future updates and upgrades
- Uses sed to remove specific entries from debug and application logs
- Re-enables SELinux
- Remounts the drive
Detailed information on these stages can be found on Mandiant’s blog post.
Post-exploitation activity includes deployment and use of SPAWNMOLE tunnelers, giving the threat actor command-and-control (C2) capabilities.
How Beazley Security is Responding
Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
Sources
- https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US
- https://nvd.nist.gov/vuln/detail/CVE-2025-0282
- https://www.cisa.gov/news-events/alerts/2025/01/08/ivanti-releases-security-updates-connect-secure-policy-secure-and-zta-gateways
- https://forums.ivanti.com/s/article/KB44859?language=en_US
- https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day