CVE-2025-0282

Published Jan 8, 2025

Last updated a month ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-0282 is a stack-based buffer overflow vulnerability that affects several Ivanti network appliances: Ivanti Connect Secure (versions prior to 22.7R2.5), Ivanti Policy Secure (versions prior to 22.7R1.2), and Ivanti Neurons for ZTA gateways (versions prior to 22.7R2.3). It allows a remote, unauthenticated attacker to execute arbitrary code on affected systems. Exploitation was first observed in mid-December 2024, and Ivanti disclosed the vulnerability on January 8, 2025; it has since been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. The vulnerability appears to be related to the handling of IF-T (IF-T/TLS) connections.

Description
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
Source
3c1d8aa1-5a33-4ea4-8992-aadd6440af75
NVD status
Analyzed
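A first triage step is to compare the version running on each appliance against the fixed versions named in the description. The Python below is an added example (not code from this page, Intruder, or Ivanti) that parses the major.minor R release.patch form of Ivanti version strings numerically and flags anything below the fixed release for each product, mirroring the "before version" wording above. The product names used as dictionary keys, the sample inventory and its hostnames are constructed for illustration; whether older branches such as 22.6 or 9.x are actually affected is not stated on this page and should be confirmed against Ivanti's advisory before this check is relied on.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions exactly as stated in the NVD description for CVE-2025-0282.
# The product names are the keys used by this example, not an Ivanti API.
FIXED_VERSIONS: Dict[str, str] = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA gateways": "22.7R2.3",
}

# <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5 or 9.1R18 (no patch).
# Trailing build annotations such as "(build 1234)" are not accepted here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse an Ivanti version string into a numerically comparable tuple.

    A missing patch number is treated as 0. The comparison must be numeric:
    a plain string comparison would rank '22.7R2.10' below '22.7R2.5'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_vulnerable(product: str, version: str) -> bool:
    """True when `version` is strictly before the fixed version for `product`."""
    try:
        fixed = FIXED_VERSIONS[product]
    except KeyError:
        raise ValueError(f"unknown product: {product!r}") from None
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames from a (hostname, product, version) inventory
    that still need the CVE-2025-0282 fix, in inventory order."""
    return [host for host, product, version in inventory
            if is_vulnerable(product, version)]


# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("vpn-edge-01", "Ivanti Connect Secure", "22.7R2.4"),
    ("vpn-edge-02", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-edge-03", "Ivanti Connect Secure", "22.7R2.10"),
    ("nac-01", "Ivanti Policy Secure", "22.7R1.1"),
    ("zta-gw-01", "Ivanti Neurons for ZTA gateways", "22.7R2.3"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2025-0282, upgrade required")
```

The numeric comparison is the point of the helper: a two-digit patch number such as 22.7R2.10 must sort above 22.7R2.5, which a lexical comparison of the raw strings gets wrong.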

Insights

Analysis from the Intruder Security Team
Published Jan 9, 2025

Buffer overflows such as this one require an advanced skill set, as well as time and knowledge, to exploit. In addition, the exploit must be tailored to the specific version being targeted (as noted by Google Mandiant).

The recommendation is to fix according to your usual critical patching schedule, but to prioritise it over other criticals, as this vulnerability has been added to CISA's KEV list. That said, given the complexity of this vulnerability class, we don't expect widespread exploitation.

Ivanti has released patching information. However, as Google Mandiant has pointed out, the recommendation to rely on Ivanti's Integrity Checker Tool (ICT) scanner appears to be flawed. To help with detecting compromise, Mandiant has released YARA rules for this vulnerability.

Risk scores

CVSS 3.1

Type
Primary
Base score
9.0
Impact score
6.0
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
Exploit added on
Jan 8, 2025
Exploit action due
Jan 15, 2025
Required action
Apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.

Weaknesses

3c1d8aa1-5a33-4ea4-8992-aadd6440af75
CWE-121 (Stack-based Buffer Overflow)
nvd@nist.gov
CWE-787 (Out-of-bounds Write)

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

31

  1. DslogdRAT malware deployed in attacks in Japan using the Ivanti ICS zero-day vulnerability CVE-2025-0282 https://t.co/UJxl2J3KHt #Security #セキュリティ #ニュース

    @SecureShield_

    26 Apr 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. New Post: DslogdRAT malware deployed via Ivanti ICS zero-day CVE-2025-0282 in attacks in Japan https://t.co/wQ1l2h9OdS

    @hualkana

    25 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    25 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. DslogdRAT Malware Deployed via Ivanti ICS Zero-Day CVE-2025-0282 in Japan Attacks. Cybersecurity researchers are warning about a new malware called DslogdRAT that's installed following the exploitation of a... https://t.co/FzBJEmjE2f #InceptusSecure #UnderOurProtection

    @Inceptus3

    25 Apr 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. DslogdRAT Malware Deployed via Ivanti ICS Zero-Day CVE-2025-0282 in Japan Attacks https://t.co/0ImqVjh2w5 https://t.co/jjjonT4jwu

    @talentxfactor

    25 Apr 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 📍DslogdRAT Malware Deployed via Ivanti ICS Zero-Day CVE-2025-0282 in Japan Attacks https://t.co/6j6YrWxyW5

    @cyberetweet

    25 Apr 2025

    17 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨 New Ivanti ICS Attacks Detected! DslogdRAT malware used in real-world attacks after hackers exploited CVE-2025-0282 (zero-day). First hit Japan 🇯🇵 in Dec 2024 — now global scanning surges 9X in 24 hrs. 🔹 270+ IPs scanning Ivanti 🔹 255 confirmed malicious

    @TheHackersNews

    25 Apr 2025

    9667 Impressions

    23 Retweets

    64 Likes

    7 Bookmarks

    0 Replies

    0 Quotes

  8. #threatreport #LowCompleteness Malware DslogdRAT installed in Ivanti Connect Secure | 24-04-2025 Source: https://t.co/MVUfq1t95w Key details below ↓ 🧑‍💻Actors/Campaigns: Unc5221 💀Threats: Dslogdrat, Spawnchimera, Spawnsnare_tool, Resurge, 🌐Geo: China 🔓CVEs: CVE-2025-0282

    @rst_cloud

    25 Apr 2025

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  9. 🚨 New malware DslogdRAT targets Ivanti Connect Secure VPNs via a Perl web shell, enabling remote command execution and stealthy operations. CVE-2025-0282 is being actively exploited. 🔒💻 #Ivanti #MalwareAlert #USA link: https://t.co/r75XG04owN https://t.co/xyE4M8zeNv

    @TweetThreatNews

    24 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. A dangerous new RAT malware, DslogdRAT, is exploiting a zero-day (CVE-2025-0282) in Ivanti Connect Secure. Here's what you need to know to stay protected. 🛡️ #CyberSecurity #MalwareAnalysis #Ivanti #CVE20250282 https://t.co/CdKYa9Mdl1

    @threatsbank

    24 Apr 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. A recent report highlights the installation of DslogdRAT malware in Ivanti Connect Secure, exploiting a zero-day vulnerability (CVE-2025-0282) and enabling attackers to execute commands via a web shell in attacks against Japanese organizations. #CyberSec… https://t.co/MbDUi3uGON

    @Cyber_O51NT

    24 Apr 2025

    428 Impressions

    1 Retweet

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Blog post published on JPCERT/CC Eyes: "DslogdRAT malware installed on Ivanti Connect Secure". It explains the web shell and the DslogdRAT malware that were installed through attacks on domestic organisations around December 2024 using CVE-2025-0282, which was a zero-day vulnerability at the time. ^KI https://t.co/IQ87b6wpzv

    @jpcert

    24 Apr 2025

    6520 Impressions

    32 Retweets

    57 Likes

    15 Bookmarks

    1 Reply

    0 Quotes

  13. Stack Overflow pre-auth RCE lying in Ivanti Connect Secure CVE-2025-0282 This vulnerability of stack-based buffer overflow lies in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version http

    @PPHM_HackerNews

    22 Apr 2025

    116 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Time for a CyberByte! A China-nexus APT group exploited critical stack buffer overflow vulnerabilities (CVE-2025-0282 and CVE-2025-22457) in Ivanti Connect Secure VPN appliances. The victims span nearly twenty different industries across twelve countries; the vulnerabilities htt

    @ITISAC

    15 Apr 2025

    134 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. A Chinese APT group is exploiting critical Ivanti VPN vulnerabilities (CVE-2025-0282/CVE-2025-22457) to carry out cyber-espionage attacks across 12 countries and roughly 20 industries worldwide. It uses the sophisticated "SPAWNCHIMERA" malware and stays hidden for long periods using detection-evasion techniques. https://t.co/SbLVUyGMOV

    @01ra66it

    14 Apr 2025

    816 Impressions

    2 Retweets

    17 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  16. TeamT5 reports that a China-linked APT group exploited critical vulnerabilities in Ivanti Connect Secure VPN (CVE-2025-0282 and CVE-2025-22457) to break into organisations across 12 countries and 20 industries.

    @yousukezan

    14 Apr 2025

    2063 Impressions

    3 Retweets

    14 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. A China-nexus APT group is breaking into multiple organisations by exploiting Ivanti Connect Secure VPN, according to a TeamT5 report. CVE-2025-0282 and CVE-2025-22457 were likely exploited. The group uses SPAWNCHIMERA, malware built specifically for Ivanti appliances and shared among Chinese actors. https://t.co/rUHoNRf7fb

    @__kokumoto

    14 Apr 2025

    3636 Impressions

    9 Retweets

    29 Likes

    16 Bookmarks

    1 Reply

    1 Quote

  18. A #vulnerability (CVE-2025-0282) in Ivanti ZTA gateways can enable #RCE and allow attackers to move laterally. Stay informed—read the full #CybersecurityThreatAdvisory now: https://t.co/fIsTvXTyhW

    @SmarterMSP

    7 Apr 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. Several serious cyberattacks over the past week. US CISA issued a warning about the "Resurge" malware, which exploits a zero-day vulnerability (CVE-2025-0282) in Ivanti VPN appliances. Another zero-day (CVE-2025-22457) had also been exploited by China-linked groups.

    @yousukezan

    7 Apr 2025

    688 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Ivanti Flaw CVE-2025-0282 Actively Exploited, Impacts Connect Secure and Policy Secure #CISO https://t.co/R2na6P2Pxb https://t.co/sgzSRnvUkh

    @compuchris

    6 Apr 2025

    133 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    2 Apr 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  22. CISA warns of Resurge malware linked to Chinese hackers exploiting Ivanti vulnerabilities (CVE-2025-0282). This threat can compromise system integrity and harvest credentials. 🚨 #Ivanti #MalwareAlert #China link: https://t.co/wZq4IXbgv5 https://t.co/PPgfQShJGy

    @TweetThreatNews

    2 Apr 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. New Malware: RESURGE China-linked hackers are exploiting Ivanti VPNs via CVE-2025-0282. 🛠️ RESURGE = rootkit + bootkit + web shell 🎯 Hits critical infrastructure 🔍 Linked to UNC5337 & Silk Typhoon Patch now | Ivanti <22.7R2.5 is vulnerable https://t.co/lzb8HyPWKP

    @MarcosCuadraRam

    2 Apr 2025

    74 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. 🚨 New Malware: RESURGE China-linked hackers are exploiting Ivanti VPNs via CVE-2025-0282. 🛠️ RESURGE = rootkit + bootkit + web shell 🎯 Hits critical infrastructure 🔍 Linked to UNC5337 & Silk Typhoon Patch now | Ivanti <22.7R2.5 is vulnerable https://t.co/aFDbeOhBN5

    @achi_tech

    2 Apr 2025

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    1 Apr 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  26. 🔒 CISA warns of the RESURGE malware targeting Ivanti Connect Secure devices, exploiting CVE-2025-0282. It can manipulate files and create web shells while using SSH tunnels. #RESURGE #MalwareAlert #USA link: https://t.co/X19na9FoB0 https://t.co/ZwrJwkmS4N

    @TweetThreatNews

    31 Mar 2025

    78 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. New RESURGE malware exploits Ivanti flaw CVE-2025-0282 with rootkit and web shell features. Organizations must patch systems and enhance security measures. #CyberSecurity #RESURGE #IvantiVulnerability https://t.co/DQRvIZgka1 https://t.co/uxgX5X4ay7

    @dailytechonx

    31 Mar 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. CISA has released indicators of compromise, detection signatures, and updated mitigation advice for rooting out a newly identified malware variant used by the attackers who breached Ivanti Connect Secure VPN appliances in December 2024 by exploiting the CVE-2025-0282 zero-day.

    @cybertzar

    31 Mar 2025

    39 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  29. 🔴 RESURGE Malware Alert! CISA has identified a new malware variant, RESURGE, exploiting CVE-2025-0282 in Ivanti Connect Secure appliances. Organizations must: ✔️ Factory reset affected devices ✔️ Reset all credentials ✔️ Limit admin access #Darkweb https://t.co/ZF7G3lwjoe https:

    @godeepweb

    31 Mar 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    31 Mar 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  31. CISA warns of RESURGE #malware exploiting CVE-2025-0282 in Ivanti Connect Secure appliances. RESURGE enables credential harvesting, account creation, and privilege escalation☝️🤖 #hacking https://t.co/h7lMGFAG39

    @manuelbissey

    31 Mar 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    31 Mar 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  33. 🚨 Urgent Alert: New Malware “RESURGE” 🇨🇳 China-linked hackers exploit Ivanti VPNs (CVE-2025-0282). RESURGE: rootkit + bootkit + web shell. Targets critical below. Ivanti NOW patch (<22.7R2.5)! #Cybersecurity #Malware #Ivanti #ThreatIntel 🛠️🔍🎯 https://t.co/RiKmec5F4n

    @CyberWolfGuard

    30 Mar 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    30 Mar 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  35. 🚨 New Malware: RESURGE China-linked hackers are exploiting Ivanti VPNs via CVE-2025-0282. 🛠️ RESURGE = rootkit + bootkit + web shell 🎯 Hits critical infrastructure 🔍 Linked to UNC5337 & Silk Typhoon Patch now | Ivanti <22.7R2.5 is vulnerable Full CISA alert: https:

    @TheHackersNews

    30 Mar 2025

    18615 Impressions

    39 Retweets

    105 Likes

    25 Bookmarks

    0 Replies

    0 Quotes

  36. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    30 Mar 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  37. CISA and NetApp: RESURGE malware and critical vulnerabilities in SnapCenter. Information security, buffer overflow, cisa, Coreboot, CVE-2025-0282, CVE-2025-26512, escalation, Ivanti, malware, MAR, NetApp, RESURGE, SnapCenter, vulnerability https://t.co/eDJQzjAuYg https://t.co/Ci65OtBxB

    @matricedigitale

    29 Mar 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. CISA warns of malware linked to Ivanti Connect Secure breach via CVE-2025-0282. Key files include RESURGE, capable of SSH tunneling & file manipulation. Impacting critical infrastructure. 🇺🇸 #InfoSec #MalwareAnalysis #InfraThreats link: https://t.co/XlcUQjthoP https://t.co

    @TweetThreatNews

    29 Mar 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  39. 🚨 We published a report on RESURGE, a new malware variant affecting Ivanti Connect Secure & exploiting CVE-2025-0282. RESURGE contains distinctive commands that pose significant risk of adversary access. Take action to secure your systems. Learn more 👉 https://t.co/pAgEOEeR

    @CISACyber

    28 Mar 2025

    5784 Impressions

    19 Retweets

    44 Likes

    10 Bookmarks

    0 Replies

    2 Quotes

  40. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    28 Mar 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  41. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    27 Mar 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  42. Urgent Backdoor Alert! Take immediate action to patch Ivanti Connect Secure devices against CVE-2025-0282. #CyberSecurity #Vulnerability #PatchNow https://t.co/guxJ2EoVV2

    @RedOracle

    23 Mar 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  43. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    23 Mar 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  44. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    22 Mar 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    21 Mar 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  46. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    16 Mar 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  47. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    15 Mar 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  48. New Ivanti flaw exploited 🔍 CVE-2025-0282 in Ivanti allows unauthenticated RCE. Chinese group suspected. Same scenario in 2025. #Cybersecurity #Ivanti Link ⬇️

    @FortiWell

    15 Mar 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  49. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    15 Mar 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  50. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    14 Mar 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

Configurations