CVE-2025-0282

Published Jan 8, 2025

Last updated 15 days ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-0282 is a stack-based buffer overflow vulnerability that affects several Ivanti network appliances, including Ivanti Connect Secure (versions prior to 22.7R2.5), Ivanti Policy Secure (versions prior to 22.7R1.2), and Ivanti Neurons for ZTA gateways (versions prior to 22.7R2.3). This vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on affected systems. Exploitation of this vulnerability was first observed in mid-December 2024, and Ivanti disclosed the vulnerability on January 8, 2025. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog. It appears the vulnerability is related to the handling of IFT (IF-T) connections.

Description
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
Source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
NVD status: Analyzed

Insights

Analysis from the Intruder Security Team
Published Jan 9, 2025

Buffer overflows such as this one require an advanced skill set, as well as time and knowledge, to exploit. In addition, the exploit must be specific to the targeted version (as noted by Google Mandiant).

The recommendation is to fix according to your usual critical patching schedule, but prioritise it over other criticals as this vulnerability has been added to the KEV list. That said, due to the complexity of this vulnerability class, we don't expect widespread exploitation.

Patching information has been released by Ivanti. However, the recommendation to use Ivanti's ICT scanner appears to be flawed, as pointed out by Google Mandiant. To help with detecting compromises, Mandiant has released YARA rules for this vulnerability.

Risk scores

CVSS 3.1

Type: Primary
Base score: 9
Impact score: 6
Exploitability score: 2.2
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL

Known exploits

Data from CISA

Vulnerability name: Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
Exploit added on: Jan 8, 2025
Exploit action due: Jan 15, 2025
Required action: Apply mitigations as set forth in the CISA instructions linked below, to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.

Weaknesses

3c1d8aa1-5a33-4ea4-8992-aadd6440af75: CWE-121 (Stack-based Buffer Overflow)
nvd@nist.gov: CWE-787 (Out-of-bounds Write)

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 1

  1. 🔒 CISA warns of the RESURGE malware targeting Ivanti Connect Secure devices, exploiting CVE-2025-0282. It can manipulate files and create web shells while using SSH tunnels. #RESURGE #MalwareAlert #USA link: https://t.co/X19na9FoB0 https://t.co/ZwrJwkmS4N

    @TweetThreatNews

    31 Mar 2025

    78 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. New RESURGE malware exploits Ivanti flaw CVE-2025-0282 with rootkit and web shell features. Organizations must patch systems and enhance security measures. #CyberSecurity #RESURGE #IvantiVulnerability https://t.co/DQRvIZgka1 https://t.co/uxgX5X4ay7

    @dailytechonx

    31 Mar 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CISA has released indicators of compromise, detection signatures, and updated mitigation advice for rooting out a newly identified malware variant used by the attackers who breached Ivanti Connect Secure VPN appliances in December 2024 by exploiting the CVE-2025-0282 zero-day.

    @cybertzar

    31 Mar 2025

    39 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🔴 RESURGE Malware Alert! CISA has identified a new malware variant, RESURGE, exploiting CVE-2025-0282 in Ivanti Connect Secure appliances. Organizations must: ✔️ Factory reset affected devices ✔️ Reset all credentials ✔️ Limit admin access #Darkweb https://t.co/ZF7G3lwjoe https:

    @godeepweb

    31 Mar 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    31 Mar 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  6. CISA warns of RESURGE #malware exploiting CVE-2025-0282 in Ivanti Connect Secure appliances. RESURGE enables credential harvesting, account creation, and privilege escalation☝️🤖 #hacking https://t.co/h7lMGFAG39

    @manuelbissey

    31 Mar 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    31 Mar 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  8. 🚨 Urgent Alert: New Malware “RESURGE” 🇨🇳 China-linked hackers exploit Ivanti VPNs (CVE-2025-0282). RESURGE: rootkit + bootkit + web shell. Targets critical below. Ivanti NOW patch (<22.7R2.5)! #Cybersecurity #Malware #Ivanti #ThreatIntel 🛠️🔍🎯 https://t.co/RiKmec5F4n

    @CyberWolfGuard

    30 Mar 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    30 Mar 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  10. 🚨 New Malware: RESURGE China-linked hackers are exploiting Ivanti VPNs via CVE-2025-0282. 🛠️ RESURGE = rootkit + bootkit + web shell 🎯 Hits critical infrastructure 🔍 Linked to UNC5337 & Silk Typhoon Patch now | Ivanti <22.7R2.5 is vulnerable Full CISA alert: https:

    @TheHackersNews

    30 Mar 2025

    18615 Impressions

    39 Retweets

    105 Likes

    25 Bookmarks

    0 Replies

    0 Quotes

  11. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    30 Mar 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  12. CISA and NetApp: RESURGE malware and critical vulnerabilities in SnapCenter. Information Security, buffer overflow, cisa, Coreboot, CVE-2025-0282, CVE-2025-26512, escalation, Ivanti, malware, MAR, NetApp, RESURGE, SnapCenter, vulnerabilities https://t.co/eDJQzjAuYg https://t.co/Ci65OtBxB

    @matricedigitale

    29 Mar 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. CISA warns of malware linked to Ivanti Connect Secure breach via CVE-2025-0282. Key files include RESURGE, capable of SSH tunneling & file manipulation. Impacting critical infrastructure. 🇺🇸 #InfoSec #MalwareAnalysis #InfraThreats link: https://t.co/XlcUQjthoP https://t.co

    @TweetThreatNews

    29 Mar 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. 🚨 We published a report on RESURGE, a new malware variant affecting Ivanti Connect Secure & exploiting CVE-2025-0282. RESURGE contains distinctive commands that pose significant risk of adversary access. Take action to secure your systems. Learn more 👉 https://t.co/pAgEOEeR

    @CISACyber

    28 Mar 2025

    5784 Impressions

    19 Retweets

    44 Likes

    10 Bookmarks

    0 Replies

    2 Quotes

  15. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    28 Mar 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  16. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    27 Mar 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  17. Urgent Backdoor Alert! Take immediate action to patch Ivanti Connect Secure devices against CVE-2025-0282. #CyberSecurity #Vulnerability #PatchNow https://t.co/guxJ2EoVV2

    @RedOracle

    23 Mar 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    23 Mar 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  19. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    22 Mar 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    21 Mar 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  21. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    16 Mar 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  22. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    15 Mar 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  23. New Ivanti flaw exploited 🔍 CVE-2025-0282 in Ivanti allows unauthenticated RCE. Chinese group suspected. Same scenario in 2025. #Cybersecurity #Ivanti Link ⬇️

    @FortiWell

    15 Mar 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  24. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    15 Mar 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  25. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    14 Mar 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  26. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    10 Mar 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  27. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    9 Mar 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  28. #threatreport #LowCompleteness Darktrace's Early Detection of the Latest Ivanti Exploits | 08-03-2025 Source: https://t.co/k2bi14e2uE Key details below ↓ 🧑‍💻Actors/Campaigns: C0met 🔓CVEs: CVE-2025-0282 [Vulners](https://t.co/fcda2avlMh) - CVSS V3.1: *9.0*, - Vulners:…

    @rst_cloud

    8 Mar 2025

    32 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  29. 🚨 China-backed Silk Typhoon is shifting tactics! Now targeting IT supply chains via stolen API keys & cloud app credentials. They hit MSPs, healthcare, govt & more. Key exploits: Ivanti VPN (CVE-2025-0282), Palo Alto firewalls (CVE-2024-3400), Citrix (CVE-2023-3519).

    @hacktoria

    7 Mar 2025

    376 Impressions

    2 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    1 Quote

  30. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    7 Mar 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  31. Unauthenticated Remote Code Execution vulnerability in Ivanti Secure (VPN) (CVE-2025-0282) … #infosec #ivanti https://t.co/yyOe0Nctiz

    @k1ngware

    28 Feb 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. Malware named SPAWNCHIMERA has been released that exploits the vulnerability in Ivanti Connect Secure identified as CVE-2025-0282, which is a buffer overflow. To protect against this type of threat, update your services and applications. https://t.co/Poz3aKYxT1 https

    @AmirHossein_sec

    26 Feb 2025

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. ⚠️ Vulnerability Alert: Ivanti Connect Secure Zero-Day Vulnerability 📅 Timeline: Disclosure: 2025-01-24, Patch: TBD 📌 Attribution: Shadowserver Foundation 🆔cveId: CVE-2025-0282 📊baseScore: 9.8 📏cvssMetrics: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvssSeverity: Critical 🔴… h

    @syedaquib77

    26 Feb 2025

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. Unauthenticated Remote Code Execution vulnerability in Ivanti Secure (VPN) (CVE-2025-0282) https://t.co/g7Xg4ib4HC #infosec #ivanti https://t.co/1NHZRMEZ6r

    @0xor0ne

    25 Feb 2025

    5062 Impressions

    40 Retweets

    147 Likes

    45 Bookmarks

    0 Replies

    0 Quotes

  35. The SPAWNCHIMERA malware is exploiting the Ivanti Connect Secure vulnerability (CVE-2025-0282) with enhanced tactics. Multiple cases confirmed in Japan. ⚠️ #Ivanti #Malware #JapanCybersecurity link: https://t.co/FELndPyHc2 https://t.co/UhfskB5FqK

    @TweetThreatNews

    20 Feb 2025

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. #100DaysofYARA Day 49 Detects SPAWNSLOTH, a Linux based Log Tampering Utility that was also reported to be used to target Ivanti Connect Secure VPN in a New Zero-Day Exploitation (CVE-2025-0282) by 🇨🇳 Threat Cluster UNC5221 🐧 https://t.co/rP2RfxrZmi https://t.co/dMBM6HMwiG

    @RustyNoob619

    18 Feb 2025

    772 Impressions

    3 Retweets

    14 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  37. SPAWNCHIMERA malware is exploiting the Ivanti zero-day vulnerability (CVE-2025-0282), posing a critical security risk. More details: https://t.co/l5OXod4MPC #CyberSecurity #Malware

    @adriananglin

    17 Feb 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. SPAWNCHIMERA: New Malware Exploits Ivanti Zero-Day Flaw (CVE-2025-0282) https://t.co/ahWtp3UPyr

    @Dinosn

    17 Feb 2025

    2945 Impressions

    5 Retweets

    18 Likes

    7 Bookmarks

    0 Replies

    0 Quotes

  39. [Security News] Ivanti vulnerability also exploited in Japan since late December - malware includes a patching function: Security NEXT https://t.co/uBpJYgocRO "Regarding the vulnerability CVE-2025-0282 disclosed in Ivanti Connect Secure (ICS), it has been found that attacks in Japan have been occurring since late December 2024."

    @Syynya

    14 Feb 2025

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. [Update] We have updated the alert regarding the vulnerability (CVE-2025-0282) in Ivanti Connect Secure and other products. JPCERT/CC has confirmed multiple cases in Japan in which this vulnerability was exploited from late December 2024, before it was publicly disclosed. Users of the affected products should also investigate whether they have been compromised. ^KK https://t.co/gdUnM50ZVY

    @jpcert

    13 Feb 2025

    3708 Impressions

    10 Retweets

    13 Likes

    1 Bookmark

    0 Replies

    1 Quote

  41. JPCERT/CC researchers show how the CVE-2025-0282 vulnerability in Ivanti Connect Secure led to an updated version of the SPAWN family. The SPAWNCHIMERA malware combines the updated functions of SPAWNANT, SPAWNMOLE and SPAWNSNAIL into one. https://t.co/7GWR0xjGw1 https://t.co/22JY

    @virusbtn

    12 Feb 2025

    2103 Impressions

    11 Retweets

    34 Likes

    10 Bookmarks

    0 Replies

    0 Quotes

  42. JPCERT/CC explains SPAWNCHIMERA, malware installed by exploiting the Ivanti Connect Secure vulnerability CVE-2025-0282. ^YM https://t.co/xzSJX2TbGg

    @jpcert_ac

    12 Feb 2025

    2257 Impressions

    14 Retweets

    16 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  43. Exploiting an unauthenticated Remote Code Execution vulnerability in Ivanti Secure (VPN) (CVE-2025-0282) https://t.co/eK2xJcAGTz… #cybersecurity #ivantill https://t.co/DjsUjtYWVa

    @excellenc_e

    11 Feb 2025

    477 Impressions

    0 Retweets

    7 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  44. Hey! Ivanti's new VPN zero-day (CVE-2025-0282) is a *stack-based buffer overflow*! Experts say patch AND factory reset. Nuke it from orbit! #cybersecurity https://t.co/SWh5X23Ksc

    @storagetechnews

    9 Feb 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. Actively exploited CVE : CVE-2025-0282

    @transilienceai

    6 Feb 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  46. Ivanti Connect Secure software vulnerability | CVE-2025-0282 - Stormshield https://t.co/6eQ5Ct3x2u #PreventionInternet #Cybersécurité

    @Prevention_web

    4 Feb 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  47. Exploiting an unauthenticated Remote Code Execution vulnerability in Ivanti Secure (VPN) (CVE-2025-0282) https://t.co/g7Xg4ib4HC #cybersecurity #ivanti https://t.co/J7Nevy5dwf

    @0xor0ne

    3 Feb 2025

    7121 Impressions

    58 Retweets

    221 Likes

    82 Bookmarks

    1 Reply

    0 Quotes

  48. Top 5 Trending CVEs: 1 - CVE-2024-8381 2 - CVE-2024-10487 3 - CVE-2025-24118 4 - CVE-2025-24162 5 - CVE-2025-0282 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    2 Feb 2025

    259 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  49. Ivanti Connect Secure CVE-2025-0282 https://t.co/5pUHvitq9I

    @y1659rsgh

    31 Jan 2025

    25 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    1 Reply

    1 Quote

  50. ⚡CVE-2025-0282 Exploit Thousands of targets are still vulnerable. #CyberNews https://t.co/phpeWP3drz

    @dilagrafie

    31 Jan 2025

    302 Impressions

    2 Retweets

    7 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

Configurations