Ivanti zero day exploited in the wild - attacks started mid-December

Previously unseen malware being deployed, and UK's NCSC is "investigating cases of active exploitation affecting UK networks"

Ivanti zero day CVE-2025-0282 exploited

A zero day affecting a trio of Ivanti products is being exploited in the wild. 

Tracked as CVE-2025-0282, the vulnerability allows unauthenticated remote code execution; attacks on Ivanti Connect Secure customers were confirmed by the American cybersecurity vendor today.

Mandiant said exploitation in the wild began mid-December 2024.

Among anti-forensic and persistence measures, the attackers are "rendering a fake HTML upgrade progress bar while silently blocking the legitimate upgrade process" according to analysis by Mandiant's threat researchers.

The CVSS 9.0 vulnerability affects Ivanti Connect Secure (ICS), Ivanti Policy Secure, and Ivanti Neurons. An emergency patch resolves it for the former in firmware version 22.7R2.5. Patches for the latter two products will not land until January 21, an Ivanti security bulletin said.

Ivanti describes ICS as “the most widely adopted SSL VPN by organizations of every size, across every major industry…”

NCSC investigating UK exploitation

The UK’s NCSC said it is “working to fully understand the UK impact and investigating cases of active exploitation affecting UK networks…”

Ivanti said: “We are aware of a limited number of customers’ Ivanti Connect Secure appliances being exploited by CVE-2025-0282... We are not aware of these CVEs being exploited in Ivanti Policy Secure or ZTA gateways. We are not aware of any exploitation of CVE-2025-0283 at the time of disclosure,” the last sentence referring to a second new vulnerability.

Mandiant, however, said it is "currently performing analysis of multiple compromised Ivanti Connect Secure appliances from multiple organizations" and that it has identified "previously unobserved malware families from additional compromised appliances, tracked as DRYHOOK and PHASEJAM that are currently not yet linked to a known group" being used alongside other known malware in attacks.

Ivanti said in a January 8 blog: “Threat actor activity was identified by the Integrity Checker Tool (ICT) on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix. We continue to work closely with affected customers, external security partners, and law enforcement agencies as we respond to this threat.”

But it also said "We appreciate the collaboration and partnership of Mandiant and MSTIC as we responded to this threat" and thanked "customers and security partners for their engagement and support, which enabled our swift detection and response to this issue."

The NCSC added that customers should take these priority actions:

“Run the Ivanti external Integrity Checker Tool (ICT). The ICT offers a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if the appliance has been returned to a clean state. The ICT does not scan for malware or indicators of compromise.”

“If you believe you have been compromised and are in the UK, you should report it to the NCSC” it said, adding that “before installing [the latest security update] the vendor recommends performing a factory reset.”

See the NCSC’s advisory or Ivanti’s advisory for further guidance. 

Mandiant said:

While there are several variations during the exploitation of CVE-2025-0282, the exploit and script generally performs the following steps:

  1. Disable SELinux
  2. Prevent syslog forwarding
  3. Remount the drive as read-write
  4. Write the script
  5. Execute the script
  6. Deploy one or more web shells
  7. Use sed to remove specific log entries from the debug and application logs
  8. Reenable SELinux
  9. Remount the drive

Immediately after exploitation the threat actor disables SELinux, uses iptables to block syslog forwarding, and remounts the root partition to enable writing of malware to the appliance – Mandiant.
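The three steps Mandiant lists first (SELinux disabled, syslog forwarding blocked with iptables, root partition remounted read-write) are visible to defenders in two places: in whatever log lines still reach a central collector before forwarding is cut, and in the silence that follows. The script below is an added example, not Ivanti or Mandiant code, of triaging forwarded syslog for both signals. The log format, the host name `ics-gw1`, the sample lines and the indicator regexes are all constructed assumptions; real appliance log vocabulary will differ and the patterns should be tuned to it.

```python
"""Triage forwarded syslog for the post-exploitation steps described above:
SELinux disabled, syslog forwarding blocked with iptables, root filesystem
remounted read-write, plus the per-host silence a blocked forwarder produces.
Added example; not Ivanti or Mandiant code. Log format and patterns are assumed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of syslog forwarded to a central collector (invented for
# illustration; not real appliance output). Appliance "ics-gw1" goes quiet for
# roughly 52 minutes after the suspicious commands, which is what blocked
# forwarding looks like from the collector's side.
SAMPLE_SYSLOG = """\
2025-01-06T10:00:00Z ics-gw1 web: user alice authenticated from 203.0.113.10
2025-01-06T10:00:01Z ics-gw1 web: user bob authenticated from 203.0.113.11
2025-01-06T10:00:05Z ics-gw1 kernel: audit: type=1404 enforcing=0 old_enforcing=1 auid=0
2025-01-06T10:00:06Z ics-gw1 sh: /sbin/iptables -I OUTPUT -p udp --dport 514 -j DROP
2025-01-06T10:00:07Z ics-gw1 sh: mount -o remount,rw /
2025-01-06T10:52:00Z ics-gw1 web: user carol authenticated from 203.0.113.12
"""

# Generic Linux indicators for the three steps (assumed patterns; tune them to
# the real appliance's log vocabulary). A kernel MAC_STATUS audit record reports
# an enforcing-mode change as "enforcing=0 old_enforcing=1".
INDICATOR_RULES = [
    ("selinux_disabled",
     re.compile(r"enforcing=0 old_enforcing=1|setenforce\s+0|SELinux:\s+disabled", re.I)),
    ("syslog_forwarding_blocked",
     re.compile(r"iptables.*\b514\b.*\b(?:DROP|REJECT)\b")),
    ("root_remounted_rw",
     re.compile(r"\bremount\b.*\brw\b")),
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")  # timestamp host message


def parse_line(line):
    """Split one forwarded line into (timestamp, host, message); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3)


def triage(log_text, max_gap=timedelta(minutes=10)):
    """Return (kind, host, detail) findings in log order.

    Two kinds of signal: message-content matches from INDICATOR_RULES, and a
    per-host silence longer than max_gap. The silence survives even when the
    on-box logs were later cleaned with sed, because it is observed at the
    collector rather than on the appliance.
    """
    findings = []
    last_seen = {}  # host -> timestamp of the previous forwarded line
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, host, msg = parsed
        prev = last_seen.get(host)
        if prev is not None and ts - prev > max_gap:
            findings.append(("forwarding_gap", host,
                             f"no lines for {ts - prev} (after {prev.isoformat()})"))
        last_seen[host] = ts
        for kind, pattern in INDICATOR_RULES:
            if pattern.search(msg):
                findings.append((kind, host, msg))
    return findings


if __name__ == "__main__":
    for kind, host, detail in triage(SAMPLE_SYSLOG):
        print(f"{host}: {kind}: {detail}")
```

The gap check is the part worth keeping even if the content patterns never fire: an appliance that normally forwards steadily and then stops is a finding in its own right, and it is the one signal the attacker's later log cleaning on the box cannot remove.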

Ivanti zero day exploitation: Jan 2025, 2024...

If this all sounds achingly familiar, well, something similar happened in January 2024, when Ivanti zero day exploitation led to successful attacks on “some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals” Volexity said at the time.

Ivanti CEO Jeff Abbott, meanwhile, promised in March 2024 a focus on product security after multiple zero days in its SSL VPN appliances were exploited in the wild; tens of thousands of customers were breached. (Weeks after one set of attacks last year, 13,000 appliances remained unpatched.)

Subsequent analysis of the Ivanti Pulse Secure product showed that it was built with a vast number of end-of-life software packages and shipped with 973 known vulnerabilities across its underlying code base. The security appliances also ran on an 11-year-old, EOL operating system.

"We have no indication that CVE-2025-0283 is being exploited or chained with CVE-2025-0282. As we were conducting our threat hunting, we also discovered the vulnerability being disclosed as CVE-2025-0283 and included it in the patch as well," Ivanti said. It added: "Thank you to our customers and security partners for their engagement and support, which enabled our swift detection and response to this issue. We remain committed to continuously improving our products and processes through collaboration and transparency with our stakeholders and the broader security ecosystem."

More details on the website to follow as we have them. 

See also: Sophos attackers breached intelligence agency, wrote code to survive firmware updates
