CVE-2025-0282
published 2025-01-08


Priority: P1 (100) · Severity: critical · CVSS 3.1 base score: 9
CVSS vector: AV:N / AC:H / PR:N / UI:N / S:C / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (due 2025-01-15)
Exploited in the wild
EPSS: 99.97% (100.0th percentile)
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.

Affected (6 ranges)

Vendor | Product | Version range | Fixed in
ivanti | connect_secure | (not listed) | (not listed)
ivanti | connect_secure | 22.7R2 – 22.7R2.4 | (not listed)
ivanti | neurons_for_zero-trust_access | (not listed) | (not listed)
ivanti | neurons_for_zta_gateways | 22.7R2 – 22.7R2.3 | (not listed)
ivanti | policy_secure | (not listed) | (not listed)
ivanti | policy_secure | 22.7R1 – 22.7R1.2 | (not listed)

Detection & IOCs (extracted from sources)

filename: libdsupgrade.so
filename: liblogblock.so
filename: dsmain
filename: ldap.pl
filename: package.dll
filename: vixDiskLib.dll
filename: deelevator64.dll
filename: msbuild.lnk
filename: mini.xml
filename: error.dat
filename: temp.log
path: C:\Users\Public\Music\package.dll
path: C:\Users\Public\Downloads\VM.txt
path: /data/runtime/logs/log.events.vc0
path: /root/home/lib/libsshd.so
path: /root/home/lib/libsocks5.so
path: /root/lib/libupgrade.so
path: /tmp/.liblogblock.so
path: /tmp/s
path: /home/webserver/htdocs/dana-na/auth/getComponent.cgi
path: /home/webserver/htdocs/dana-na/auth/restAuth.cgi
registry: DcomSrv
other: Scheduled task named /mail
bytes: XOR key 0x27
  • Use the forged/fake Ivanti certificate sent unencrypted over the internet as a network signature to detect active RESURGE compromise.
  • Check for the misspelled string 'DCOMLIENT' (missing 'C') in DLL binaries as an indicator of the malicious vixDiskLib.dll backdoor.
  • Monitor for svchost.exe spawned in a suspended state followed by process hollowing, as used by the vixDiskLib.dll/deelevator64.dll backdoor to load decrypted payloads.
  • Check for absence or deletion of /var/cores directory contents and deletion of /data/runtime/logs/log.events.vc0 and /data/var/dlogs/debuglog as anti-forensic indicators on Ivanti appliances.
  • Detect attacker reconnaissance phase by monitoring for URL queries to ICS appliances designed to enumerate the appliance version, originating from VPS providers or Tor networks.
  • Alert on SELinux being disabled or filesystem remounted on Ivanti Connect Secure appliances as a post-exploitation preparation step.
  • Monitor for nmap and dig execution on compromised Ivanti appliances as indicators of internal network reconnaissance post-exploitation.
  • The fake Ivanti certificate used by RESURGE is only for authentication/verification and is not used to encrypt communication, but it does impersonate the legitimate server to evade detection.
  • Unit 42 tracks this activity as CL-UNK-0979 and notes overlaps with Mandiant's UNC5337, but has not confirmed they are the same threat actor group.

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v3.1 | 9.0 | CRITICAL | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck | (not listed) | 9.0 | CRITICAL | (not listed)
cisa | (not listed) | 9.0 | CRITICAL | (not listed)