CVE-2025-0283
Published: 2025-01-08
Priority: P1 · 81 · high · CVSS 3.1: 7.0
CVSS 3.1 vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · Exploit · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 17.11% (96.7th percentile)
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.
Affected
16 ranges (only the ranges carrying version data are listed below; the remaining entries for the same products give no version range or fixed version)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | connect_secure | < 9.1 | 9.1 |
| ivanti | connect_secure | >= 22.2 < 22.7 | 22.7 |
| ivanti | policy_secure | < 22.7 | 22.7 |
| ivanti | neurons_for_zero-trust_access | — | — |
Detection & IOCs (extracted from sources)
- Look for IFT/IF-T connection errors in the Ivanti appliance debug.log file as a precursor indicator of CVE-2025-0282 exploitation attempts, especially from Tor or NordVPN exit nodes.
- Detect the misspelled string 'DCOMLIENT' (missing 'S') embedded in the vixDiskLib.dll binary as a unique indicator for this malware family.
- Monitor for MSBuild.exe (LOLBIN) being used to compile and execute code from mini.xml, followed by creation of package.dll in C:\Users\Public\Music\.
- Monitor for svchost.exe spawned in a suspended state followed by process hollowing, as the DLL sideloading malware uses this technique to load decrypted payloads.
- Check for a scheduled task named '/mail' used for persistence to execute DeElevate64.exe and sideload deelevator64.dll.
- Use the Shodan query 'http.title:"ivanti connect secure"' to identify exposed Ivanti Connect Secure appliances for proactive asset discovery.
- Attackers perform version reconnaissance by querying specific ICS URLs before exploitation; monitor for sequential GET requests to /dana-na/auth/ and /dana/home/ paths from external IPs.
- Post-exploitation, monitor for SELinux being disabled and the filesystem remounted on Ivanti appliances as preparation for malware deployment.
- Note: CVE-2025-0283 (local privilege escalation) shares the same affected version ranges as CVE-2025-0282 (remote RCE). No in-the-wild exploitation of CVE-2025-0283 specifically has been confirmed; all active exploitation observed is attributed to CVE-2025-0282.
- Note: Active exploitation has only been observed on Ivanti Connect Secure appliances; Policy Secure and ZTA Gateways have not been observed exploited in the wild.
- Note: The Nuclei detection template for CVE-2025-0282/CVE-2025-0283 performs passive version fingerprinting only and does not confirm active exploitation; it checks version strings extracted from web UI responses.
CVSS provenance
- NVD (v3.1): 7.0 HIGH, CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.0 CRITICAL
- CISA: 9.0 CRITICAL
GHSA
GHSA-j5g5-c424-7xqg (ghsa_unreviewed · 2025-01-09) · CVE-2025-0283 [HIGH] CWE-121
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.
VulnCheck
Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
vulncheck · 2025 · CVSS 9.0 · CVE-2025-0282 [CRITICAL] CWE-121
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution.
Affected: Ivanti Connect Secure, Policy Secure, and ZTA Gateways
Required Action: Apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.
Known Ransomware Campaign Use: Known
Exploitation References: https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day; https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gatewa
VulnCheck
Ivanti Connect Secure, Policy Secure, and Neurons stack-based buffer overflow
vulncheck · 2025 · CVSS 7.0 · CVE-2025-0283 [HIGH]
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
Affected: Ivanti Connect Secure, Policy Secure, and Neurons
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.ncsc.gov.uk/news/active-exploitation-ivanti-vulnerabilities; https://www.wiz.io/blog/cve-2025-0282-and-cve-2025-0283-critical-ivanti-0days-exploited-in-the-wild; http
Ivanti
Ivanti Security Advisory: CVE-2025-0283
vendor_ivanti · 2025-01-08 · CVSS 7.0 · CVE-2025-0283 [HIGH] CWE-121
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.
CVE IDs: CVE-2025-0283
CVSS Base Score: 7.0
Severity: HIGH
CWEs: CWE-121, CWE-787
CISA
Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
cisa · 2025-01-08 · CVSS 9.0 · CVE-2025-0282 [CRITICAL] CWE-121
Affected: Ivanti Connect Secure, Policy Secure, and ZTA Gateways
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution.
Required Action: Apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.
Notes: CISA Mitigation Instructions: https://www.cisa.gov/cisa-mitigation-instructions-CVE-2025-0282 Additional References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-C
No detection rules found.
Nuclei
Ivanti Connect Secure - Stack-based Buffer Overflow
nuclei · CVSS 9.0 · CVE-2025-0282 [CRITICAL]
Ivanti Connect Secure < 22.7R2.5, Ivanti Policy Secure < 22.7R1.2, and Ivanti Neurons for ZTA gateways < 22.7R2.3 contain a stack-based buffer overflow in the clientCapabilities parameter handling. This vulnerability allows remote unauthenticated attackers to execute arbitrary code through IF-T TLS requests.
Template (only the `info` block of the template is reproduced on this page):

```yaml
id: CVE-2025-0282

info:
  name: Ivanti Connect Secure - Stack-based Buffer Overflow
  author: ritikchaddha
  severity: critical
  description: |
    Ivanti Connect Secure < 22.7R2.5, Ivanti Policy Secure < 22.7R1.2, and Ivanti Neurons for ZTA gateways < 22.7R2.3
    contain a stack-based buffer overflow in the clientCapabilities parameter handling. This vulnerability allows
    remote unauthenticated attackers to execute arbitrary code through IF-T TLS requests.
```
Wiz
Crying Out Cloud Newsletter - February 2025 | Wiz
blogs_wiz · 2025-02-06
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
Hype or no hype – Codefinger Ransomware Campaign Targeting S3 Buckets
Codefinger is a ransomware campaign that exploits AWS Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data in Amazon S3 buckets. While this campaign has sparked widespread concern, we argue that the panic is unwarranted. Many have focused on detecting unwanted SSE-C encryption as a mitigation strategy, but encryption is merely a tactic chosen by the attacker after gaining access—it is not the core issue. The real concern, which is neither new nor unique, is the use of compromised credential
Unit42
Threat Brief: CVE-2025-0282 and CVE-2025-0283 (Updated March 11)
blogs_unit42 · 2025-01-17 · CVSS 9.0 · CVE-2025-0282 [CRITICAL]
## Executive Summary
Unit 42 stopped monitoring this threat as well as updating this brief on March 11, 2025. Please refer to Ivanti's Security Advisory for the latest information.
On Jan. 8, 2025, Ivanti released a security advisory for two vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in its Connect Secure, Policy Secure and ZTA gateway products. This threat brief provides attack details that we observed in a recent incident response engagement to provide actionable intelligence to the community. These details can be used to further detect current attacks noted in the wild using CVE-2025-0282.
These Ivanti products are all appliances that facilitate remote connections into a network. As such, they are outward-facing assets that attackers could target to infiltrate a network.
CVE-
Unit42
Threat Brief: CVE-2025-0282 and CVE-2025-0283 (Updated March 11)
blogs_unit42 · 2025-01-17 · CVSS 9.0 · CVE-2025-0282 [CRITICAL]
## Threat Brief: CVE-2025-0282 and CVE-2025-0283 (Updated March 11)
Unit 42 · Published: January 16, 2025
Tags: High Profile Threats, Vulnerabilities, CL-UNK-0979, CVE-2025-0282, CVE-2025-0283, Ivanti, SPAWNMOLE, SPAWNSLOTH, SPAWNSNAIL, UNC5337
## Executive Summary
Unit 42 stopped monitoring this threat as well as updating this brief on March 11, 2025. Please refer to Ivanti's Security Advisory for the latest information.
On Jan. 8, 2025, Ivanti released a security advisory for two vulnerabilities ( CVE-2025-0282 and CVE-2025-0283 ) in its Connect Secure, Policy Secure and ZTA gateway products. This threat brief provides attack details that we observed in a recent incident response engagement to provide actionable intelligence to the community. These details can be used to further detect
Wiz
CVE-2025-0282 and CVE-2025-0283: Ivanti 0days in the Wild | Wiz Blog
blogs_wiz · 2025-01-09 · CVSS 9.0 · CVE-2025-0282 [CRITICAL]
Ivanti has confirmed active exploitation of two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, in Ivanti Connect Secure (ICS) VPN appliances. CVE-2025-0282, a zero-day vulnerability, has been exploited since December 2024, enabling unauthenticated remote code execution. According to Mandiant, the ongoing campaign involves multiple malware families and appears to include several threat actors, notably the China-nexus group UNC5337. Ivanti strongly recommends that customers upgrade their ICS appliances to the latest versions to mitigate these vulnerabilities.
## What are CVE-2025-0282 and CVE-2025-0283?
## CVE-2025-0282
CVE-2025-0282 is an unauthenticated stack-based buffer overflow vulnerability in Ivanti Connect Secure (ICS) VPN appliances, also affecting Policy Secure and Neurons for
Bleepingcomputer
Ivanti warns of new Connect Secure flaw used in zero-day attacks
blogs_bleepingcomputer · 2025-01-08 · CVSS 9.0 · CVE-2025-0282 [CRITICAL]
By Lawrence Abrams
Ivanti is warning that hackers exploited a Connect Secure remote code execution vulnerability tracked as CVE-2025-0282 in zero-day attacks to install malware on appliances.
The company says it became aware of the vulnerabilities after the Ivanti Integrity Checker Tool (ICT) detected malicious activity on customers' appliances. Ivanti launched an investigation and confirmed that threat actors were actively exploiting CVE-2025-0282 as a zero-day.
CVE-2025-0282 is a critical (9.0) stack-based buffer overflow bug in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 that allows an unauthenticated attacker
Tenable
CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
blogs_tenable · 2025-01-08 · CVSS 9.0 · [CRITICAL]