cbcvebase.
CVE-2025-0283
published 2025-01-08

Priority    P1 (81)
CVSS 3.1    7.0 High    CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags        ITW · Exploit · VulnCheck KEV · Ransomware
Exploited in the wild (see the notes under Detection & IOCs: the exploitation observed so far is attributed to the companion CVE-2025-0282, not to this local privilege escalation on its own)
EPSS        17.11% (96.7th percentile)
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.

Affected

16 ranges (only 3 carry version data in this extract; the other 13 rows list vendor and product only)

Vendor    Product                          Version range      Fixed in
ivanti    connect_secure                   < 9.1              9.1
ivanti    connect_secure                   >= 22.2 < 22.7     22.7
ivanti    connect_secure                   (5 further ranges, no version data)
ivanti    neurons_for_zero-trust_access    (6 ranges, no version data)
ivanti    policy_secure                    < 22.7             22.7
ivanti    policy_secure                    (2 further ranges, no version data)

These CPE-style ranges are coarser than the fixed builds named in the description (Connect Secure 22.7R2.5, Policy Secure 22.7R1.2, Neurons for ZTA gateways 22.7R2.3). Check the running build against those, not against the major.minor in the table.
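Because the table above only gives major.minor ranges, a practical check has to compare the full Ivanti build string (for example 22.7R2.4) against the fixed builds named in the description. The following is an added example, not code from the CVE page or from Ivanti: it parses build strings of the form major.minorRrelease.patch (a convention assumed from the public build names) and reports hosts below the fix. The product keys and the sample inventory are constructed for illustration.

```python
"""Added example (not from the CVE page or from Ivanti): compare an Ivanti
build string against the fixed builds named in the CVE-2025-0283 description.

Ivanti builds look like "22.7R2.4" or "9.1R18.9", i.e.
<major>.<minor>R<release>.<patch>. That parsing convention is an assumption
based on those public build names.
"""
import re
from typing import Tuple

# Fixed builds taken from the CVE description; product keys are our own names.
FIXED_BUILDS = {
    "connect_secure": "22.7R2.5",
    "policy_secure": "22.7R1.2",
    "neurons_zta_gateway": "22.7R2.3",
}

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_build(build: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.4' into (22, 7, 2, 4); a missing patch number counts as 0."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti build string: {build!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_below_fix(product: str, build: str) -> bool:
    """True when `build` sorts before the fixed build for `product`.

    A 9.1R18.x Connect Secure build also sorts below 22.7R2.5. The description
    says "before version 22.7R2.5", so it is reported as affected; whether a
    fix exists for that older train is a question for the vendor advisory.
    """
    return parse_build(build) < parse_build(FIXED_BUILDS[product])


def triage(inventory):
    """inventory: iterable of (hostname, product, build). Returns hosts needing action,
    including builds the parser could not read (those need a manual look)."""
    findings = []
    for host, product, build in inventory:
        try:
            if is_below_fix(product, build):
                findings.append((host, product, build, FIXED_BUILDS[product]))
        except ValueError as exc:
            findings.append((host, product, build, f"UNPARSED: {exc}"))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("vpn-01", "connect_secure", "22.7R2.4"),
        ("vpn-02", "connect_secure", "22.7R2.5"),
        ("vpn-03", "connect_secure", "9.1R18.9"),
        ("nac-01", "policy_secure", "22.7R1.2"),
        ("zta-01", "neurons_zta_gateway", "22.7R2.3"),
        ("zta-02", "neurons_zta_gateway", "22.7R2"),
    ]
    for row in triage(sample):
        print(*row)
```

Feed it the build strings you already collect (the version fingerprint a passive scanner extracts from the web UI is enough input); it tells you who is below the fix, nothing about whether they were exploited.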

Detection & IOCs (extracted from sources)

  path      /home/webserver/htdocs/dana-na/auth/getComponent.cgi
  path      /home/webserver/htdocs/dana-na/auth/restAuth.cgi
  path      /root/home/lib/libsshd.so
  path      /root/home/lib/libsocks5.so
  path      /root/lib/libupgrade.so
  path      /tmp/.liblogblock.so
  filename  ldap.pl
  filename  package.dll
  path      C:\Users\Public\Music\package.dll
  path      C:\Users\Public\Downloads\VM.txt
  filename  vixDiskLib.dll
  filename  deelevator64.dll
  filename  error.dat
  filename  temp.log
  filename  mini.xml
  filename  msbuild.lnk
  ip        168.100.8[.]144
  ip        193.149.180[.]128
  url       /dana-na/auth/url_default/welcome.cgi
  url       /dana-na/auth/url_6/welcome.cgi
  url       /dana/home/index.cgi
  registry  DcomSrv

The two dana-na/auth/*.cgi paths under /home/webserver/htdocs and the welcome.cgi / index.cgi URLs are standard appliance endpoints: their existence or a single request to them is not a finding. Compare the files against a known-good build and look at the request pattern, as the notes below describe.
  • Look for IFT/IF-T connection errors in the Ivanti appliance debug.log file as a precursor indicator of CVE-2025-0282 exploitation attempts, especially from Tor or NordVPN exit nodes.
  • Detect the misspelled string 'DCOMLIENT' (a misspelling of 'DCOMCLIENT' with the 'C' dropped) embedded in the vixDiskLib.dll binary as a unique indicator for this malware family.
  • Monitor for MSBuild.exe (a LOLBIN) being used to compile and execute code from mini.xml, followed by creation of package.dll in C:\Users\Public\Music\.
  • Monitor for svchost.exe spawned in a suspended state followed by process hollowing; the DLL-sideloading malware uses this technique to load its decrypted payloads.
  • Check for a scheduled task named '/mail' used for persistence to execute DeElevate64.exe and sideload deelevator64.dll.
  • Use the Shodan query http.title:"ivanti connect secure" to identify exposed Ivanti Connect Secure appliances for proactive asset discovery.
  • Attackers perform version reconnaissance by querying specific ICS URLs before exploitation; monitor for sequential GET requests to the /dana-na/auth/ and /dana/home/ paths from external IPs.
  • Post-exploitation, monitor for SELinux being disabled and the filesystem being remounted on Ivanti appliances as preparation for malware deployment.
  • CVE-2025-0283 (local privilege escalation) shares the same affected version ranges as CVE-2025-0282 (remote RCE). No in-the-wild exploitation of CVE-2025-0283 specifically has been confirmed; all active exploitation observed is attributed to CVE-2025-0282.
  • Active exploitation has only been observed on Ivanti Connect Secure appliances; Policy Secure and ZTA Gateways have not been observed exploited in the wild.
  • The Nuclei detection template for CVE-2025-0282/CVE-2025-0283 performs passive version fingerprinting only and does not confirm active exploitation; it checks version strings extracted from web UI responses.
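The version-reconnaissance note, the listed IPs and the appliance file paths above can be turned into a small triage routine. What follows is an added example, not code from the CVE page or from any vendor tool: it reads web access log lines in a constructed common-log-style layout (the real appliance log format differs, so the regex is an assumption to adjust), flags requests from the listed attacker IPs, flags a source that fetches two or more of the recon URLs within a short window (one welcome.cgi hit is ordinary user traffic), and checks a file listing for the appliance-side file IOCs. The sample log lines and the one-minute window are constructed.

```python
"""Added example, not from the CVE page or any vendor tool: triage an Ivanti
appliance web access log for the version-reconnaissance pattern and the
network indicators listed above, and check a file listing for the file IOCs.

Log line layout is a constructed common-log-style format; the real appliance
log format differs and LOG_RE would need adjusting.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators copied from the list above. IPs are de-fanged on the page; re-fanged here.
IOC_IPS = {"168.100.8.144", "193.149.180.128"}
RECON_URLS = {
    "/dana-na/auth/url_default/welcome.cgi",
    "/dana-na/auth/url_6/welcome.cgi",
    "/dana/home/index.cgi",
}
IOC_FILE_PATHS = {
    "/root/home/lib/libsshd.so",
    "/root/home/lib/libsocks5.so",
    "/root/lib/libupgrade.so",
    "/tmp/.liblogblock.so",
}
RECON_WINDOW = timedelta(seconds=60)  # assumption: "sequential" means within one minute

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jan/2025:10:00:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 1234
203.0.113.7 - - [09/Jan/2025:10:00:02 +0000] "GET /dana-na/auth/url_6/welcome.cgi HTTP/1.1" 200 1190
203.0.113.7 - - [09/Jan/2025:10:00:03 +0000] "GET /dana/home/index.cgi HTTP/1.1" 302 0
198.51.100.9 - - [09/Jan/2025:10:05:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 1234
193.149.180.128 - - [09/Jan/2025:11:00:00 +0000] "POST /dana-na/auth/restAuth.cgi HTTP/1.1" 200 50
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)


def triage_access_log(text, window=RECON_WINDOW):
    """Return (ioc_ip_hits, recon_hits).

    ioc_ip_hits: every request from the listed attacker IPs.
    recon_hits:  source IP -> sorted recon URLs, for sources that fetched two or
                 more distinct recon URLs within `window`.
    """
    ioc_ip_hits = []
    recon_by_ip = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if ip in IOC_IPS:
            ioc_ip_hits.append((ip, when.isoformat(), method, path))
        if path in RECON_URLS:
            recon_by_ip[ip].append((when, path))
    recon_hits = {}
    for ip, events in recon_by_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            paths = {p for t, p in events[i:] if t - t0 <= window}
            if len(paths) >= 2:
                recon_hits[ip] = sorted(paths)
                break
    return ioc_ip_hits, recon_hits


def file_ioc_hits(listing):
    """`listing`: iterable of absolute paths (e.g. from a recursive find). Returns IOC matches."""
    return sorted(set(listing) & IOC_FILE_PATHS)


if __name__ == "__main__":
    ip_hits, recon = triage_access_log(SAMPLE_LOG)
    for hit in ip_hits:
        print("IOC IP:", *hit)
    for ip, urls in recon.items():
        print("recon sequence from", ip, "->", ", ".join(urls))
    print("file IOCs:", file_ioc_hits(["/etc/passwd", "/tmp/.liblogblock.so"]))
```

A recon hit alone is a lead, not proof: follow it with the debug.log IF-T error check and the SELinux / remount indicators from the notes above, and treat a file-path match on an appliance as a reason to image it before touching anything.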

CVSS provenance

  nvd        v3.1   7.0 HIGH       CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  vulncheck         9.0 CRITICAL
  cisa              9.0 CRITICAL

The NVD vector (AV:L, PR:L) matches the description of a local, authenticated privilege escalation; the vulncheck and cisa entries score the same issue two points higher. Prioritise on the vector, not on the headline number.