Saturday, January 18, 2025

Mandiant: Recent Ivanti Vulnerabilities Targeted by Chinese Cyber Operatives

Ivanti is facing serious issues once again. Two new vulnerabilities have come to light, and they appear to have been exploited by hackers linked to China. These vulnerabilities, tracked as CVE-2025-0282 and CVE-2025-0283, affect several Ivanti products, including Connect Secure, Policy Secure, and Neurons for ZTA.

The first vulnerability, CVE-2025-0282, allows attackers to execute code remotely without authentication. The second, CVE-2025-0283, allows a locally authenticated attacker to escalate privileges. CVE-2025-0282 is classified as a zero-day and has already been added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog. In the UK, the National Cyber Security Centre (NCSC) is currently investigating the impact on UK networks.

As of January 9, 2025, Ivanti reported that only a small number of Connect Secure users have been affected by CVE-2025-0282. Users of Policy Secure and ZTA gateways remain unaffected, and there’s no evidence yet that CVE-2025-0283 has been exploited. Ivanti has released a patch for Connect Secure, but Policy Secure and Neurons for ZTA still await a fix, which is expected by January 21.

An Ivanti representative emphasized their commitment to customer support and collaboration with law enforcement. They recommend that all customers closely monitor their networks to maintain security. They’ve also allocated extra resources to help clients implement the patch and address any concerns.

Relatedly, Google Cloud's Mandiant has been investigating these vulnerabilities. Mandiant reported that at least one hacker has used these flaws to deploy parts of the SPAWN malware suite. This activity ties back to a threat group known as UNC5337, linked with another suspected Chinese group that targeted Ivanti vulnerabilities earlier in 2024. Mandiant's CTO, Charles Carmakal, urges Ivanti users to apply patches right away but warns that the upgrade process itself could be subverted. Attackers have been known to display fake upgrade progress bars that mislead administrators into thinking their systems have been updated, while malware on the appliance blocks any real upgrade.

Benjamin Harris, CEO of watchTowr, is sounding the alarm for Ivanti users. He sees serious dangers here, noting that this situation is reminiscent of the issues seen in January 2024. He expressed concern over the delayed patches for Policy Secure and Neurons for ZTA and insists these appliances should be taken offline until those patches are ready. He cautions all users to treat the situation with urgency, stressing that the speed of their response could have major implications for their organizations.