US software giant Ivanti has warned that a zero-day vulnerability in its widely used enterprise VPN appliance has been exploited to infiltrate enterprise customers' networks.
Ivanti said Wednesday that the vulnerability, tracked as CVE-2025-0282, could be exploited without authentication to remotely plant malicious code on Ivanti's Connect Secure, Policy Secure, and ZTA Gateways products. Ivanti says its Connect Secure remote access VPN solution is “the most widely adopted SSL VPN by organizations of all sizes in every major industry.”
This is the latest security vulnerability to be exploited targeting Ivanti products in recent years. Last year, the technology maker pledged to overhaul its security processes after hackers exploited vulnerabilities in several of its products in a major hack against its customers.
The company said it became aware of the latest vulnerability after the Ivanti Integrity Checker Tool (ICT) flagged malicious activity on some customer appliances.
In an advisory post published Wednesday, Ivanti confirmed that threat actors are actively exploiting CVE-2025-0282 as a “zero-day,” meaning the company had no time to fix the vulnerability before it was discovered and exploited. Ivanti said it is aware of a “limited number of customers” whose Ivanti Connect Secure appliances were hacked.
Ivanti said a patch for Connect Secure is available now, but patches for Policy Secure and ZTA Gateways (neither of which is known to have been exploited) won't be released until January 21.
The company said it also discovered a second vulnerability, tracked as CVE-2025-0283, but it has not yet been exploited.
Ivanti did not say how many customers were affected by the hack or who was behind the breach. An Ivanti spokesperson did not respond to TechCrunch's questions by press time.
Incident response firm Mandiant, which discovered the vulnerability along with Microsoft researchers, said in a blog post published late Wednesday that its researchers had observed hackers exploiting the Connect Secure zero-day as early as mid-December 2024.
Mandiant told TechCrunch in an email that while it has not attributed the exploitation to a specific attacker, it suspects a China-linked cyber espionage group tracked under the designations UNC5337 and UNC5221. This is the same cluster of threat activity that exploited two zero-day vulnerabilities in Connect Secure to launch a major hack against Ivanti customers in 2024, Mandiant said in its Wednesday blog post.
Ben Harris, CEO of security research firm watchTowr Labs, told TechCrunch in an email that the company is aware of “widespread impact” as a result of this latest Ivanti VPN flaw and is “taking steps to ensure our customers are aware,” adding that “we work with customers all day long.”
Harris added that the attack “has all the hallmarks” of [an advanced persistent threat] “zero-day use on mission-critical appliances,” which is what makes this vulnerability a serious concern, and urged everyone to “take this seriously.”
The UK's National Cyber Security Centre said in an advisory that it was “investigating instances of active exploitation affecting UK networks.” The US cybersecurity agency CISA also added the vulnerability to its catalog of Known Exploited Vulnerabilities.
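For defenders, the practical follow-up to a KEV listing is to check whether any asset in their own inventory matches a catalog entry and how long remains before the listed remediation due date. The script below is an added example written for this article, not code from Ivanti, CISA, or TechCrunch. The field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`) are those used in CISA's public KEV JSON feed; the catalog entries, hostnames, and dates embedded in it are constructed sample data with placeholder values, not figures reported by CISA or Ivanti.

```python
"""Match an asset inventory against a CISA KEV-style catalog (added example).

Assumptions: the catalog JSON has the shape of CISA's public KEV feed; the
entries, hosts and dates below are constructed placeholders, not real data.
"""
import json
from datetime import date, datetime

# Constructed sample in the KEV feed shape. Only the CVE id comes from the
# article; the dates, description and second entry are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-0282",
            "vendorProject": "Ivanti",
            "product": "Connect Secure, Policy Secure, and ZTA Gateways",
            "vulnerabilityName": "Ivanti Connect Secure remote code execution (placeholder name)",
            "dateAdded": "2025-01-01",
            "shortDescription": "Placeholder description.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-01-15",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": ""
        },
        {
            "cveID": "CVE-0000-0001",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry",
            "dateAdded": "2025-01-01",
            "shortDescription": "Placeholder description.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-01-22",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": ""
        },
    ],
})

# Constructed inventory: vendor and product as recorded in a CMDB (placeholders).
INVENTORY = [
    {"host": "vpn-01.example.internal", "vendor": "Ivanti", "product": "Connect Secure"},
    {"host": "nac-01.example.internal", "vendor": "Ivanti", "product": "Policy Secure"},
    {"host": "web-01.example.internal", "vendor": "ExampleVendor", "product": "OtherProduct"},
]


def load_kev(raw_json):
    """Parse a KEV-format JSON document and return its vulnerability entries."""
    catalog = json.loads(raw_json)
    return catalog["vulnerabilities"]


def kev_matches(inventory, entries, today):
    """Return one finding per (asset, KEV entry) pair whose vendor matches
    exactly and whose product name appears in the entry's product field.
    Findings are sorted so the closest remediation due date comes first."""
    findings = []
    for asset in inventory:
        for entry in entries:
            if entry["vendorProject"].lower() != asset["vendor"].lower():
                continue
            if asset["product"].lower() not in entry["product"].lower():
                continue
            due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_until_due": (due - today).days,  # negative means overdue
                "required_action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["days_until_due"], f["host"]))
    return findings


if __name__ == "__main__":
    # Evaluation date is a placeholder so the output is stable offline.
    for f in kev_matches(INVENTORY, load_kev(SAMPLE_KEV_JSON), date(2025, 1, 10)):
        print(f"{f['host']}: {f['cve']} due {f['due']} "
              f"({f['days_until_due']} days) - {f['required_action']}")
```

The product match is a substring test because KEV product fields often list several products in one string, as the Ivanti entry shape above shows; a real deployment would fetch the live feed over HTTPS and normalize product names from its own inventory before matching.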