Dive Brief:
- Researchers tracking a recently disclosed zero-day vulnerability in Ivanti Connect Secure said hundreds of instances may have been compromised through exploits of CVE-2025-0282. Shadowserver scans identified 379 new backdoored instances on Wednesday.
- “The backdoor was originally discovered by the National Cyber Security Centre of Finland in a CVE-2025-0282 exploitation case,” Shadowserver CEO Piotr Kijewski told Cybersecurity Dive via email on Friday. The agency shared remote detection methodology with Shadowserver, allowing it to scan the internet for confirmed compromises and notify affected entities, Kijewski said.
- Ivanti did not say how many devices were compromised via CVE-2025-0282 exploits or remain unpatched. “The facts as we know them remain consistent with our Jan. 8 disclosure. We encourage focusing on verified facts to ensure accurate reporting,” a company spokesperson said Friday via email.
Dive Insight:
Actively exploited vulnerabilities in Ivanti products are a recurring problem for the vendor’s customers. Multiple attack sprees during the last year targeted zero-day vulnerabilities in Ivanti Connect Secure, Ivanti Cloud Service Appliance and Ivanti Endpoint Manager.
The Cybersecurity and Infrastructure Security Agency has added 12 Ivanti CVEs to its known exploited vulnerabilities catalog since Jan. 1, 2024.
Kijewski said it’s difficult to quantify the exact number of Ivanti Connect Secure instances compromised via the latest zero-day affecting the VPN product. Some of the backdoors found by Shadowserver scans could be attributed to other malicious activity, Kijewski said.
Ivanti Connect Secure customers running versions affected by CVE-2025-0282 resolved the issue relatively fast compared to previous vulnerabilities in the same product, Kijewski said.
Yet, the number of Ivanti Connect Secure devices running a version vulnerable to CVE-2025-0282 remains high, according to Censys research. Excluding honeypots, Censys found 13,954 Ivanti Connect Secure devices exposed and unpatched on Friday, said Himaja Motheram, security researcher at Censys.
Censys detected nearly 33,000 Ivanti Connect Secure devices publicly exposed to the internet as of Friday.
“This is a serious situation. Exploitation has been going on for around two months at this stage, patching appears to be slow, and prominent organizations are being breached,” Motheram said Friday via email.
“Considering the repeated history of critical security flaws and global incidents tied to Ivanti devices, there’s increasingly little justification for using them from a security standpoint,” Motheram said.
While Shadowserver’s findings aren’t definitive with respect to which vulnerabilities are responsible for the compromised instances it found this week, the number of backdoored Ivanti Connect Secure devices is likely even higher, Motheram said.
Stephen Fewer, principal security researcher at Rapid7, shared similar concerns about active CVE-2025-0282 exploits.
“Compromising a VPN appliance on the network edge not only gives an attacker a gateway into your network but often gives an attacker access to user credentials that helps the attacker to move deeper into the compromised network. As such, this is a very serious incident,” Fewer said Friday via email.
Ivanti and researchers tracking CVE-2025-0282 urge organizations to patch any versions of Ivanti Connect Secure affected by the vulnerability. “We can confirm that the patched version successfully remediates the root cause of the vulnerability,” Fewer said.