Threat hunters are scrambling to determine the scope of damage and potential impact from a critical zero-day vulnerability that impacts a trio of Ivanti products, including Ivanti Connect Secure VPN appliances.
Shadowserver scans identified more than 900 unpatched Ivanti Connect Secure instances on Sunday and said the devices are likely vulnerable to exploitation. The number of unpatched and vulnerable instances found by Shadowserver scans is down from more than 2,000 on Thursday.
The nonprofit, which analyzes and shares malicious activity with more than 200 national computer security incident response teams covering 175 countries, was asked not to disclose how it knows these instances are unpatched, but has yet to receive any false positive feedback, Shadowserver CEO Piotr Kijewski told Cybersecurity Dive via email on Friday.
Researchers are especially concerned about widespread exploitation of the zero-day because of previous cyberattacks linked to software defects in Ivanti products.
“It’s unsurprising that a motivated threat group was able to find a new attack vector in a popular technology that typically sits in an exposed place in organizations’ environments, irrespective of the particular vendor,” Caitlin Condon, director of vulnerability intelligence at Rapid7, said via email.
The critical unauthenticated stack-based buffer overflow vulnerability, CVE-2025-0282, was discovered almost exactly one year after a threat group exploited a pair of separate zero-days — CVE-2023-46805 and CVE-2024-21887 — in the same Ivanti product.
Ivanti Connect Secure is the only product known to be impacted by active exploitation of the new zero-day, but CVE-2025-0282 also affects Ivanti Policy Secure and Ivanti Neurons for ZTA gateways.
Ivanti said it hasn’t seen evidence of active CVE-2025-0282 exploitation in Ivanti Policy Secure or Neurons for ZTA gateways and plans to release a patch for those products on Jan. 21.
The company also discovered a high-severity stack-based buffer overflow vulnerability, CVE-2025-0283, affecting the same three Ivanti products. “We have no indication that CVE-2025-0283 is being exploited or chained with CVE-2025-0282,” Ivanti said in a security advisory on its community forum.
What's going on with the new zero-day
The timing of Ivanti’s response and recovery efforts, and the window of opportunity threat groups had to conduct active exploitation prior to public disclosure, are significant.
Ivanti’s Integrity Checker tool identified active exploitation of CVE-2025-0282 the same day it occurred, a company spokesperson said Friday via email.
The new zero-day was actively exploited for weeks before Ivanti released a patch for Ivanti Connect Secure and publicly disclosed the vulnerability on Wednesday. Mandiant identified active exploitation of the zero-day in the wild beginning in mid-December 2024, the incident response firm said in a Wednesday threat intelligence brief.
“Ivanti worked closely with all known affected customers prior to disclosure, and alongside leading security experts Mandiant and Microsoft Threat Intelligence in responding to this threat and releasing a fix,” the Ivanti spokesperson said. “Exploitation to date has been limited.”
Ivanti, which released a patch for the CVE in Ivanti Connect Secure at the time of disclosure, did not say how many customers remain exposed or have already been impacted by active exploitation.
The Cybersecurity and Infrastructure Security Agency added CVE-2025-0282 to its known exploited vulnerabilities catalog on Wednesday.
As of Friday, Censys identified more than 33,500 publicly exposed Ivanti Connect Secure instances. Most of the internet-facing instances, which aren’t necessarily vulnerable to exploitation, are located in the U.S. and Japan, Censys said in an advisory.
“Network edge devices are prime targets for attackers generally, across many vendors and product lines,” Condon said. “From the information available on CVE-2025-0282 so far, threat activity is at least in part being attributed to a state-sponsored threat group that has previously targeted these devices — meaning they likely had resources, strong motivation, and specialized knowledge of Ivanti Connect Secure devices.”
Organizations were hit by multiple actively exploited vulnerabilities in various Ivanti products last year, including Ivanti Cloud Service Appliance and Ivanti Endpoint Manager.