Dive Brief:
- Federal cyber authorities and researchers warn that attackers are exploiting a zero-day vulnerability in multiple Ivanti products, including Ivanti Connect Secure.
- Ivanti acknowledged CVE-2025-0282 was already exploited at the time of disclosure on Wednesday when it issued an advisory and released a patch for the critical unauthenticated stack-based buffer overflow vulnerability. The Cybersecurity and Infrastructure Security Agency added CVE-2025-0282 to its known exploited vulnerabilities catalog on Wednesday.
- “Mandiant has identified zero-day exploitation of CVE-2025-0282 in the wild beginning mid-December 2024,” Mandiant said in a Wednesday threat intelligence brief. “Successful exploitation could result in unauthenticated remote code execution, leading to potential downstream compromise of a victim network.”
Dive Insight:
Researchers are concerned about widespread exploitation of the zero-day, which was discovered almost exactly one year after a threat group exploited a pair of zero-days in the same Ivanti product.
The prior zero-days, CVE-2023-46805 and CVE-2024-21887, were actively exploited for months, impacting multiple organizations, including CISA. The federal agency said a pair of its systems were impacted by the attacks, but no data was stolen.
Mandiant, which is working with Ivanti on response and recovery efforts, attributed some of the malware used in post-exploitation of CVE-2025-0282 to a China-nexus threat group it identifies as UNC5337. Mandiant suspects the group is part of UNC5221, which actively exploited the previous pair of zero-days in Ivanti Connect Secure devices as early as January 2024.
“It is possible that multiple actors are responsible for the creation and deployment of these various code families, but as of publishing this report, we don't have enough data to accurately assess the number of threat actors targeting CVE-2025-0282,” Mandiant researchers said in the threat intelligence brief.
Post-exploitation activities observed by Mandiant include lateral movement across victim environments, log entry removal, network tunneling and credential harvesting. Attackers also duped some network security responders who were trying to patch systems.
“The threat actor implemented a novel technique to trick administrators into thinking they’ve successfully upgraded a system. The threat actor deployed malware which blocks legitimate system upgrades while simultaneously displaying a fake upgrade progress bar,” Mandiant Consulting CTO Charles Carmakal said in a Wednesday LinkedIn post.
“This creates a convincing facade of a successful update, when in reality, the malware silently prevents the actual upgrade from taking place. Some organizations may assume they’ve addressed the vulnerability when they actually haven’t,” Carmakal said.
CISA also issued an alert on Wednesday urging organizations to hunt for malicious activity on Ivanti instances and report findings to the federal agency.
“We are aware of a limited number of customers’ Ivanti Connect Secure appliances which have been exploited by CVE-2025-0282 at the time of disclosure,” Ivanti said in the security advisory. “We are not aware of these CVEs being exploited in Ivanti Policy Secure or Neurons for ZTA gateways.”
Ivanti customers were hit by multiple actively exploited CVEs in various products last year, including Ivanti Cloud Service Appliance and Ivanti Endpoint Manager.