БлогCybersecurity
Cybersecurity

CVE-2025-0282 & CVE-2025-0283: Ivanti Connect Secure Zero-Days Actively Exploited — Full Analysis & Fix

Two critical zero-day vulnerabilities in Ivanti Connect Secure are being actively exploited by nation-state actors. We break down exactly what happened, who is affected, how to detect compromise, and the complete remediation steps.

S

Sarah Chen

Senior Cybersecurity Engineer with 12+ years of experience in penetration testing and security architecture.

January 15, 2026
22 минута чтения

What Happened: The Ivanti Zero-Day Crisis

In early 2025, Ivanti disclosed two critical vulnerabilities in its widely-deployed Connect Secure (formerly Pulse Secure) VPN appliance. CVE-2025-0282 is a stack-based buffer overflow vulnerability with a CVSS score of 9.0, allowing unauthenticated remote code execution. CVE-2025-0283 is a privilege escalation flaw rated CVSS 7.0 that allows a local authenticated attacker to escalate privileges.

What made this incident particularly alarming was that CVE-2025-0282 was being actively exploited before Ivanti was even aware of it — a textbook zero-day scenario. Mandiant tracked the exploitation activity back to a Chinese state-sponsored threat actor they track as UNC5337, a subgroup of UNC5221 which previously exploited Ivanti devices in 2024.

Organizations using Ivanti Connect Secure, Ivanti Policy Secure, and ZTA Gateways were all affected. Given that Connect Secure is used by thousands of enterprises for remote access, the blast radius was enormous.

Technical Deep Dive: How CVE-2025-0282 Works

The vulnerability exists in the ISAPI web server component of Ivanti Connect Secure. When the appliance processes certain HTTP requests, it copies user-supplied data into a fixed-size stack buffer without proper bounds checking. An attacker can craft a malformed request that overflows this buffer, overwriting the return address and redirecting execution to attacker-controlled shellcode.

# Simplified representation of the vulnerable code pattern
void process_request(char *user_input) {
    char buffer[256];           // Fixed-size stack buffer
    strcpy(buffer, user_input); // No bounds check — VULNERABLE
    // ... rest of processing
}

# Attacker sends input longer than 256 bytes
# Overwrites stack return address → RCE

The attack chain observed by Mandiant involved:

  1. Initial exploitation of CVE-2025-0282 to gain unauthenticated RCE as the web server process
  2. Deployment of the SPAWN malware family (SPAWNANT, SPAWNMOLE, SPAWNSNAIL)
  3. Use of CVE-2025-0283 to escalate from web server user to root
  4. Persistence via modification of legitimate components to survive factory resets
  5. Lateral movement into internal networks using the VPN appliance as a pivot point

Who Is Affected

The following Ivanti products and versions are vulnerable:

  • Ivanti Connect Secure: All versions before 22.7R2.5
  • Ivanti Policy Secure: All versions before 22.7R1.2 (no active exploitation observed)
  • Ivanti Neurons for ZTA Gateways: All versions before 22.7R2.3 (no active exploitation observed)

If you are running any version of Ivanti Connect Secure and have not patched to 22.7R2.5 or later, assume you are vulnerable. If your device is internet-facing — which is the entire purpose of a VPN gateway — exploitation is actively occurring in the wild.

Detection: How to Know If You Were Compromised

Ivanti released an updated Integrity Checker Tool (ICT) that can detect the SPAWN malware implants. Run this immediately:

# Step 1: Download the latest ICT from Ivanti support portal
# Run it from the admin console or via SSH

# Step 2: Check for known SPAWN indicators on the filesystem
find / -name "liblogblock.so" 2>/dev/null    # SPAWNANT
find / -name "libdsupgrade.so" 2>/dev/null  # SPAWNMOLE  
find / -name "sshd_ikey" 2>/dev/null        # SPAWNSNAIL backdoor SSH

# Step 3: Check for unauthorized SSH keys
cat /data/runtime/etc/ssh/authorized_keys

# Step 4: Review web server access logs for exploit attempts
grep -E "../|%2e%2e|buffer_overflow_pattern" /var/log/web/access.log

# Step 5: Check for unusual outbound connections
netstat -an | grep ESTABLISHED | grep -v ":443|:80|:22"

Beyond the ICT, look for these behavioral indicators:

  • Unexpected processes running as root on the appliance
  • Modified system binaries (check with rpm -V or debsums)
  • Outbound connections to unusual IPs, especially on non-standard ports
  • SSH connections from IPs that don't match your admin IP allowlist
  • Log gaps — attackers often clear logs after compromise

Immediate Response Steps

If you have a vulnerable Ivanti Connect Secure appliance, here is the priority-ordered response plan:

Step 1: Isolate and Assess (First Hour)

# Block all inbound traffic to the appliance except from your admin IPs
# Do this at your perimeter firewall/WAF — NOT on the appliance itself
# (the appliance may already be compromised)

# AWS WAF rule to block all traffic to Ivanti appliance IP
aws wafv2 create-ip-set   --name "ivanti-admin-only"   --scope REGIONAL   --ip-address-version IPV4   --addresses "YOUR.ADMIN.IP/32"

Step 2: Run Factory Reset (Not Sufficient Alone)

Ivanti has confirmed that the SPAWNANT implant can survive a factory reset by modifying the upgrade package. A factory reset is necessary but not sufficient. You must:

  1. Perform a factory reset via the admin console
  2. Re-flash the firmware from a trusted Ivanti source
  3. Apply patch 22.7R2.5 immediately after
  4. Re-run the ICT to verify clean state

Step 3: Patch to 22.7R2.5

Download the official patch from the Ivanti support portal (requires authenticated access). Apply via the admin console under Maintenance → System Upgrade. Verify the SHA-256 hash of the package before applying:

# Verify patch integrity before applying
sha256sum ivanti-cs-22.7R2.5.pkg
# Compare against hash published in Ivanti security advisory

# After patching, verify version
curl -sk https://YOUR_IVANTI_IP/api/v1/version | python3 -m json.tool

Step 4: Credential Rotation (Critical)

If your appliance was compromised, all credentials that transited through it must be considered compromised. This includes:

  • All VPN user passwords
  • Service account credentials used for LDAP/AD authentication
  • Any certificates stored on or presented by the appliance
  • Admin console credentials
  • API keys configured in the appliance

Long-Term Hardening

After patching and recovery, implement these controls to reduce future exposure:

Network Segmentation

# Place your VPN gateway in a dedicated DMZ segment
# Only allow the minimum required traffic:

# From Internet → VPN Gateway: TCP 443 only
# From VPN Gateway → Internal: Only to required internal subnets
# VPN Gateway Management → Only from admin jump server IP

# Example iptables rules for the appliance itself
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s YOUR_JUMP_SERVER_IP -j ACCEPT
iptables -A INPUT -j DROP

Enable Geo-Blocking at WAF Layer

If your user base is confined to specific countries, implement geo-blocking at your WAF to reduce exposure to nation-state attackers:

# AWS WAF geo-match rule
aws wafv2 create-rule-group   --name "GeoBlockVPN"   --scope REGIONAL   --capacity 10   --rules '[{
    "Name": "BlockHighRiskCountries",
    "Priority": 0,
    "Statement": {
      "GeoMatchStatement": {
        "CountryCodes": ["CN", "RU", "KP", "IR"]
      }
    },
    "Action": {"Block": {}},
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "GeoBlock"
    }
  }]'

Consider Migrating to Zero Trust Architecture

The repeated exploitation of Ivanti and other VPN appliances underscores a fundamental architectural weakness: traditional VPN gateways present a single high-value target that, once compromised, grants broad network access. Zero Trust Network Access (ZTNA) solutions like Cloudflare Access, Zscaler Private Access, or open-source alternatives like Teleport eliminate this single point of failure by authenticating each connection individually at the application layer.

CISA Emergency Directive

CISA issued Emergency Directive 25-01 requiring all federal civilian agencies to disconnect affected Ivanti products from networks and run the ICT before reconnecting. While this directive technically applies only to federal agencies, it signals the severity level that private sector organizations should also treat this vulnerability with.

Lessons Learned

This incident highlights several recurring patterns in enterprise VPN security:

  • VPN appliances are prime targets — they sit at the network perimeter, run complex code, and are often less frequently patched than servers
  • Factory resets are not safe recovery methods — sophisticated attackers can persist through them
  • Integrity verification matters — always use vendor-provided integrity tools after a suspected compromise
  • Zero-day exploitation happens within hours — your patch window after disclosure may be measured in minutes, not days

For organizations still running Ivanti Connect Secure: patch now, run the ICT, and start evaluating ZTNA alternatives for your next refresh cycle. The pattern of critical VPN vulnerabilities shows no sign of slowing down.

Теги

#CVE#Ivanti#Zero-Day#VPN Security#Incident Response#Threat Intelligence#Patch Management
S

Sarah Chen

Senior Cybersecurity Engineer with 12+ years of experience in penetration testing and security architecture.

Похожие статьи

Cybersecurity

AWS WAF Rule Tuning: Eliminating False Positives While Blocking Real Attacks

AWS WAF blocks attacks but also breaks legitimate traffic. This guide covers tuning managed rule groups, writing custom rules, reducing false positives with Count mode, log analysis with Athena, and production hardening strategies that protect without breaking your application.

Sarah Chen21 минута чтения
Cybersecurity

SSL/TLS Certificate Automation: Let's Encrypt, ACME, and Zero-Touch Certificate Lifecycle Management

Manual SSL certificate management causes outages. Automate the entire certificate lifecycle with Let's Encrypt, cert-manager, Caddy, and Vault PKI. Covers ACME protocol internals, wildcard certificates via DNS-01 challenge, internal PKI for private services, and monitoring expiry.

Sarah Chen21 минута чтения
Cybersecurity

Oracle Cloud Infrastructure (OCI) Account Compromised: Complete Recovery Guide

Oracle Cloud Infrastructure accounts are increasingly targeted by attackers exploiting API keys, OCI CLI configuration files, and the Always Free tier. This detailed guide covers immediate containment using OCI IAM and policies, forensic investigation with Audit logs, recovery across Compute, Object Storage, and Database services, billing dispute steps, and full security hardening.

Sarah Chen19 минута чтения

Готовы преобразовать свою инфраструктуру?

Давайте обсудим, как мы можем помочь вам достичь подобных результатов.

Запланировать консультациюПросмотреть больше статей