Vulnerabilities in Ivanti Connect Secure, Policy Secure, and ZTA Gateways (CVE-2025-0282, CVE-2025-0283)

Bar Refael

January 9, 2025

Ivanti Vulnerabilities (CVE-2025-0282, CVE-2025-0283): Ivanti disclosed critical flaws in Connect Secure, Policy Secure, and ZTA gateways, including CVE-2025-0282 (active RCE exploitation since Dec 2024) and CVE-2025-0283 (local privilege escalation). Immediate patching, integrity checks, and incident response are essential to mitigate risks.

  • CVE-2025-0282: A stack-based buffer overflow vulnerability allowing unauthenticated remote code execution. This flaw has been actively exploited in the wild since mid-December 2024.
  • CVE-2025-0283: A stack-based buffer overflow vulnerability enabling privilege escalation for locally authenticated attackers. Currently, there is no evidence of active exploitation of this vulnerability.

Affected Versions:

  • CVE-2025-0282:
    • Ivanti Connect Secure versions 22.7R2 through 22.7R2.4
    • Ivanti Policy Secure versions 22.7R1 through 22.7R1.2
    • Ivanti Neurons for ZTA gateways versions 22.7R2 through 22.7R2.3
  • CVE-2025-0283:
    • Ivanti Connect Secure versions 22.7R2.4 and prior, 9.1R18.9 and prior
    • Ivanti Policy Secure versions 22.7R1.2 and prior
    • Ivanti Neurons for ZTA gateways versions 22.7R2.3 and prior
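The version ranges above are easy to misread when triaging an estate of appliances, so here is an added helper (not from Ivanti or the advisory) that encodes exactly the ranges listed on this page and reports which of the two CVEs a given product and version fall into. Version strings follow Ivanti's major.minorRrelease.patch shape (22.7R2.4, 9.1R18.9, 22.7R2 with an implied patch of 0); the product labels and the reading of "X and prior" as any version at or below X within X's major release line (22.x or 9.x) are this example's assumptions. An empty result means only that the version is outside the listed ranges; confirm the actual fix version against Ivanti's advisory before treating a device as patched.

```python
import re

# Ivanti version strings: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.4 or 9.1R18.9
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn '22.7R2.4' into a comparable tuple (22, 7, 2, 4); '22.7R2' -> (22, 7, 2, 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


# Ranges transcribed from the advisory list above.
# Each entry is (low inclusive or None, high inclusive); None means "X and prior".
AFFECTED = {
    "CVE-2025-0282": {
        "Connect Secure": [("22.7R2", "22.7R2.4")],
        "Policy Secure": [("22.7R1", "22.7R1.2")],
        "ZTA Gateway": [("22.7R2", "22.7R2.3")],
    },
    "CVE-2025-0283": {
        "Connect Secure": [(None, "22.7R2.4"), (None, "9.1R18.9")],
        "Policy Secure": [(None, "22.7R1.2")],
        "ZTA Gateway": [(None, "22.7R2.3")],
    },
}


def in_range(version, low, high):
    """True if version lies inside the listed range."""
    v = parse_version(version)
    hi = parse_version(high)
    if low is None:
        # Assumption: "X and prior" covers versions at or below X on X's major line,
        # so 9.1R18.10 is not matched by the 9.1R18.9 bound and 22.x is not matched by it either.
        return v[0] == hi[0] and v <= hi
    return parse_version(low) <= v <= hi


def affected_cves(product, version):
    """Return the sorted list of CVE ids from this advisory that cover product/version."""
    return sorted(
        cve
        for cve, products in AFFECTED.items()
        if any(in_range(version, low, high) for low, high in products.get(product, []))
    )


if __name__ == "__main__":
    for product, version in [("Connect Secure", "22.7R2.4"), ("Connect Secure", "22.7R2.5"),
                             ("Connect Secure", "9.1R18.9"), ("ZTA Gateway", "22.7R2.4")]:
        print(f"{product} {version}: {affected_cves(product, version) or 'not in listed ranges'}")
```

Run it against an inventory export and anything that returns CVE-2025-0282 goes to the top of the patch and ICT queue, since that is the one under active exploitation.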

Exploitation Details:

The exploitation of CVE-2025-0282 involves:

  • Disabling SELinux
  • Preventing syslog forwarding
  • Remounting the drive as read-write
  • Executing scripts to deploy web shells
  • Modifying logs to remove specific entries
  • Re-enabling SELinux
  • Remounting the drive

These steps facilitate unauthorized access and persistence on compromised devices.
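Two of the steps above, suppressing syslog forwarding and deleting specific log entries, are aimed at the evidence rather than the device, which is why the copy of the logs held by a remote syslog collector is the one to trust during investigation. The following is an added example (not Ivanti tooling, and the log lines are constructed, not real appliance output) of the two checks a responder would run over that collector copy: find unexplained silences from a gateway that normally logs continuously, and list records the collector received that no longer exist in the appliance's own log. The record format `<ISO timestamp> <host> <message>` is an assumption of the example.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real Ivanti logs). COLLECTOR_LOG is what the remote
# syslog server received; LOCAL_LOG is what the appliance still holds afterwards.
COLLECTOR_LOG = """\
2025-01-05T10:00:00 gw01 system: config change by admin
2025-01-05T10:02:00 gw01 auth: login success user=alice
2025-01-05T10:04:00 gw01 auth: login failure user=unknown
2025-01-05T10:06:00 gw01 system: service restarted
2025-01-05T10:41:00 gw01 auth: login success user=bob
"""

LOCAL_LOG = """\
2025-01-05T10:00:00 gw01 system: config change by admin
2025-01-05T10:02:00 gw01 auth: login success user=alice
2025-01-05T10:06:00 gw01 system: service restarted
2025-01-05T10:41:00 gw01 auth: login success user=bob
"""


def parse_records(text):
    """Parse '<ISO timestamp> <host> <message>' lines into (datetime, host, message) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, msg = line.split(" ", 2)
        records.append((datetime.fromisoformat(ts), host, msg))
    return records


def forwarding_gaps(records, max_gap):
    """Per host, return (host, silence_start, silence_end) for every gap longer than max_gap.

    A gateway that normally emits records every few minutes going quiet for half an hour
    is the footprint of forwarding being switched off, as described in the steps above.
    """
    by_host = {}
    for ts, host, _ in sorted(records):
        by_host.setdefault(host, []).append(ts)
    gaps = []
    for host, stamps in by_host.items():
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > max_gap:
                gaps.append((host, prev, cur))
    return gaps


def missing_locally(collector_records, local_records):
    """Records the collector received that are absent from the appliance's own log."""
    local = set(local_records)
    return [r for r in collector_records if r not in local]


def review(collector_text=COLLECTOR_LOG, local_text=LOCAL_LOG, max_gap_minutes=30):
    """Run both checks and return plain values suitable for a ticket or a test."""
    collector = parse_records(collector_text)
    local = parse_records(local_text)
    gaps = forwarding_gaps(collector, timedelta(minutes=max_gap_minutes))
    return {
        "gaps": [(host, start.isoformat(), end.isoformat(),
                  int((end - start).total_seconds() // 60)) for host, start, end in gaps],
        "missing": [f"{ts.isoformat()} {host} {msg}" for ts, host, msg in missing_locally(collector, local)],
    }


if __name__ == "__main__":
    result = review()
    for host, start, end, minutes in result["gaps"]:
        print(f"{host}: no records between {start} and {end} ({minutes} min)")
    for line in result["missing"]:
        print(f"present at collector, missing on appliance: {line}")
```

Neither finding is proof of compromise on its own (a reboot also produces a silence), but a gap that coincides with records missing from the local log is exactly the pattern the sequence above leaves behind, and both should be read alongside the ICT result.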

Mitigation Steps:

  1. Immediate Actions:
    • Run the built-in Integrity Checker Tool (ICT) to detect potential compromises.
    • Conduct thorough threat hunting on systems connected to the affected devices.
  2. If No Compromise is Detected:
    • Perform a factory reset of the device.
    • Apply the latest patches as per Ivanti’s security advisory.
    • Monitor authentication and identity management services for anomalies.
    • Audit privileged access accounts regularly.
  3. If Compromise is Detected:
    • Immediately report the incident to CISA and Ivanti.
    • Disconnect affected devices from enterprise resources.
    • Isolate compromised systems.
    • Revoke and reissue all connected or exposed certificates, keys, and passwords.
    • Reset passwords for local users and service accounts on the gateway.
    • For compromised domain accounts, reset passwords twice, revoke Kerberos tickets, and disable affected devices in cloud environments.
  4. Post-Incident Actions:
    • Apply all relevant patches.
    • Restore systems to normal operations.

References:

  • Ivanti Security Advisory for CVE-2025-0282 and CVE-2025-0283
  • CISA Known Exploited Vulnerabilities Catalog

Conclusion:

The active exploitation of CVE-2025-0282 poses a significant threat to organizations using Ivanti’s Connect Secure, Policy Secure, and ZTA gateways. Immediate action is required to mitigate risks, including applying patches, conducting thorough system assessments, and following incident response protocols.