Summary: Ivanti has reported a critical security vulnerability (CVE-2025-0282) affecting its products, which is currently being actively exploited, allowing unauthenticated remote code execution. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, urging immediate patching.
Threat Actor: UNC5337 | UNC5337
Victim: Ivanti | Ivanti
Key Point :
- CVE-2025-0282 is a stack-based buffer overflow with a CVSS score of 9.0, affecting multiple Ivanti products.
- The exploitation process involves disabling SELinux, executing scripts, and installing malware such as PHASEJAM and DRYHOOK.
- Mandiant has linked the exploitation to the China-nexus threat actor UNC5337, which is believed to be part of a larger group.
- The attack demonstrates sophisticated techniques, including the removal of logs and persistence mechanisms to evade detection.
- CISA has mandated federal agencies to apply patches by January 15, 2025, and to monitor for signs of compromise.
Source: https://thehackernews.com/2025/01/ivanti-flaw-cve-2025-0282-actively.html