CVE-2025-0282 is a critical stack-based buffer overflow vulnerability in Ivanti network appliances that allows unauthenticated remote attackers to achieve remote code execution. It was disclosed on January 8, 2025, and has been actively exploited since mid-December 2024. Ivanti and Mandiant are investigating the exploitation, which includes post-exploitation activity such as lateral movement and malware deployment.
Affected products: Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways
Key points:
- CVE-2025-0282 is a critical vulnerability with a CVSS score of 9.0.
- Affects Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways.
- Allows remote unauthenticated attackers to execute arbitrary code.
- Exploitation has been observed since mid-December 2024.
- Ivanti recommends using the Integrity Checker Tool for signs of compromise.
- A patch for Ivanti Policy Secure and Neurons for ZTA gateways is expected on January 21, 2025.
- Joint investigation by Ivanti and Mandiant is ongoing.
- SPAWN malware deployment has been detected post-exploitation.
- 33,542 exposed Ivanti Connect Secure instances identified by Censys.
MITRE Techniques:
- Execution (T1203): Exploitation of the stack-based buffer overflow allows arbitrary code execution.
- Lateral Movement (T1021): Post-exploitation activities include lateral movement within the network.
- Command and Control (T1071): Potential use of SPAWN malware for command and control operations.
Indicators of Compromise:
- [tool name] SPAWN
- [other IoC] Integrity Checker Tool
- [other IoC] Censys Exposed Instances
- Check the article for all found IoCs.
Full Research: https://censys.com/cve-2025-0282/