The cybersecurity industry is urging organizations to take action as Ivanti addresses two new vulnerabilities, one of which is actively being exploited.
The cybersecurity industry is urging organizations to take mitigation efforts seriously as Ivanti battles two dangerous new vulnerabilities, one of which was already being exploited as a zero-day. It's just under a year since the last high-profile security snafu hit the vendor and now two new flaws are ready to be patched at the earliest opportunity. The worst of the two is a stack-based buffer overflow bug leading to unauthenticated remote code execution.
This is the one that was already exploited, affecting Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3. The lesser of the two evils is another stack-based buffer overflow leading to privilege escalation for locally authenticated attackers. The same products and versions are affected. The two issues aren't believed to be chained in the attacks. Ivanti said that CVE-2025-0282 is the exploited zero-day, but they just happened to find CVE-2025-0283 during the threat-hunting phase and decided to include it in the
Ivanti customers looking for guidance now are advised to run its Integrity Checker Tool (ICT), which offers a little more information about the state of their appliance but shouldn't be relied upon to detect exploit activity or indicators of compromise.
'The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state,' Ivanti said in its advisory. 'The ICT does not scan for malware or other Indicators of Compromise. Customers should run the ICT in conjunction with other monitoring tools.
'Indicators of Compromise will be shared with customers that have confirmed impact to move them forward in their forensics investigation. If customers require additional information, they should open a ticket with support.'
Updates for Connect Secure are out now, with the vendor urging all users to upgrade to version 22.7R2.5 or later as soon as possible, after performing a factory reset of the device. However, Policy Secure and ZTA Gateways won't receive their upgrades until January 21.
Ivanti said in its advisory that the former should never be exposed to the web anyway, and isn't known to be a target of the ongoing exploits. The latter can't be exploited while in production, but if a gateway is generated and left unconnected to a ZTA controller, then a risk of exploitation exists, Ivanti said.
Mandiant was drafted in to help Ivanti with the investigations into the known exploits, and the threat intel specialists detailed the attacks in their own blog, noting the incidents occurred as early as mid-December. In at least one case currently under examination, the group behind the attacks deployed payloads from the Spawn ecosystem of malware, which has previously been linked with the activity cluster Mandiant tracks as UNC5337, which in turn has ties to UNC5221 – a known China-nexus group. Other appliances have shown signs of novel malware families, which are now being tracked as Dryhook and Phasejam. Never seen before, these families aren't tied to a specific group or activity cluster.
'It is possible that multiple actors are responsible for the creation and deployment of these various code families (i.e. Spawn, Dryhook, and Phasejam), but as of publishing this report, we don't have enough data to accurately assess the number of threat actors targeting CVE-2025-0282,' Mandiant
According to the folks over at watchTowr, who are still working through their own investigations of the issues, the activity has the hallmarks of an advanced persistent threat (APT) campaign. Benjamin Harris, watchTowr's CEO, said: 'Our concern is significant as this has all the hallmarks of APT usage of a zero-day against a mission-critical appliance. It also resembles the behavior and drama circulating Ivanti products that we as an industry saw in January 2024, and we can only hope that Ivanti has learned from that experience with regard to actioning an effective response.
'Ivanti Connect Secure users have a patch available, but once again - patches for other affected appliances like Ivanti's Policy Secure and Neurons for ZTA gateways are left waiting three weeks for a patch. Users of these products should not hesitate – these appliances should be pulled offline until patches are available.
'watchTowr client or not – we urge everyone to please take this seriously. Throw your vulnerability SLAs into the proverbial wind in situations like this, they are no longer relevant and the difference between a rapid response, and a response in hours, could be the difference between your organization calling your cyber insurer or not.'
Mandiant added that 'defenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access.'
Should public exploits be made available, other groups and individuals are likely to exploit the vulnerabilities as well, so applying the available patches and pulling Policy Secure and ZTA Gateway appliances offline should be carried out as soon as possible.
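The affected-version thresholds and the patch-or-pull-offline advice above translate directly into an asset-inventory triage check. The following is an added example written for this article, not code from Ivanti, Mandiant or watchTowr. It assumes Ivanti version strings follow the major.minor R release [.patch] shape seen in the advisory (22.7R2.5), treats a missing patch field as 0, and uses a constructed inventory with made-up hostnames; the "offline" recommendation for Policy Secure and ZTA gateways is the one quoted from watchTowr, applied only where no fixed build exists yet.

```python
import re

# Fixed versions quoted in the article for CVE-2025-0282 / CVE-2025-0283.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA gateways": "22.7R2.3",
}

# Products whose fixed build the article says is not available until January 21.
PATCH_PENDING = {"Ivanti Policy Secure", "Ivanti Neurons for ZTA gateways"}

# Ivanti version strings look like 22.7R2.5 (major.minor R release [.patch]).
# Assumption: the trailing patch field may be absent and then counts as 0.
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")


def parse_version(text):
    """Turn '22.7R2.5' into a comparable tuple (22, 7, 2, 5)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(product, version):
    """True when the product is in scope and runs a build older than the fixed one."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return False  # product not covered by these two CVEs
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Map each (hostname, product, version) to the action the article calls for."""
    results = []
    for hostname, product, version in inventory:
        if product not in FIXED_VERSIONS:
            action = "out of scope"
        elif not is_affected(product, version):
            action = "not affected"
        elif product in PATCH_PENDING:
            # No fixed build yet: the quoted advice is to take the appliance offline.
            action = "affected: no patch until Jan 21, take offline"
        else:
            # Connect Secure: factory reset first, then move to the fixed build.
            action = f"affected: factory reset, then upgrade to {FIXED_VERSIONS[product]}"
        results.append((hostname, product, version, action))
    return results


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("vpn-gw-01", "Ivanti Connect Secure", "22.7R2.4"),
    ("vpn-gw-02", "Ivanti Connect Secure", "22.7R2.5"),
    ("nac-01", "Ivanti Policy Secure", "22.7R1.1"),
    ("zta-gw-01", "Ivanti Neurons for ZTA gateways", "22.7R2.3"),
    ("zta-gw-02", "Ivanti Neurons for ZTA gateways", "22.6R1"),
    ("fileshare-01", "Some Other Product", "1.0R1"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(" | ".join(row))
```

Because the ICT only reports the appliance's current state, a "not affected" result here means the build is at or above the fixed version, nothing more; any appliance that was exposed while on a vulnerable build still needs the factory reset plus the monitoring Ivanti and Mandiant describe.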