
Ivanti Warns of New Zero-Day Attacks Hitting Connect Secure Product

by Safeer S, Atharva Shah | January 15, 2025

Ivanti’s Zero-Day flaws highlight the risks of relying on perimeter defenses. Attackers leveraged these vulnerabilities to breach systems, stressing the need for Zero Trust frameworks. AccuKnox’s eBPF enforcement and micro-segmentation offer robust cloud protection against such threats

Reading Time: 8 minutes


Security Week recently reported on Ivanti’s zero-day attack.

In today’s digital landscape, ensuring robust security involves more than just protecting external access points like Virtual Private Networks (VPNs). While VPNs remain integral for remote access, their vulnerabilities expose organizations to significant risks. The focus must shift from solely securing VPNs to addressing critical internal security challenges.

The Problem with VPNs and External Access Points

VPNs have long been the go-to solution for remote workers and secure connections to internal networks. While they offer encrypted communication, they also present an inherent risk when exposed to potential vulnerabilities. Cyberattacks like credential stuffing, man-in-the-middle attacks, or exploiting VPN flaws can compromise the entire internal network.

The challenge arises when organizations assume that once a user is authenticated through a VPN, they are inherently trusted. This “trust but verify” model can be easily exploited by attackers if the VPN is breached. This means that attackers who gain access to VPN credentials or exploit VPN weaknesses can have unfettered access to critical internal systems.

The Ivanti Incident: A Wake-Up Call for VPN Security

The vulnerabilities disclosed by Ivanti in its Connect Secure (ICS) VPN appliances highlight the pressing need for robust security measures. On January 8, 2025, Ivanti revealed two critical vulnerabilities, CVE-2025-0282 and CVE-2025-0283, which demonstrate the severe risks posed by VPN weaknesses.

To this end, we are issuing an important security update addressing recently identified vulnerabilities for Ivanti Connect Secure, Policy Secure and Neurons for ZTA gateways. We are reporting the vulnerabilities as CVE-2025-0282 and CVE-2025-0283. We are aware of a limited number of customers’ Ivanti Connect Secure appliances which have been exploited by CVE-2025-0282 at the time of disclosure.

~ Ivanti Security Update Blog

Detailed Breakdown of the Vulnerabilities

CVE-2025-0282: Stack-Based Buffer Overflow

CVE-2025-0282 is a critical vulnerability that allows unauthenticated remote code execution via a stack-based buffer overflow. In the observed attacks, adversaries first sent crafted HTTP requests to determine the appliance version and then triggered the overflow; once they had code execution, they disabled key security features such as SELinux, remounted the filesystem for write access, and deployed web shells to establish persistence. The exploit can lead to the deployment of malware and further network compromise.

CVE-2025-0283: Privilege Escalation (Potential)

While less is known about CVE-2025-0283, it’s likely related to privilege escalation or improper input validation, enabling attackers to gain higher privileges on already-compromised systems. This vulnerability, though not yet actively exploited, could amplify the effects of CVE-2025-0282 and lead to more sophisticated attacks.

Affected Versions

| CVE | Product Name | Affected Version(s) | Affected CPE(s) | Resolved Version(s) | Patch Availability |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-0282 | Ivanti Connect Secure | 22.7R2 through 22.7R2.4 | cpe:2.3:a:ivanti:connect_secure:22.7:R2.4:*:*:*:*.*.* | 22.7R2.5 | Download Portal, Ivanti Software Licensing Portal |
| CVE-2025-0283 | Ivanti Connect Secure | 22.7R2.4 and prior, 9.1R18.9 and prior | cpe:2.3:a:ivanti:connect_secure:22.7:R2.4:*:*:*:*.*.* | 22.7R2.5 | Download Portal, Ivanti Software Licensing Portal |
| CVE-2025-0282 | Ivanti Policy Secure | 22.7R1 through 22.7R1.2 | cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*.*. | | Patch planned availability Jan. 21 |
| CVE-2025-0283 | Ivanti Policy Secure | 22.7R1.2 and prior | cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*.*. | | Patch planned availability Jan. 21 |
| CVE-2025-0282 | Ivanti Neurons for ZTA gateways | 22.7R2 through 22.7R2.3 | N/A | 22.7R2.5 | Patch planned availability Jan. 21 |
| CVE-2025-0283 | Ivanti Neurons for ZTA gateways | 22.7R2.3 and prior | N/A | 22.7R2.5 | Patch planned availability Jan. 21 |

Exploitation in the Wild

The exploitation of CVE-2025-0282 has been confirmed by Mandiant, with attackers leveraging sophisticated reconnaissance techniques to exploit vulnerabilities in Ivanti VPN appliances. These attacks exemplify the growing trend of adversaries targeting enterprise VPN solutions, often regarded as critical gateways to sensitive networks.

Exploitation Tactics

Attackers employ a combination of reconnaissance and exploitation techniques to infiltrate systems. Some of these include:

  • Targeted Reconnaissance: Using tools like Nmap and custom scripts, attackers identify appliance versions vulnerable to exploitation.
  • Crafted Payload Delivery: Malicious HTTP requests are crafted to exploit the stack-based buffer overflow, leading to unauthenticated remote code execution.
  • Post-Exploitation Persistence: Deployment of web shells, Base64-encoded scripts, and ELF binaries enables attackers to maintain long-term access to compromised systems.
  • Privilege Escalation: Using tools like sudo, attackers escalate privileges to execute advanced commands and disable security features, including SELinux.

Blast Radius of the Attack

The consequences of successful exploitation extend far beyond the initial point of compromise. Key aspects of the blast radius include:

  1. Network-Wide Compromise:
    • Attackers gain unfettered access to internal networks, enabling lateral movement to other systems and endpoints.
    • Sensitive data from databases and servers can be exfiltrated, exposing organizations to compliance violations.
  2. Operational Disruption:
    • Deployment of ransomware or other destructive payloads can halt business operations, resulting in downtime and financial losses.
    • Systems crucial for business continuity may require extensive restoration efforts.
  3. Data Breach:
    • Intellectual property, customer data, and proprietary information become targets for exfiltration and blackmail.
    • Data breaches can have long-lasting reputational damage.
  4. Infrastructure Sabotage:
    • Attackers can manipulate or delete configurations, crippling IT systems, and cloud services.
    • This results in extensive recovery times and potential loss of operational capabilities.
  5. Supply Chain Impacts:
    • The compromise of a single organization can cascade into its supply chain, affecting partners and customers who rely on shared services or infrastructure.

Known Exploitation Patterns

Evidence from Mandiant and other security firms reveals a systematic approach to these attacks:

Step 1: Identifying and targeting vulnerable versions of VPN appliances.
Step 2: Exploiting CVE-2025-0282 for initial access and deploying web shells for persistence.
Step 3: Establishing command-and-control channels to orchestrate further actions, including credential harvesting.
Step 4: Conducting internal reconnaissance using tools like dig to gather DNS information and Nmap to map the network.
Step 5: Escalating privileges and launching lateral movement campaigns to compromise additional nodes.

Indicators of Compromise (IoCs)

The exploitation is linked to various malware families, with indicators including:

| Code Family | Filename | Description |
| --- | --- | --- |
| DRYHOOK | N/A | Credential theft tool |
| PHASEJAM | /tmp/s | Web shell dropper |
| PHASEJAM Webshell | /home/webserver/htdocs/dana-na/auth/getComponent.cgi | Web shell |
| PHASEJAM Webshell | /home/webserver/htdocs/dana-na/auth/restAuth.cgi | Web shell |
| SPAWNSNAIL | /root/home/lib/libsshd.so | SSH backdoor |
| SPAWNMOLE | /root/home/lib/libsocks5.so | Tunneler |
| SPAWNANT | /root/lib/libupgrade.so | Installer |
| SPAWNSLOTH | /tmp/.liblogblock.so | Log tampering utility |
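The path-based indicators above can be swept for in a file listing exported from an appliance. The following Python is an added example, not part of the original post or of Mandiant's or Ivanti's tooling; the `find`-style listing it parses is constructed here, and the hidden-shared-object heuristic generalises the SPAWNSLOTH entry and is an assumption, not a published indicator.

```python
import re
from typing import NamedTuple, Optional

class Finding(NamedTuple):
    path: str
    family: str
    note: str

# File-path indicators transcribed from the IoC table above. DRYHOOK has no
# fixed filename and therefore cannot be matched by path.
IOC_PATHS = {
    "/tmp/s": ("PHASEJAM", "web shell dropper"),
    "/home/webserver/htdocs/dana-na/auth/getComponent.cgi": ("PHASEJAM", "web shell"),
    "/home/webserver/htdocs/dana-na/auth/restAuth.cgi": ("PHASEJAM", "web shell"),
    "/root/home/lib/libsshd.so": ("SPAWNSNAIL", "SSH backdoor"),
    "/root/home/lib/libsocks5.so": ("SPAWNMOLE", "tunneler"),
    "/root/lib/libupgrade.so": ("SPAWNANT", "installer"),
    "/tmp/.liblogblock.so": ("SPAWNSLOTH", "log tampering utility"),
}

# Heuristic generalising the SPAWNSLOTH entry: any hidden shared object under
# /tmp is worth a look even if its name differs (an assumption, not a published IoC).
HIDDEN_SO_IN_TMP = re.compile(r"^/tmp/\.[^/]*\.so(\.\d+)*$")

def classify_path(path: str) -> Optional[Finding]:
    if path in IOC_PATHS:
        family, note = IOC_PATHS[path]
        return Finding(path, family, note)
    if HIDDEN_SO_IN_TMP.match(path):
        return Finding(path, "UNKNOWN", "hidden shared object in /tmp (heuristic)")
    return None

def sweep(listing: str) -> list:
    """Scan 'find -type f -printf "%TY-%Tm-%Td %p\\n"' output: one '<date> <path>' per line."""
    findings = []
    for line in filter(None, map(str.strip, listing.splitlines())):
        _, _, path = line.partition(" ")  # the path itself may contain spaces
        f = classify_path(path)
        if f is not None:
            findings.append(f)
    return findings

# Constructed sample listing (not from a real appliance) mixing benign and IoC paths.
SAMPLE_LISTING = """\
2025-01-09 /home/webserver/htdocs/dana-na/auth/welcome.cgi
2025-01-09 /home/webserver/htdocs/dana-na/auth/getComponent.cgi
2025-01-09 /tmp/s
2025-01-09 /tmp/.libaudit.so
2025-01-10 /root/home/lib/libsshd.so
"""
```

Run `sweep(SAMPLE_LISTING)` to get four findings: two PHASEJAM paths, the heuristic hit on the hidden `.so` in /tmp, and the SPAWNSNAIL backdoor; the benign welcome.cgi line produces nothing.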

Impacts on Organizational Security

The exploitation of these vulnerabilities undermines the trust placed in VPN appliances as secure access points. Without robust detection and response mechanisms, organizations may find themselves blind to ongoing attacks. Key organizational impacts include:

  • Legal and Regulatory Consequences: Compliance violations due to data breaches may result in fines under GDPR, HIPAA, or similar frameworks.
  • Economic Losses: Downtime, breach notifications, and customer compensation contribute to high remediation costs.
  • Erosion of Stakeholder Trust: Clients, investors, and partners may lose confidence in the organization’s ability to safeguard sensitive information.

Recommended Actions

Organizations should immediately upgrade their Ivanti Connect Secure products to the latest versions. Ivanti recommends using the Integrity Checker Tool (ICT) for scanning both external and internal systems for potential compromise.

If a scan indicates compromise, Ivanti advises performing a factory reset, followed by reinstallation using the latest patched version (22.7R2.5).

For Ivanti Neurons for ZTA Gateways and Ivanti Policy Secure, patches will be released by January 21, 2025.
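As an added example (not part of the original post and not Ivanti's tooling), the following Python encodes the affected-version table above so an asset inventory can be triaged against it before patching. The version-string grammar (`MAJOR.MINOR R RELEASE [.PATCH]`) and the reading of "and prior" as "every earlier version in the same major.minor train" are assumptions; any version outside the encoded trains still needs a check against the vendor advisory.

```python
import re
from typing import NamedTuple, Optional

class Version(NamedTuple):
    """Ivanti version 'MAJOR.MINOR R RELEASE [.PATCH]', e.g. 22.7R2.4 or 9.1R18."""
    major: int
    minor: int
    release: int
    patch: int

VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text: str) -> Version:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return Version(int(major), int(minor), int(release), int(patch or 0))

# Affected ranges transcribed from the advisory table above as
# (lowest affected, highest affected), both inclusive. A None low bound is
# the table's "and prior", read here as every earlier version in the same
# MAJOR.MINOR train (an assumption; other trains must be checked against the advisory).
AFFECTED = {
    "Ivanti Connect Secure": {
        "CVE-2025-0282": [("22.7R2", "22.7R2.4")],
        "CVE-2025-0283": [(None, "22.7R2.4"), (None, "9.1R18.9")],
    },
    "Ivanti Policy Secure": {
        "CVE-2025-0282": [("22.7R1", "22.7R1.2")],
        "CVE-2025-0283": [(None, "22.7R1.2")],
    },
    "Ivanti Neurons for ZTA gateways": {
        "CVE-2025-0282": [("22.7R2", "22.7R2.3")],
        "CVE-2025-0283": [(None, "22.7R2.3")],
    },
}

def in_range(v: Version, low: Optional[str], high: str) -> bool:
    hi = parse_version(high)
    if low is None:  # "and prior": same train, at or below the high bound
        return (v.major, v.minor) == (hi.major, hi.minor) and v <= hi
    return parse_version(low) <= v <= hi

def affected_cves(product: str, version: str) -> list:
    """CVE ids from the table that apply to this product and version (empty if fixed)."""
    v = parse_version(version)
    return sorted(cve for cve, spans in AFFECTED[product].items()
                  if any(in_range(v, lo, hi) for lo, hi in spans))
```

For example, `affected_cves("Ivanti Connect Secure", "22.7R2.3")` returns both CVE ids, while the resolved 22.7R2.5 returns an empty list.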

CVE-2025-0282 and CVE-2025-0283 are severe vulnerabilities that illustrate how weaknesses in external access points like VPNs and endpoint management systems can be exploited to gain full internal access. In these cases, attackers could escalate privileges or perform lateral movement across the network once access was gained, highlighting a significant internal security gap.

While securing external access points is important, the focus should not solely be on them. Strong internal security is just as crucial, especially considering the risks of lateral movement by attackers once they penetrate the network. If an attacker breaches a VPN or an internal device, they can move across the network, increasing the chances of compromising sensitive data, applications, and systems.

How can AccuKnox Zero Trust Security be your partner?

In today’s rapidly evolving cyber threat landscape, ensuring robust cloud security is paramount for organizations. As businesses increasingly move to the cloud, traditional security approaches such as perimeter defenses no longer suffice. This is where Zero Trust security—an approach that assumes no trust, either inside or outside the network—becomes crucial.

The attack on Ivanti’s VPN appliances exploited CVE-2025-0282 and CVE-2025-0283 through reconnaissance, privilege escalation, and malware deployment (aligned with MITRE ATT&CK tactics such as Initial Access, Privilege Escalation, and Lateral Movement), resulting in compromised internal systems, data exfiltration, and potential network-wide damage. AccuKnox’s Zero Trust security, with eBPF-based kernel enforcement, micro-segmentation, and behavioral analysis, provides secure-by-design protection against these threats in both public and private clouds, validated by red-teaming scenarios such as:

  1. Credential Harvesting and Privilege Escalation: Test detection of stolen credentials and privilege abuse.
  2. Lateral Movement Simulation: Evaluate defenses against attackers moving across the network.
  3. Insider Threat Simulation: Validate controls against malicious actions by legitimate users.
  4. Supply Chain Attack Injection: Assess protection against malicious updates or dependencies.

AccuKnox’s Approach to Zero Trust Security

AccuKnox’s Cloud Workload Protection Platform (CWPP) seamlessly integrates Zero Trust principles into cloud security. By incorporating advanced security tools like eBPF (extended Berkeley Packet Filter) and kernel-level enforcement, AccuKnox ensures that cloud environments are protected against both known and emerging threats in real-time.

Key features of AccuKnox’s Zero Trust-based security solution include:

  • Kernel-Level Enforcement: AccuKnox uses eBPF to provide real-time policy enforcement, ensuring that any abnormal or unauthorized activity is detected and mitigated before it can cause harm.
  • Micro-Segmentation and Identity-Based Access: The platform applies Zero Trust principles to network security, enforcing application-aware micro-segmentation and identity-based segmentation. This limits the movement of threats within cloud environments.
  • Behavioral Analysis and Machine Learning: AccuKnox employs machine learning algorithms to analyze workload behavior and baseline normal patterns. This allows for more accurate detection of anomalies, reducing false positives and ensuring that real threats are identified.

When adopting a more granular network security strategy, visibility and control are critical. Traditional security measures often fail to detect threats that originate within the cloud or from compromised workloads. With granular segmentation, organizations can monitor network traffic with pinpoint accuracy, allowing them to detect suspicious activity before it escalates. Benefits include:

  1. Enhanced Visibility: Gain insight into how data flows between workloads, making it easier to identify anomalies and potential threats.
  2. Reduced Lateral Movement: By isolating workloads and implementing access controls, attackers are unable to move freely within the network, reducing the impact of any security breach.
  3. Streamlined Security Management: Centralized policy management simplifies rule updates and adjustments, ensuring that security policies remain aligned with evolving cloud environments.

Takeaway

The rise in targeted exploitation campaigns exploiting vulnerabilities like CVE-2025-0282 underscores the need for organizations to prioritize proactive security measures. Enterprises can no longer rely solely on traditional defenses; modern strategies, including Zero Trust architectures and robust incident response frameworks, are essential for mitigating the blast radius of sophisticated attacks.

The evolving threat landscape demands that organizations invest in advanced threat intelligence, continuous monitoring, and automated remediation. Solutions such as micro-segmentation, runtime security, and policy enforcement tools not only reduce attack surfaces but also limit the ability of adversaries to escalate and move laterally within networks.

AccuKnox Zero Trust CNAPP (Cloud Native Application Protection Platform) delivers Zero Trust security by design.
