A serious security flaw has been identified in Ivanti Connect Secure, designated as CVE-2025-0282. This vulnerability allows remote, unauthenticated attackers to execute arbitrary code.
As of January 8, 2025, Ivanti has confirmed this stack-based buffer overflow issue affecting versions of Ivanti Connect Secure prior to 22.7R2.5.
The Common Vulnerability Scoring System (CVSS) rates this vulnerability at 9.0, reflecting its critical severity. Additionally, a related local privilege escalation vulnerability, CVE-2025-0283, was also patched in the same advisory.
However, Ivanti has stated that there is no evidence of exploitation for the latter vulnerability. While both vulnerabilities are concerning, CVE-2025-0282 currently poses a significantly higher risk as advanced threat actors have already exploited it in the wild.
Security researchers have unveiled a proof-of-concept (PoC) exploit for a critical remote code execution vulnerability in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways.
The analysts at AttackerKB noted that remote, unauthenticated attackers can exploit this flaw to achieve remote code execution on vulnerable systems, which is what makes this vulnerability particularly concerning.
Per a security analysis released by watchTowr on January 10, 2025, CVE-2025-0282 is a stack-based buffer overflow vulnerability within the IF-T/TLS protocol handler of Ivanti’s HTTPS web server (which listens on default TCP port 443).
This flaw allows attackers to achieve remote code execution (RCE) under the privileges of a low-privileged “nr” user, which can still lead to significant compromise of the affected system.
This vulnerability has been actively exploited in the wild since December 2024, according to a report by Mandiant. Exploit success relies on bypassing Address Space Layout Randomization (ASLR), a memory protection mechanism designed to increase difficulty for attackers.
However, researchers found that the ASLR in Connect Secure could be brute-forced with an average of 30 to 90 minutes of repeated attempts due to its limited 9-bit entropy.
A proof-of-concept (PoC) exploit for CVE-2025-0282 has been released to aid detection and remediation, showing how attackers can reliably perform RCE by brute-forcing the library’s memory address. This PoC demonstrates the vulnerability’s high reliability despite ASLR protections.
The released PoC exploit, CVE-2025-0282.rb, demonstrates how attackers can target vulnerable Ivanti Connect Secure appliances. Using this exploit against a vulnerable system enables attackers to write files or execute arbitrary commands.
An example execution of the script reveals how attackers can identify vulnerable versions and repeatedly “guess” ASLR values to brute-force their way to RCE.
C:\Users\sfewer\Desktop\CVE-2025-0282>ruby CVE-2025-0282.rb -t 192.168.86.111 -p 443
[+] Targeting 192.168.86.111:443
[+] Detected version 22.7.2.3597
[2025-01-16 14:39:56 +0000] Starting...
The PoC highlights that while exploitation can take tens of minutes, the success rate increases with repeated attempts since the process automatically restarts upon failure, allowing attackers multiple opportunities to brute-force the address.
The release of a PoC exploit significantly increases the risk of active exploitation in the wild.
Organizations using affected Ivanti products are strongly advised to apply the available patches immediately or implement recommended mitigations if patching is not immediately possible.
Ivanti has released patches to address both vulnerabilities. Users of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways are urged to upgrade to 22.7R2.5 or higher immediately.
Security defenders should monitor systems for signs of compromise, particularly for unusual activity on port 443 or repeated application crashes indicative of exploitation attempts.
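Detection logic of the kind recommended above, added here as an example and not taken from the article, the PoC or Ivanti: it parses constructed, syslog-style web-server crash lines (the message format, hostnames and the threshold are hypothetical; real appliance logs differ) and flags hosts whose web server restarts repeatedly within a short window, the footprint that repeated ASLR-guessing attempts against a process that restarts on failure would leave.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical syslog-style format.
# vpn-gw1 shows a burst of restarts; vpn-gw2 shows two isolated crashes.
SAMPLE_LOG = """\
2025-01-16T14:39:56Z vpn-gw1 web: worker exited on signal 11, restarting
2025-01-16T14:41:02Z vpn-gw1 web: worker exited on signal 11, restarting
2025-01-16T14:42:10Z vpn-gw1 web: worker exited on signal 11, restarting
2025-01-16T14:43:19Z vpn-gw1 web: worker exited on signal 11, restarting
2025-01-16T14:44:31Z vpn-gw1 web: worker exited on signal 11, restarting
2025-01-16T14:45:40Z vpn-gw1 web: worker exited on signal 11, restarting
2025-01-16T09:00:00Z vpn-gw2 web: worker exited on signal 11, restarting
2025-01-16T17:30:00Z vpn-gw2 web: worker exited on signal 11, restarting
2025-01-16T14:40:00Z vpn-gw1 sshd: session opened for admin
"""

# Matches only the (hypothetical) web-server crash/restart message.
CRASH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) web: worker exited on signal \d+, restarting$"
)


def parse_crashes(log_text):
    """Return {host: [datetime, ...]} for every web-server crash line, sorted."""
    crashes = defaultdict(list)
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            crashes[m["host"]].append(ts)
    for host in crashes:
        crashes[host].sort()
    return crashes


def find_crash_bursts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag hosts with at least `threshold` crashes inside any sliding `window`.

    Returns {host: start of the first window that crossed the threshold}.
    A handful of isolated crashes is normal; a sustained run of restarts on
    the HTTPS listener is the pattern worth escalating.
    """
    alerts = {}
    for host, times in parse_crashes(log_text).items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = times[start]
                break
    return alerts
```

Feed it the appliance's exported logs after mapping the regex onto the real crash message; the window and threshold are starting points to tune against a baseline.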
Organizations may also consider deploying additional mitigations, such as network segmentation and detailed logging, to limit the blast radius of potential attacks.
Failure to patch leaves systems vulnerable to active exploitation, potentially compromising sensitive data commonly transmitted through enterprise VPNs.