Are You Protected Against the Actively Exploited Ivanti Flaw CVE-2025-0282?

In mid-December 2024, Ivanti raised the alarm over a critical security flaw impacting its Connect Secure, Policy Secure, and ZTA Gateways that came under active exploitation. This flaw, CVE-2025-0282, has a CVSS score of 9.0 and is a stack-based buffer overflow vulnerability that affects multiple versions of Ivanti’s software, including Connect Secure before version 22.7R2.5, Policy Secure before version 22.7R1.2, and Neurons for ZTA Gateways before version 22.7R2.3. Ivanti has warned that successful exploitation of this flaw could lead to unauthenticated remote code execution, posing a severe threat to affected systems. Ivanti’s advisory notes that threat actor activity was detected by the Integrity Checker Tool on the same day it occurred, allowing the company to respond quickly and develop a fix.

Ivanti also patched another high-severity flaw, CVE-2025-0283, which has a CVSS score of 7.0. This vulnerability allows locally authenticated attackers to escalate their privileges. Although Ivanti confirmed a limited number of customers had their appliances exploited due to CVE-2025-0282, there is no evidence that CVE-2025-0283 has been weaponized. Google-owned Mandiant, detailing its investigation into these attacks, observed the deployment of the SPAWN malware ecosystem across several compromised devices from multiple organizations. The use of SPAWN is attributed to a China-nexus threat actor, UNC5337, possibly connected to UNC5221. The attacks also resulted in the installation of previously undocumented malware families dubbed DRYHOOK and PHASEJAM, which have yet to be linked to any known threat actor or group.

Conduct Internal Network Exploration Using Built-in Utilities Like nmap and dig

One of the initial steps threat actors have taken in exploiting CVE-2025-0282 involves conducting internal network reconnaissance using built-in tools like nmap and dig. By leveraging these utilities, attackers can map out the network’s structure, identify active devices, scan for open ports, and determine the landscape of potential targets within the compromised environment. Tools like nmap allow attackers to discover services running on each host, giving them the information they need to plan further infiltration and exploitation activities.

Once attackers gain access to an internal network, they often focus on high-value targets such as domain controllers, databases, and file servers. Using tools like nmap and dig enables them to methodically explore the network while remaining under the radar, avoiding detection by security mechanisms. It’s crucial for organizations to monitor for unusual network scanning activity and to harden key systems against unauthorized access to limit the potential damage from such reconnaissance actions.

Utilize the LDAP Service Account to Execute LDAP Queries and Navigate Laterally Within the Network, Including Active Directory Servers, via SMB or RDP

After mapping out the network, attackers commonly leverage the LDAP service account to execute LDAP queries and move laterally within the network. This tactic allows them to access and manipulate directory information, making it easier to navigate to critical resources such as Active Directory servers. By using LDAP queries, attackers can gather details about users, groups, and permissions, which are invaluable for planning subsequent steps in the attack.

Navigating laterally within the network often involves using protocols like SMB (Server Message Block) or RDP (Remote Desktop Protocol). Attackers use these methods to connect to and control other devices within the compromised network. Lateral movement techniques are crucial for accessing sensitive data and gaining control over critical systems. Organizations should ensure that their security controls can detect and respond to anomalous LDAP queries and SMB or RDP activities to mitigate the risk of lateral movement within their networks.

Extract the Application Cache Database Containing Details Related to VPN Sessions, Session Cookies, API Keys, Certificates, and Credential Material

Another significant step in exploiting CVE-2025-0282 involves extracting the application cache database, which contains crucial information such as VPN session details, session cookies, API keys, certificates, and credential material. This data is invaluable for attackers, as it can be used to impersonate legitimate users, gain unauthorized access to applications, and compromise additional systems within the network.

The application cache database holds sensitive information that, if accessed by attackers, can lead to the escalation of their privileges and further exploitation of the network. By obtaining session cookies and API keys, attackers can bypass authentication mechanisms and interact with applications as authorized users. Certificates and credential material can be used to decrypt communications and gain access to encrypted data, further compromising the security of the network. It’s vital for organizations to protect their application cache databases and monitor for any unauthorized access attempts.

Implement a Python Script Named DRYHOOK to Collect Credentials

In mid-December 2024, Ivanti warned of a severe security vulnerability affecting its Connect Secure, Policy Secure, and Neurons for ZTA Gateways, identified as CVE-2025-0282. This flaw, with a CVSS score of 9.0, is a stack-based buffer overflow issue impacting various versions of Ivanti’s software: Connect Secure versions prior to 22.7R2.5, Policy Secure versions before 22.7R1.2, and Neurons for ZTA Gateways versions before 22.7R2.3. Exploiting this flaw can lead to unauthenticated remote code execution, posing a significant threat to the security of affected systems. Ivanti caught threat actor activity with the Integrity Checker Tool the same day, enabling a prompt response and fix.

Additionally, Ivanti rectified another high-risk flaw, CVE-2025-0283, with a CVSS score of 7.0, which lets locally authenticated attackers escalate privileges. Although few customers’ appliances were compromised due to CVE-2025-0282, there’s no evidence that CVE-2025-0283 has been exploited. Google-owned Mandiant’s investigation into these incidents noted the presence of the SPAWN malware ecosystem across several affected devices from different organizations, suggesting involvement of a China-nexus threat actor, UNC5337, potentially linked to UNC5221. The attacks also installed two previously undocumented malware families, DRYHOOK and PHASEJAM, which remain unattributed to any known groups.

Explore more

Ethereum Uses AI Swarms to Proactively Patch Network Flaws

The architectural integrity of global decentralized networks has reached a pivotal juncture where the speed of malicious exploitation often outpaces the traditional cadence of human-led security audits. To address this widening gap, The Ethereum Foundation has fundamentally transitioned its security strategy from a reactive model to an automated, proactive defense paradigm that leverages the power of machine learning. This shift

How Is ERP Modernization Driving DLA to Audit Readiness?

The Defense Logistics Agency currently manages an intricate global supply chain that serves as the backbone for the United States military, requiring an unprecedented level of financial precision and operational transparency to meet modern oversight requirements. This massive undertaking involves a transition from aging, siloed legacy systems to a unified Enterprise Resource Planning environment designed to provide real-time visibility into

What Makes Odyssey Infostealer a Global Threat to macOS?

The long-standing myth that macOS remains immune to sophisticated cyberattacks has been decisively shattered by the emergence of the Odyssey infostealer, a highly specialized malware variant engineered to bypass modern system integrity protections. This transition represents a fundamental shift in the threat landscape, where the historical security-by-obscurity advantage once enjoyed by Apple users has entirely vanished. As the adoption of

Can AI Secure Windows Without Compromising Stability?

The sheer scale of modern software development has reached a point where manual code review is no longer sufficient to protect the billions of devices running Windows across the globe. As lines of code multiply and interdependencies become more complex, traditional security measures are struggling to keep pace with the rapid evolution of sophisticated digital threats. In response to this

Xero Launches JAX to Redefine Accounting with Agentic AI

Small business owners have historically spent an exhausting amount of time tethered to spreadsheets and receipts, but the emergence of agentic AI is finally turning those static records into a living, breathing financial command center that operates with minimal human oversight. With more than five million global subscribers now integrated into its ecosystem, Xero is spearheading a movement toward Accountable