Are You Protected Against the Actively Exploited Ivanti Flaw CVE-2025-0282?

In mid-December 2024, Ivanti raised the alarm over a critical security flaw impacting its Connect Secure, Policy Secure, and ZTA Gateways that came under active exploitation. This flaw, CVE-2025-0282, has a CVSS score of 9.0 and is a stack-based buffer overflow vulnerability that affects multiple versions of Ivanti’s software, including Connect Secure before version 22.7R2.5, Policy Secure before version 22.7R1.2, and Neurons for ZTA Gateways before version 22.7R2.3. Ivanti has warned that successful exploitation of this flaw could lead to unauthenticated remote code execution, posing a severe threat to affected systems. Ivanti’s advisory notes that threat actor activity was detected by the Integrity Checker Tool on the same day it occurred, allowing the company to respond quickly and develop a fix.
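As an added example (not part of the original article or of Ivanti's tooling), a small Python triage helper that parses Ivanti-style version strings and checks an appliance inventory against the fixed releases quoted above; the version-string format is inferred from those strings, and the inventory, hostnames and product names are constructed.

```python
import re

# Fixed versions for CVE-2025-0282 as quoted in the advisory text above.
# Any version older than the listed release is treated as affected.
FIXED_VERSIONS = {
    "Connect Secure": "22.7R2.5",
    "Policy Secure": "22.7R1.2",
    "Neurons for ZTA Gateways": "22.7R2.3",
}

# Assumed shape of an Ivanti version string, e.g. "22.7R2.4" -> (22, 7, 2, 4).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version):
    """Turn a version string into a comparable integer tuple.
    A missing trailing component counts as 0; strings in another shape
    raise ValueError instead of being silently compared."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_vulnerable(product, version):
    """True when the installed version is below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def triage(inventory):
    """inventory: iterable of (hostname, product, version) tuples.
    Returns the hostnames that still need the CVE-2025-0282 fix."""
    return [host for host, product, version in inventory
            if is_vulnerable(product, version)]


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    sample = [
        ("vpn-edge-1", "Connect Secure", "22.7R2.4"),
        ("vpn-edge-2", "Connect Secure", "22.7R2.5"),
        ("nac-1", "Policy Secure", "22.7R1.1"),
        ("zta-gw-1", "Neurons for ZTA Gateways", "22.7R2.3"),
    ]
    for host in triage(sample):
        print(f"{host}: still on a release affected by CVE-2025-0282")
```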

Ivanti also patched another high-severity flaw, CVE-2025-0283, which has a CVSS score of 7.0. This vulnerability allows locally authenticated attackers to escalate their privileges. Although Ivanti confirmed a limited number of customers had their appliances exploited due to CVE-2025-0282, there is no evidence that CVE-2025-0283 has been weaponized. Google-owned Mandiant, detailing its investigation into these attacks, observed the deployment of the SPAWN malware ecosystem across several compromised devices from multiple organizations. The use of SPAWN is attributed to a China-nexus threat actor, UNC5337, possibly connected to UNC5221. The attacks also resulted in the installation of previously undocumented malware families dubbed DRYHOOK and PHASEJAM, which have yet to be linked to any known threat actor or group.

Conduct Internal Network Exploration Using Built-in Utilities Like nmap and dig

One of the initial steps threat actors have taken in exploiting CVE-2025-0282 involves conducting internal network reconnaissance using built-in tools like nmap and dig. By leveraging these utilities, attackers can map out the network’s structure, identify active devices, scan for open ports, and determine the landscape of potential targets within the compromised environment. Tools like nmap allow attackers to discover services running on each host, giving them the information they need to plan further infiltration and exploitation activities.

Once attackers gain access to an internal network, they often focus on high-value targets such as domain controllers, databases, and file servers. Using tools like nmap and dig enables them to methodically explore the network while remaining under the radar, avoiding detection by security mechanisms. It’s crucial for organizations to monitor for unusual network scanning activity and to harden key systems against unauthorized access to limit the potential damage from such reconnaissance actions.

Utilize the LDAP Service Account to Execute LDAP Queries and Navigate Laterally Within the Network, Including Active Directory Servers, via SMB or RDP

After mapping out the network, attackers commonly leverage the LDAP service account to execute LDAP queries and move laterally within the network. This tactic allows them to access and manipulate directory information, making it easier to navigate to critical resources such as Active Directory servers. By using LDAP queries, attackers can gather details about users, groups, and permissions, which are invaluable for planning subsequent steps in the attack.

Navigating laterally within the network often involves using protocols like SMB (Server Message Block) or RDP (Remote Desktop Protocol). Attackers use these methods to connect to and control other devices within the compromised network. Lateral movement techniques are crucial for accessing sensitive data and gaining control over critical systems. Organizations should ensure that their security controls can detect and respond to anomalous LDAP queries and SMB or RDP activities to mitigate the risk of lateral movement within their networks.
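An added detection example, not from the original article, covering the two behaviours described in this section and the previous one: it runs over constructed connection-log lines and flags one source touching many ports on a host (nmap-style scanning) and a directory service account (hypothetical name svc-ldap) authenticating over SMB or RDP rather than LDAP. The log field names, account name and thresholds are assumptions.

```python
from collections import defaultdict

# Ports for the two lateral-movement protocols the article names.
LATERAL_PORTS = {445: "SMB", 3389: "RDP"}
SCAN_PORT_THRESHOLD = 10   # distinct ports on one host from one source
SCAN_HOST_THRESHOLD = 10   # distinct hosts contacted by one source
# Hypothetical LDAP bind account name; take the real one from your directory.
SERVICE_ACCOUNTS = {"svc-ldap"}


def parse_line(line):
    """Parse one constructed log line: 'src=IP user=NAME dst=IP dport=N'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["user"], fields["dst"], int(fields["dport"])


def analyse(lines):
    """Return alert strings for scan behaviour and for a service account
    being used over SMB/RDP instead of the LDAP it exists for."""
    ports_per_pair = defaultdict(set)   # (src, dst) -> ports touched
    hosts_per_src = defaultdict(set)    # src -> destination hosts
    alerts = []
    for line in lines:
        src, user, dst, dport = parse_line(line)
        ports_per_pair[(src, dst)].add(dport)
        hosts_per_src[src].add(dst)
        if user in SERVICE_ACCOUNTS and dport in LATERAL_PORTS:
            alerts.append(f"service account {user} used over "
                          f"{LATERAL_PORTS[dport]} from {src} to {dst}")
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(f"port scan: {src} touched {len(ports)} ports on {dst}")
    for src, hosts in hosts_per_src.items():
        if len(hosts) >= SCAN_HOST_THRESHOLD:
            alerts.append(f"host sweep: {src} contacted {len(hosts)} hosts")
    return alerts


# Constructed sample: the VPN appliance (10.0.0.5) probing 12 ports on one
# host, then svc-ldap binding over LDAP and afterwards connecting over SMB.
SAMPLE_LOG = (
    [f"src=10.0.0.5 user=- dst=10.0.1.20 dport={p}" for p in range(20, 32)]
    + ["src=10.0.0.5 user=svc-ldap dst=10.0.1.10 dport=389",
       "src=10.0.0.5 user=svc-ldap dst=10.0.1.10 dport=445"]
)

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```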

Extract the Application Cache Database Containing Details Related to VPN Sessions, Session Cookies, API Keys, Certificates, and Credential Material

Another significant step in exploiting CVE-2025-0282 involves extracting the application cache database, which contains crucial information such as VPN session details, session cookies, API keys, certificates, and credential material. This data is invaluable for attackers, as it can be used to impersonate legitimate users, gain unauthorized access to applications, and compromise additional systems within the network.

The application cache database holds sensitive information that, if accessed by attackers, can lead to the escalation of their privileges and further exploitation of the network. By obtaining session cookies and API keys, attackers can bypass authentication mechanisms and interact with applications as authorized users. Certificates and credential material can be used to decrypt communications and gain access to encrypted data, further compromising the security of the network. It’s vital for organizations to protect their application cache databases and monitor for any unauthorized access attempts.

Implement a Python Script Named DRYHOOK to Collect Credentials

