In early January 2025, Nominet, the UK domain registry, detected an unusual cyber intrusion linked to a zero-day vulnerability in Ivanti’s VPN software. This breach, publicly identified as CVE-2025-0282, represents the first known exploitation of this critical Ivanti Connect Secure flaw. The vulnerability, found to be a stack-based buffer overflow, allows unauthenticated remote code execution, directly impacting Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways. Nominet, which manages over 11 million .uk domains and operates the UK’s Protective Domain Name Service for the National Cyber Security Centre, discovered the suspicious activity one week before making it known to customers. Despite the breach, comprehensive investigations revealed no evidence of data theft, leakage, or the presence of backdoors within Nominet’s network. In response to this breach, Nominet has implemented several countermeasures, including limiting VPN access and notifying relevant authorities, such as the NCSC, while continuing to investigate with the aid of external cybersecurity experts.
Insights into the Exploitation
The zero-day flaw exploitation has been attributed to suspected Chinese state-sponsored hackers, who reportedly commenced their attacks in mid-December 2024. This update came from Mandiant, which identified the attackers as part of the UNC5337 group. There are substantial ties between this group and previous assaults on Ivanti products by another group, UNC5221, in January 2023. This ongoing campaign sees the utilization of both known and novel malware strains, including Spawn, Dryhook, and Phasejam.
With Ivanti releasing patches for Connect Secure on January 8, 2025, the public disclosure of the zero-day coincided with this effort, although customers using Policy Secure and Neurons for ZTA Gateways would not receive fixes until January 21. This delay might expose some users to potential risks. According to Censys, there are 33,542 Ivanti Connect Secure instances currently exposed globally, with primary concentrations in the United States and Japan. As this situation continues to unfold, cybersecurity experts strongly advise organizations using Ivanti products to promptly apply available patches, conduct thorough investigations for possible compromises, and remain vigilant against further exploitation attempts.
Nominet’s Response and Mitigation Efforts
Upon detecting the breach, Nominet swiftly restricted VPN access and alerted all relevant authorities to mitigate further damage. High-priority notifications were sent to customers, alongside deploying both internal and external cybersecurity resources to understand the full extent of the security lapse and prevent future incidents. The thorough inspection by Nominet and its partners so far has shown no evidence of data theft or leakage. Moreover, the company is actively working on enhancing its security protocols and ensuring that such an incident does not recur.
In light of this breach, Nominet continues to cooperate closely with the National Cyber Security Centre and other cybersecurity experts to address any vulnerabilities within its infrastructure. Given that Ivanti has delayed the release of patches for certain systems until January 21, it is imperative for companies to take additional measures to safeguard their networks. Experts recommend organizations to re-evaluate their security protocols and consider alternative protections during this patch gap. The incident underscores the critical importance of prompt vulnerability management and the need for continuous vigilance to fend off cyber threats.
The Importance of Vigorously Addressing Vulnerabilities
In early January 2025, Nominet, the UK domain registry, detected a cyber intrusion associated with a zero-day vulnerability in Ivanti’s VPN software. Known as CVE-2025-0282, this breach marks the first exploitation of a serious Ivanti Connect Secure flaw. The vulnerability, identified as a stack-based buffer overflow, permits unauthenticated remote code execution, which affects Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways. Nominet, which oversees over 11 million .uk domains and runs the UK’s Protective Domain Name Service for the National Cyber Security Centre (NCSC), noticed the unusual activity a week prior to alerting its customers. Thorough investigations showed no signs of data theft, leakage, or backdoors within Nominet’s network. In reaction to this breach, Nominet implemented several protective measures, including restricting VPN access and notifying relevant authorities like the NCSC. They continue to investigate the incident with external cybersecurity experts.