Critical CVE-2025-0282 January 2026 · 8 min read

CVE-2025-0282: Ivanti Connect Secure Unauthenticated RCE

A critical stack-based buffer overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways allows unauthenticated remote attackers to execute arbitrary code. Actively exploited by state-sponsored threat actors before patch availability. CVSS score: 9.0 CRITICAL.


9.0
CRITICAL
AttributeValue
CVE IDCVE-2025-0282
CVSS VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWECWE-121: Stack-based Buffer Overflow
PublishedJanuary 8, 2025
ExploitationActive — CISA KEV listed

What Is CVE-2025-0282?

CVE-2025-0282 is a stack-based buffer overflow vulnerability in Ivanti Connect Secure (formerly Pulse Secure VPN), Ivanti Policy Secure, and Ivanti Neurons for ZTA Gateways. The vulnerability exists in the SSL VPN gateway component and can be triggered by an unauthenticated attacker over the network.

The flaw was discovered by Mandiant researchers who identified active exploitation by a Chinese state-sponsored threat group (tracked as UNC5337) deploying the SPAWN malware family, including SPAWNANT, SPAWNMOLE, and SPAWNSNAIL implants for persistent access.

🚨 Actively Exploited

CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities catalog on January 8, 2025, with a mandatory remediation deadline. Over 3,000 internet-facing Ivanti gateways were compromised before patches were widely applied. Post-exploitation activity included credential harvesting, lateral movement, and deployment of persistent rootkits.

Affected Systems

ProductAffected VersionsFixed Version
Ivanti Connect Secure22.7R2 through 22.7R2.422.7R2.5
Ivanti Policy Secure22.7R1 through 22.7R1.222.7R1.3 (Jan 21)
Ivanti Neurons ZTA22.7R2 through 22.7R2.322.7R2.5

Technical Impact

Successful exploitation of CVE-2025-0282 grants an unauthenticated attacker complete control over the VPN gateway appliance. Because these devices sit at the network perimeter and handle all remote access traffic, the blast radius is exceptionally large:

How the Vulnerability Works

The buffer overflow occurs in the IFT (Ivanti Fieldwork Terminal) service that handles initial SSL/TLS negotiation. An attacker sends a specially crafted packet during the handshake phase — before any authentication occurs — with a malformed length field that causes the service to copy more data into a fixed-size stack buffer than it can hold.

# Simplified representation of the vulnerable code path
void handle_ift_request(char *data, size_t len) {
    char buf[512];          // Fixed-size stack buffer
    size_t claimed_len = get_claimed_length(data);  // Attacker-controlled
    memcpy(buf, data, claimed_len);  // No bounds check — overflow here
    process_ift(buf);
}

The overflow overwrites the saved return address on the stack. With ASLR partially effective on the appliance firmware, attackers used information disclosure from companion vulnerability CVE-2025-0283 to defeat randomization and achieve reliable exploitation.

Detection

Log Analysis

Look for these indicators in Ivanti Connect Secure logs:

# Suspicious IFT service crashes (pre-exploitation)
grep "ift" /var/log/messages | grep -i "crash\|segfault\|core dump"

# Unexpected outbound connections from gateway
grep "CONNECT\|tunnel" /var/log/esap.log | grep -v "known-good-ips"

# SPAWNSNAIL SSH backdoor on non-standard port
netstat -tlnp | grep -v ":22 \|:443 \|:80 "

Network Indicators

Ivanti Integrity Checker Tool (ICT)

Ivanti released an Integrity Checker Tool specifically for this incident. Run the external ICT against all gateways — the internal ICT was compromised by the SPAWNANT installer in some incidents.

Mitigation

  1. Patch immediately: Upgrade to Connect Secure 22.7R2.5 or later. This is a mandatory action with no viable workaround.
  2. Factory reset before patching: Due to firmware-level persistence, Ivanti recommends performing a factory reset before applying patches on potentially compromised devices.
  3. Rotate all credentials: Any credential that passed through the VPN gateway must be considered compromised. Rotate VPN passwords, certificates, and any credentials authenticated through the gateway.
  4. Review gateway logs: Audit access logs for the 90 days prior to patching for signs of unauthorized access.
  5. Implement network segmentation: Restrict VPN gateway outbound connectivity to only necessary destinations.
  6. Deploy EDR on gateway: Where supported, deploy endpoint detection on gateway appliances.

💡 If Policy Secure or ZTA are affected: Ivanti released patches for Policy Secure and ZTA on January 21, 2025. Do not expose Policy Secure to the internet — it is not designed for external access and should be placed behind a firewall.

KENSAI Detection Capability

KENSAI's automated security assessment platform detects CVE-2025-0282 exposure through multiple detection layers:

Is Your Ivanti Infrastructure Exposed?

KENSAI scans your external attack surface for CVE-2025-0282 and 50,000+ other vulnerabilities. Get a full inventory of exposed VPN gateways and remote access infrastructure in minutes.

Start Free Scan →

Related Articles

SentinelOne ने 8-चरण घुसपैठ किल चेन का मानचित्रण किया, SANS रिपोर्ट AI साइबर कार EU Council Adds Nudification Ban to AI Act Infinity Stealer colpisce macOS tramite ClickFix, Red Menshen impianta BPFDoor n