CVE-2025-0282: Ivanti Connect Secure Unauthenticated RCE
A critical stack-based buffer overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways allows unauthenticated remote attackers to execute arbitrary code. Actively exploited by state-sponsored threat actors before patch availability. CVSS score: 9.0 CRITICAL.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-0282 |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-121: Stack-based Buffer Overflow |
| Published | January 8, 2025 |
| Exploitation | Active — CISA KEV listed |
What Is CVE-2025-0282?
CVE-2025-0282 is a stack-based buffer overflow vulnerability in Ivanti Connect Secure (formerly Pulse Secure VPN), Ivanti Policy Secure, and Ivanti Neurons for ZTA Gateways. The vulnerability exists in the SSL VPN gateway component and can be triggered by an unauthenticated attacker over the network.
The flaw was discovered by Mandiant researchers who identified active exploitation by a Chinese state-sponsored threat group (tracked as UNC5337) deploying the SPAWN malware family, including SPAWNANT, SPAWNMOLE, and SPAWNSNAIL implants for persistent access.
🚨 Actively Exploited
CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities catalog on January 8, 2025, with a mandatory remediation deadline. Over 3,000 internet-facing Ivanti gateways were compromised before patches were widely applied. Post-exploitation activity included credential harvesting, lateral movement, and deployment of persistent rootkits.
Affected Systems
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Ivanti Connect Secure | 22.7R2 through 22.7R2.4 | 22.7R2.5 |
| Ivanti Policy Secure | 22.7R1 through 22.7R1.2 | 22.7R1.3 (Jan 21) |
| Ivanti Neurons ZTA | 22.7R2 through 22.7R2.3 | 22.7R2.5 |
Technical Impact
Successful exploitation of CVE-2025-0282 grants an unauthenticated attacker complete control over the VPN gateway appliance. Because these devices sit at the network perimeter and handle all remote access traffic, the blast radius is exceptionally large:
- Full system compromise: Root-level code execution on the gateway appliance
- Credential interception: All VPN authentication credentials passing through the device
- Network pivot: Direct access to internal corporate networks bypassing perimeter controls
- Persistent backdoor: Attackers deployed firmware-level implants surviving factory resets
- Lateral movement: Gateway's trusted network position enables internal recon and attacks
How the Vulnerability Works
The buffer overflow occurs in the IFT (Ivanti Fieldwork Terminal) service that handles initial SSL/TLS negotiation. An attacker sends a specially crafted packet during the handshake phase — before any authentication occurs — with a malformed length field that causes the service to copy more data into a fixed-size stack buffer than it can hold.
# Simplified representation of the vulnerable code path
void handle_ift_request(char *data, size_t len) {
char buf[512]; // Fixed-size stack buffer
size_t claimed_len = get_claimed_length(data); // Attacker-controlled
memcpy(buf, data, claimed_len); // No bounds check — overflow here
process_ift(buf);
}
The overflow overwrites the saved return address on the stack. With ASLR partially effective on the appliance firmware, attackers used information disclosure from companion vulnerability CVE-2025-0283 to defeat randomization and achieve reliable exploitation.
Detection
Log Analysis
Look for these indicators in Ivanti Connect Secure logs:
# Suspicious IFT service crashes (pre-exploitation) grep "ift" /var/log/messages | grep -i "crash\|segfault\|core dump" # Unexpected outbound connections from gateway grep "CONNECT\|tunnel" /var/log/esap.log | grep -v "known-good-ips" # SPAWNSNAIL SSH backdoor on non-standard port netstat -tlnp | grep -v ":22 \|:443 \|:80 "
Network Indicators
- Anomalous TLS handshake failures followed by successful connections
- Outbound connections to unusual IP ranges from the VPN gateway
- New SSH keys added to
/home/user/.ssh/authorized_keys - Modified files in
/home/user/or/tmp/directories
Ivanti Integrity Checker Tool (ICT)
Ivanti released an Integrity Checker Tool specifically for this incident. Run the external ICT against all gateways — the internal ICT was compromised by the SPAWNANT installer in some incidents.
Mitigation
- Patch immediately: Upgrade to Connect Secure 22.7R2.5 or later. This is a mandatory action with no viable workaround.
- Factory reset before patching: Due to firmware-level persistence, Ivanti recommends performing a factory reset before applying patches on potentially compromised devices.
- Rotate all credentials: Any credential that passed through the VPN gateway must be considered compromised. Rotate VPN passwords, certificates, and any credentials authenticated through the gateway.
- Review gateway logs: Audit access logs for the 90 days prior to patching for signs of unauthorized access.
- Implement network segmentation: Restrict VPN gateway outbound connectivity to only necessary destinations.
- Deploy EDR on gateway: Where supported, deploy endpoint detection on gateway appliances.
💡 If Policy Secure or ZTA are affected: Ivanti released patches for Policy Secure and ZTA on January 21, 2025. Do not expose Policy Secure to the internet — it is not designed for external access and should be placed behind a firewall.
KENSAI Detection Capability
KENSAI's automated security assessment platform detects CVE-2025-0282 exposure through multiple detection layers:
- Version fingerprinting: KENSAI identifies Ivanti Connect Secure banners and version strings, flagging unpatched instances against the CVE-2025-0282 version range
- Safe exploitation probe: Non-destructive handshake anomaly detection confirms vulnerability without triggering the overflow
- Exposure assessment: Identifies internet-facing Ivanti gateways in your asset inventory
- Post-exploitation indicators: Network traffic analysis detects SPAWN malware C2 communication patterns
- Continuous monitoring: Alerts within minutes of a new unpatched gateway appearing in your external attack surface
Is Your Ivanti Infrastructure Exposed?
KENSAI scans your external attack surface for CVE-2025-0282 and 50,000+ other vulnerabilities. Get a full inventory of exposed VPN gateways and remote access infrastructure in minutes.
Start Free Scan →