Ivanti discloses critical VPN vulnerability being actively targeted by hackers
January 14, 2025

Hackers are actively targeting deployments of certain Ivanti Inc. software products by exploiting a newly discovered security vulnerability.

On Wednesday, the company disclosed the vulnerability, which is tracked as CVE-2025-0282.

Ivanti is a major provider of infrastructure management and cybersecurity software with more than 40,000 customers. Those clients include several U.S. government agencies, according to the company. CVE-2025-0282 affects three Ivanti products: Connect Secure, Neurons for ZTA Gateways, and Policy Secure.

Connect Secure is a virtual private network, or VPN, tool for businesses. It allows workers to log into their company's systems remotely over an encrypted connection. Ivanti says Connect Secure is one of the most widely used products in its category.

Neurons for ZTA Gateways, the second affected product, is also designed to let workers log into business applications securely. It can be used in conjunction with Connect Secure. The third affected product, Policy Secure, allows administrators to centrally manage employee access to the corporate network.

Hackers began exploiting the vulnerability in mid-December, according to a blog post by Google LLC's Mandiant cybersecurity division. Researchers analyzed several compromised Connect Secure appliances. On one of them they found malware associated with a China-linked hacking group tracked as UNC5337.

“Mandiant suspects with moderate confidence that UNC5337 is part of UNC5221,” Google researchers wrote. “UNC5221 is a suspected Chinese spy who exploited the CVE-2023-46805 and CVE-2024-21887 vulnerabilities that affected Ivanti Connect Secure VPN and Ivanti Policy Security devices back in December 2023.”

The new vulnerability disclosed this week was rated 9.0 out of a maximum possible 10 on the CVSS severity scale. It can be exploited without authentication, meaning attackers do not need valid login credentials to gain access to affected Ivanti products. That makes it considerably easier to carry out an attack.

According to Ivanti, CVE-2025-0282 is a stack-based buffer overflow. Such a flaw lets an attacker write more data into a fixed-size buffer on the program's stack than the buffer was sized to hold. The excess spills into adjacent memory and overwrites whatever is stored there, including the saved return address that determines where the program continues executing, which is how an attacker turns the bug into remote code execution.
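To show what such a flaw looks like in code, here is an added example that is not Ivanti's code and does not reproduce the actual CVE-2025-0282 bug. It models a simplified request-field parser: a one-byte length prefix followed by that many bytes, copied into a fixed-size stack buffer. The wire format, the `FIELD_MAX` constant, the function names and the sample messages are all assumptions constructed for the illustration; the vulnerable version trusts the length byte, the hardened version checks it against both the received data and the destination buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Ivanti's code. Models a simplified request field
 * parser: a one-byte length prefix followed by that many bytes of data,
 * copied into a fixed-size buffer on the stack. The wire format and the
 * constants are assumptions made for this illustration.
 */
#define FIELD_MAX 64   /* bytes of stack reserved for the field, NUL included */

/* Vulnerable: trusts the sender-supplied length byte (0..255) and never
 * compares it with sizeof value (64). A length of 200 writes 136 bytes past
 * the end of value; on typical stack layouts those bytes overwrite the saved
 * frame pointer and return address, handing the sender control of execution. */
int parse_field_vulnerable(const uint8_t *msg, size_t msg_len) {
    char value[FIELD_MAX];
    if (msg_len < 1)
        return -1;
    size_t len = msg[0];
    memcpy(value, msg + 1, len);  /* stack-based buffer overflow when len >= 64 */
    value[len] = '\0';
    return (int)len;              /* bytes accepted */
}

/* Hardened: validate the length against both the bytes actually received and
 * the destination buffer before touching memory. Reject rather than truncate,
 * so a malformed message cannot pass as a shorter valid one. */
int parse_field_safe(const uint8_t *msg, size_t msg_len) {
    char value[FIELD_MAX];
    if (msg_len < 1)
        return -1;                /* no length byte */
    size_t len = msg[0];
    if (len > msg_len - 1)
        return -2;                /* length claims more bytes than were sent */
    if (len >= sizeof value)
        return -3;                /* would overflow value (need room for NUL) */
    memcpy(value, msg + 1, len);
    value[len] = '\0';
    return (int)len;
}

/* Constructed sample messages. */
const uint8_t SAMPLE_OK[] = { 5, 'a', 'l', 'i', 'c', 'e' };         /* well formed */
const uint8_t SAMPLE_TRUNCATED[] = { 9, 'a', 'l', 'i', 'c', 'e' };  /* says 9, sends 5 */

/* Builds a message whose length byte (200) exceeds FIELD_MAX and feeds it to
 * the hardened parser; returns the parser's verdict. */
int parse_oversized_safe(void) {
    uint8_t msg[1 + 200];
    msg[0] = 200;
    memset(msg + 1, 'A', 200);
    return parse_field_safe(msg, sizeof msg);
}

int main(void) {
    printf("well-formed: %d\n", parse_field_safe(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("truncated:   %d\n", parse_field_safe(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("oversized:   %d\n", parse_oversized_safe());
    /* Feeding the oversized message to parse_field_vulnerable would smash the
     * stack, so it is deliberately not called here. */
    return 0;
}
```

The point of the hardened version is the order of checks: the length is compared against what was actually received (so the parser never reads past the message) and against the buffer (so it never writes past it), and both checks happen before the copy. Compilers and stack canaries may catch some overflows at runtime, but the only reliable fix is refusing the copy in the first place.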

Mandiant researchers have determined that cyberattacks targeting CVE-2025-0282 typically occur in stages.

First, the attackers exploit the flaw on a vulnerable Connect Secure appliance and disable SELinux on the underlying Linux system. SELinux is a kernel security module that enforces mandatory access control, restricting which files and operations each process may touch. After disabling SELinux, the attackers block syslog forwarding, the component that ships the appliance's system activity logs to remote servers where administrators can review them.

After that initial phase, the attackers install malicious code on the target device. They then delete the system logs generated by the process and re-enable SELinux, so the appliance looks untouched to a casual inspection.

Ivanti has released a patch for Connect Secure that fixes CVE-2025-0282 and CVE-2025-0283, a second vulnerability disclosed at the same time. Few technical details about the latter flaw are available. The company plans to ship fixes for Neurons for ZTA Gateways and Policy Secure on January 21.

The discovery of the vulnerabilities comes less than a year after researchers found another set of zero-day flaws in Connect Secure and Policy Secure. Hackers are estimated to have exploited those flaws to compromise more than 2,000 customer systems.

Image: Ivanti


2025-01-09 23:46:16
