A critical vulnerability in Ivanti Connect Secure, tracked as CVE-2025-0282, has been actively exploited in the wild, leading to significant security concerns for organizations using the affected products. The flaw, which has a CVSS score of 9, is a stack-based buffer overflow that allows remote unauthenticated attackers to execute arbitrary code. This vulnerability affects Ivanti Connect Secure versions prior to 22.7R2.5, Ivanti Policy Secure before 22.7R1.2, and Ivanti Neurons for ZTA gateways before 22.7R2.3.
The exploitation of CVE-2025-0282 was detected before its public disclosure, marking it as a zero-day vulnerability. It has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, underscoring its severity and the urgency for organizations to patch affected systems. The vulnerability's Exploit Prediction Scoring System (EPSS) score is notably high at 0.941, indicating a significant likelihood of exploitation.
Attackers have leveraged this flaw to deploy ransomware, with groups such as 0apt, Akira, RansomHub, and Sinobi identified as utilizing the vulnerability in their campaigns. The exploitation has been particularly prevalent in Japan, where the DslogdRAT malware has been distributed via this zero-day.
Technical analysis reveals that the vulnerability stems from improper handling of input data, leading to a buffer overflow condition. This allows attackers to inject and execute malicious code remotely, potentially gaining full control over the affected systems. The availability of a proof-of-concept (PoC) exploit, with at least 11 known instances, further exacerbates the risk, providing attackers with a ready-made tool to exploit vulnerable systems.
The scale of the threat is significant, with over 33,000 instances of Ivanti Connect Secure reportedly exposed to the internet, making them potential targets for exploitation. Organizations using these products are advised to upgrade to the latest versions immediately to mitigate the risk. Ivanti has released patches addressing the vulnerability, and it is crucial for administrators to apply these updates without delay.
Security experts recommend that organizations also review their network configurations and implement additional security measures, such as network segmentation and intrusion detection systems, to further protect against potential exploitation. Monitoring for unusual activity and ensuring robust backup and recovery processes are in place can also help mitigate the impact of a successful attack.
Given the critical nature of CVE-2025-0282 and its active exploitation by ransomware groups, organizations should prioritize patching and take immediate action to secure their systems. The inclusion of this vulnerability in the KEV list and its exploitation in high-profile attacks highlight the ongoing threat posed by unpatched security flaws in widely used enterprise software.
CSURFACE