On-Demand Webinar: Deep Session Inspection and rich metadata can change your security game.
Get a Demo

Vulnerabilities

CVE-2025-0282

CVE-2025-0282: Ivanti Connect Secure RCE — Exploited ZeroDay & Response Guide

Vulnerability Overview

CVE ID: CVE-2025-0282

CVE Title: Ivanti Connect Secure — Unauthenticated StackBased Buffer Overflow (RCE)

Severity: Critical

Exploit Status: Actively exploited in the wild (observed midDec 2024 onward); public proofofconcepts became available in January 2025.

Business Risk: Remote takeover of edge VPN/appliance devices without needing credentials — enables malware installation, persistent backdoors, credential harvesting, lateral movement, and data theft. This poses major operational disruption and elevated risk to downstream systems and services.

Summary

CVE-2025-0282 is a stack-based buffer overflow in Ivanti Connect Secure (also impacting Policy Secure and Neurons for ZTA gateways at specific releases). A remotely delivered, unauthenticated request can overflow a fixedsize stack buffer and lead to arbitrary code execution. Attackers exploiting the flaw have chained the initial compromise into multistage intrusions (web shells, dropper scripts, and persistent components) that hide activity and enable further access into victim networks.

Urgent Actions Required

  • Patch immediately: Ivanti Connect Secure → 22.7R2.5; apply fixes for Policy Secure and Neurons for ZTA when available.
  • Run Ivanti ICT scans (internal and external) right away.
  • If compromise found, isolate the appliance from the network.
  • Factory reset or rebuild compromised devices, then install patched firmware.
  • Rotate credentials, keys, API tokens, and admin passwords.
  • Check for attacker activity: disabled SELinux, remounted drives, modified syslog, web shells in dana-na/auth/, SPAWN and DRYHOOK files.
  • Monitor for unusual outbound tunnels or LDAP/AD activity.

Which Systems Are Vulnerable to CVE-2025-0282?

Technical Overview

  • Vulnerability Type: Stack‑based buffer overflow allowing unauthenticated remote code execution
  • Affected Software/Versions:
    • Ivanti Connect Secure: 22.7R2 through 22.7R2.4 (fixed in 22.7R2.5)
    • Ivanti Policy Secure: 22.7R1 through 22.7R1.2 (vendor fix published per advisory)
    • Ivanti Neurons for ZTA gateways: 22.7R2 through 22.7R2.3 (fixed in later release; some cloud gateways autoupdated)
  • Attack Vector: Network — a remote actor can exploit the flaw without authenticating.
  • CVSS Score: 9.0
  • CVSS Vector: v3.1
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
  • Patch Availability: Yes, available
    • Ivanti Connect Secure (ICS): Fixed Version: 22.7R2.5[1]
    • Ivanti Policy Secure (IPS): Fixed Version: 22.7R1.3[2]
    • Ivanti Neurons for Zero Trust Access (ZTA): Fixed Version: 22.8R2[3]

How Does the CVE-2025-0282 Exploit Work?

The attack typically follows these steps:

How Does the CVE-2025-0282 Exploit Work

What Causes CVE-2025-0282?

Vulnerability Root Cause:

A boundschecking bug in the Ivanti web process allows a specially crafted clientCapabilities value to overflow a 256byte stack buffer. The code incorrectly uses strncpy with the source length rather than the destination size, producing an outofbounds write that can corrupt return addresses and vtable/this pointers. Exploiting this lets an unauthenticated remote attacker achieve code execution in the web process ( /home/bin/web ) on affected 22.7R2 builds. In observed incidents the overflow was chained to a setuid ELF stager and the PHASEJAM dropper to install Perl web shells and persistent backdoors.

How Can You Mitigate CVE-2025-0282?

If immediate patching is delayed or not possible:

  • Run Ivanti’s Integrity Checker Tool (ICT) — both internal and external scans.
  • Hunt the appliance and any connected systems for compromise using ICT plus other monitoring tools.
  • If hunting finds no compromise: consider a factory reset for highest confidence (physical appliances) or rebuild from a known clean image for cloud/VMs.
  • If evidence of compromise is found: isolate the appliance from the network and report to Ivanti and CISA.
  • Factory reset compromised appliances (or restore from a clean image), then install the patched firmware before returning to service.
  • Revoke and reissue exposed credentials, keys, API tokens, and certificates. Reset the admin enable password.
  • For compromised domain accounts: reset passwords twice, revoke Kerberos tickets, and revoke cloud/device tokens as applicable.
  • Audit privileged accounts and monitor authentication/identity services closely.
  • Hunt for the specific attacker activity shown in the reports (examples to look for): setenforce 0, iptables rules blocking syslog, mount -o remount,rw /, staged files under /tmp (e.g., /tmp/s, /tmp/svb), web shells in dana-na CGI files, and SPAWN/PHASEJAM/DRYHOOK artifacts.
  • Continue active monitoring after remediation; run ICT in conjunction with other security telemetry.

Which Assets and Systems Are at Risk?

Asset Types Affected:

  • Ivanti Connect Secure VPN appliances (vulnerable 22.7R2 → 22.7R2.4).
  • Ivanti Policy Secure appliances (vulnerable 22.7R1 → 22.7R1.2).
  • Ivanti Neurons for ZTA gateways (vulnerable 22.7R2 → 22.7R2.3).

Business-Critical Systems at Risk:

  • Remote access infrastructure (VPN sessions and gateways).
  • Identity services and directories (LDAP / AD) — attackers used appliance accounts to query LDAP.
  • Administrative interfaces on the appliance (web shells and modified helpers give remote command execution).
  • Session/store material (LMDB cache) — reported as archived and staged for exfiltration (session cookies, API keys, certs).
  • Downstream hosts reached via lateral movement (RDP/SMB) using harvested credentials.

Exposure Level:

  • High risk for internetfacing Connect Secure instances.
  • Researchers reported ~12,335 potentially vulnerable internetexposed Connect Secure instances (Jan 13, 2025).
  • Censys identified ~33,542 exposed Connect Secure instances (public internet scan).
  • Policy Secure is typically not intended to be internetfacing (lower exposure when configured correctly).
  • Neurons ZTA gateways are not exploitable in normal production if connected to a controller, but generated/leftunattached gateways can be at risk.

Will Patching CVE-2025-0282 Cause Downtime?

Patch application impact: Low to moderate. Updating Ivanti Connect Secure to 22.7R2.5 usually requires a brief maintenance window. Policy Secure and Neurons for ZTA may need longer downtime if factory reset is required after compromise.

How Can You Detect CVE20250282 Exploitation?

Exploitation Signatures:

  • HTTP requests for Host Checker / launcher artifacts, e.g. /dana-cached/hc/hc_launcher.* in sequence (version enumeration).
  • IFT/IFTTLS requests that include an unusually long clientCapabilities field (>>256 bytes).
  • Repeated requests originating from known VPS or Tor exit nodes to the above URLs.

MITRE ATT&CK Mapping:

  • T1190[8] — Exploit publicfacing application (initial RCE).
  • T1059[9] — Command and scripting interpreter (web shells / script droppers).
  • T1078[10] — Valid accounts (use of LDAP/service accounts for lateral movement).
  • T1573[11] / T1071[12] (app layer) — Use of tunneling/backdoors (SPAWNMOLE / C2 over app protocols).

Indicators of Compromise (IOCs/IOAs):

  • File paths / artifacts
    • /tmp/s, /tmp/svb, /tmp/.t, /tmp/.liblogblock.so
    • /home/webserver/htdocs/dana-na/jam/getComponent.cgi
    • /home/webserver/htdocs/dana-na/auth/restAuth.cgi
    • /home/bin/remotedebug (replaced/hooked)
    • /home/perl/DSUpgrade.pm (modified)
    • /home/etc/manifest/manifest (hash updates)
    • /root/lib/libupgrade.so, /root/home/lib/libsocks5.so, /root/home/lib/libsshd.so
    • /tmp/cmdmmap.kuwMW (DRYHOOK credential output)
  • Commands observed
    • setenforce 0
    • iptables -A OUTPUT -p (tcp|udp) --dport 514 -j DROP (and 6514)
    • mount -o remount,rw /
    • dmesg -C
    • sed -i '/segfault/d' debuglog
    • rm -rf /data/var/statedumps/* /data/var/cores/*
  • Network / IPs (reported by Unit42)
    • 185.219.141.95 (Nord VPN node seen)
    • 185.195.71.244 (Tor exit node seen)
    • 193.149.180.128 (C2)
    • 168.100.8.144 (C2)

Behavioral Indicators:

  • Sudden SELinux disablement and iptables rules blocking syslog ports.
  • Root filesystem remounted read/write followed by creation of files under /tmp.
  • New or modified CGI files under dana-na containing AccessAllow() or base64 blocks.
  • Manifest SHA256 entries updated to new values after file modifications.
  • Removal/shortening of debug logs and cleared kernel messages.
  • Unexpected outbound tunnels or persistent C2 connections from the appliance.
  • LDAP queries issued from the appliance using service account credentials.

Alerting Strategy:

  • Priority: Critical
  • Trigger alerts for:
    • Requests to /dana-cached/hc/hc_launcher.* from suspicious IPs or repeated versionenumeration requests.
    • HTTP/IFT requests containing clientCapabilities or equivalent with length > 256 bytes.
    • Execution of the exact commands listed above (setenforce 0, mount -o remount,rw /, iptables syslog drops).
    • Creation of any of the IOC file paths or modification timestamps on getComponent.cgi, restAuth.cgi, /home/perl/DSUpgrade.pm, or /home/etc/manifest/manifest.
    • Detection of the listed IPs initiating connections to the appliance.
    • New processes or binaries matching SPAWN/PHASEJAM/DRYHOOK file names or hashes.
    • Sudden disappearance or truncation of debug logs and state dump files.

Remediation & Response

Remediation Timeline:

Immediate:

  • Apply Ivanti fixes: update Connect Secure → 22.7R2.5 and apply vendor updates for Policy Secure / Neurons for ZTA as provided.
  • Run Ivanti ICT (internal and external) to check for signs of compromise.
  • If ICT or telemetry indicates compromise, isolate the appliance and report to Ivanti and CISA.

Short term (after detection)

  • If compromise is confirmed: factory reset the physical appliance or rebuild from a known-clean image for cloud/VM instances.
  • Install the patched firmware on the cleaned device before returning to service.
  • Revoke and reissue exposed credentials, API keys, certificates; reset admin enable password.

Recovery & validation

  • Run ICT again and continue monitoring with other security tooling to confirm the device is clean and behaving normally.
  • Audit privileged accounts and monitor authentication/identity services for anomalies.

Rollback Plan:

  • If the upgrade cannot be completed or causes problems, restore the appliance from a known-clean image or perform a factory reset and then reapply the vendor patch once issues are resolved.
  • If needed, open a support case with Ivanti for guidance (per vendor advisory).

Incident Response Considerations:

  • Isolate suspected appliances immediately to limit lateral movement.
  • Preserve forensic artifacts before reset: ICT outputs, debug/application logs (including debuglog and log.events.vc0), /home/etc/manifest/manifest, modified CGI files (e.g., getComponent.cgi, restAuth.cgi), /tmp staging files (e.g., /tmp/s, /tmp/svb, /tmp/.t), and any core/state dumps if present.
  • Hunt connected systems for post-exploit activity (LDAP queries, unusual RDP/SMB activity, tunneled connections).
  • Report confirmed compromises to Ivanti and to CISA as instructed in the mitigation guidance.
  • Credential response: revoke and reissue keys/certificates, reset admin and local account passwords; if domain accounts were compromised follow recommended domain steps (reset twice, revoke Kerberos tickets, revoke cloud/device tokens).
  • Post-remediation: only return the device to production after factory reset/rebuild, patched firmware installed, and ICT + telemetry show no compromise.

Compliance & Governance Notes

Standards Impacted:

  • Report confirmed compromises to Ivanti and CISA as instructed in vendor and CISA guidance.
  • Follow CISA’s mitigation instructions and any timelines in the KEV entry.

Audit Trail Requirement:

  • Save Integrity Checker Tool (ICT) outputs (internal and external) and retain them with timestamps.
  • Preserve relevant appliance logs and artifacts before any destructive remediation: debuglog, log.events.vc0, /home/etc/manifest/manifest, modified CGI files (e.g., getComponent.cgi, restAuth.cgi), and /tmp staging files (e.g., /tmp/s, /tmp/svb, /tmp/.t).
  • Record patch actions: date/time, engineer/operator, appliance serial/ID, prior version and new version, and ICT results pre/post upgrade.
  • Keep a change-management entry for any factory reset, rebuild, or firmware upgrade performed as part of remediation.

Policy Alignment:

  • Require regular ICT scanning (internal and external) for Connect Secure appliances and incorporate ICT results into vulnerability tracking.
  • Mandate forensic preservation steps in the IR plan: isolate device, export ICT results, collect debug/application logs and manifests before reset.
  • Add credential-recovery procedures to vulnerability response: revoke/reissue admin passwords, API keys, certificates, and follow recommended domain account steps if domain credentials were exposed.
  • Make factory reset + rebuild from known-clean image an accepted remediation path when ICT shows compromise.

Where Can I Find More Information on CVE-2025-0282?

  1. ^Ivanti Connect Secure Release Notes
  2. ^Ivanti Policy Secure Release Notes
  3. ^Ivanti nZTA Release Notes 22.8R1.4 nZTA Release Notes
  4. ^CVE Record: CVE-2025-0282
  5. ^NVD – CVE-2025-0282
  6. ^Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283)
  7. ^Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog
  8. ^T1190 – Exploit Public-Facing Application
  9. ^T1078 – Valid Accounts
  10. ^T1059 — Command and scripting interpreter (web shells / script droppers)
  11. ^Encrypted Channel, Technique T1573 – Enterprise | MITRE ATT&CK®
  12. ^Application Layer Protocol, Technique T1071 – Enterprise | MITRE ATT&CK®

CVSS Breakdown Table

MetricValue Description
Base Score9.0Severe remote RCE with large impact and exploitability (as reported by Ivanti / NVD)
Attack VectorNetworkExploitable remotely over the appliance’s network-facing interfaces
Attack ComplexityHighExploitation requires version-specific conditions and crafted IFT/TLS input
Privileges RequiredNoneNo authentication required to exploit
User Interaction NoneNo user action needed
Scope Changed Exploit can affect components beyond the vulnerable routine
Confidentiality Impact HighSuccessful exploit can disclose sensitive session/certificate/credential material
Integrity ImpactHighExploit allows arbitrary code execution and modification of system files
Availability ImpactHighExploit can disrupt appliance operation and enable persistent tampering

See How Fidelis Network® Cloud Simplifies and Strengthens Your Security

Download the Datasheet

Related Readings

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.

Get a Demo