Ivanti disclosed two critical zero-day vulnerabilities affecting its Connect Secure, Policy Secure, and Neurons for ZTA gateways. While the researchers have yet to link the attacks to any advanced persistent threat (APT) group, they have identified several malware samples on compromised systems, including the SPAWN ecosystem of malware as well as newly discovered malware such as a credential harvesting tool called DRYHOOK and a dropper called PHASEJAM.
Both CVEs are stack-based buffer overflow vulnerabilities. Successful exploitation of CVE-2025-0282 could allow unauthenticated remote attackers to execute code on affected devices, while CVE-2025-0283 enables local authenticated attackers to elevate privileges. Researchers have observed active exploitation of Connect Secure appliances only for CVE-2025-0282.
Exploitation risk is low for Ivanti Policy Secure, as it is not intended to be internet facing, and for Ivanti Neurons for ZTA gateways, which cannot be exploited when in production. Risk arises for Ivanti Neurons if the gateway for the solution is generated and left unconnected to a ZTA controller.
Vulnerable Versions
CVE-2025-0282:
- Ivanti Connect Secure 22.7R2 through 22.7R2.4.
- Ivanti Policy Secure 22.7R1 through 22.7R1.2.
- Ivanti Neurons for ZTA 22.7R2 through 22.7R2.3.
CVE-2025-0283:
- Ivanti Connect Secure 22.7R2.4 and earlier versions, and 9.1R18.9 and prior.
- Ivanti Policy Secure 22.7R1.2 and earlier versions.
- Ivanti Neurons for ZTA 22.7R2.3 and earlier versions.
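For triaging an appliance inventory against the ranges listed above, the following is an added example (not Ivanti's tooling and not part of the original article). It assumes that "and earlier" stays within the same major release train, and the function names and sample inventory rows are constructed for illustration.

```python
import re

# Ranges transcribed from the list above; a None lower bound encodes
# "and earlier" / "and prior".
AFFECTED = {
    "CVE-2025-0282": {
        "Connect Secure": [("22.7R2", "22.7R2.4")],
        "Policy Secure": [("22.7R1", "22.7R1.2")],
        "Neurons for ZTA": [("22.7R2", "22.7R2.3")],
    },
    "CVE-2025-0283": {
        "Connect Secure": [(None, "22.7R2.4"), (None, "9.1R18.9")],
        "Policy Secure": [(None, "22.7R1.2")],
        "Neurons for ZTA": [(None, "22.7R2.3")],
    },
}

_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """'22.7R2.4' -> (22, 7, 2, 4); a missing patch level counts as 0."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    # Integer tuples compare numerically, so R2.10 sorts after R2.4.
    return tuple(int(group or 0) for group in match.groups())


def in_range(version, low, high):
    v, hi = parse_version(version), parse_version(high)
    if low is None:
        # Assumption: "and earlier" applies within the same major train.
        return v[0] == hi[0] and v <= hi
    return parse_version(low) <= v <= hi


def listed_cves(product, version):
    """CVEs whose listed ranges contain this product/version.
    An empty result means 'not in the list above', not 'verified safe'."""
    return sorted(
        cve for cve, products in AFFECTED.items()
        if any(in_range(version, lo, hi) for lo, hi in products.get(product, []))
    )


if __name__ == "__main__":
    # Constructed inventory rows for illustration.
    for row in [("Connect Secure", "22.7R2.3"), ("Connect Secure", "22.7R2.5"),
                ("Policy Secure", "22.7R1.2"), ("Connect Secure", "9.1R18.9")]:
        print(row, listed_cves(*row) or "not listed")
```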
Mitigations & Recommendations
Ivanti has released patches for Connect Secure (version 22.7R2.5). However, patches for Policy Secure and Neurons for ZTA are expected by January 21, 2025.
Customers are strongly advised to apply the released patches for Connect Secure and to use Ivanti’s Identity Checker Tool (ICT), which offers a snapshot of the current state of the appliance. If ICT results show signs of compromise, the vendor recommends a factory reset of the appliance, followed by patching to version 22.7R2.5.
Ivanti advisory can be found here