Critical Ivanti Connect Secure zero-day flaw under attack
Although Ivanti has seen exploitation of CVE-2025-0282 in only Ivanti Connect Secure instances, Ivanti Policy Secure and ZTA gateways are also vulnerable to the flaw.
A critical vulnerability that affects Ivanti's Connect Secure, Policy Secure and ZTA gateway products is under attack, the network security vendor disclosed Wednesday.
The vulnerability, tracked as CVE-2025-0282, is a stack-based buffer overflow that received a 9.0 CVSS score. The zero-day flaw affects Ivanti Connect Secure versions prior to 22.7R2.5, Ivanti Policy Secure versions prior to 22.7R1.2, and Ivanti Neurons for ZTA gateways versions prior to 22.7R2.3. According to an Ivanti security advisory published Wednesday, the flaw "allows a remote unauthenticated attacker to achieve remote code execution."
Ivanti also disclosed CVE-2025-0283, a stack-based buffer overflow vulnerability that affects the same versions of Ivanti's products but enables a local authenticated attacker to escalate privileges. CVE-2025-0283 is a high-severity vulnerability with a 7.0 CVSS score.
Ivanti said in its security advisory that the company is "aware of a limited number of customers' Ivanti Connect Secure appliances being exploited by CVE-2025-0282 at the time of disclosure" but is not aware of the CVEs being exploited in Policy Secure or ZTA gateways. The vendor said it is not aware of any exploitation of CVE-2025-0283 at the time of disclosure. Exploitation of CVE-2025-0282 is detectable with Ivanti's Integrity Checker Tool (ICT).
Mandiant and Microsoft's Threat Intelligence Center were credited in the advisory. Ivanti said it discovered CVE-2025-0283 during threat hunting for the zero-day vulnerability. Patches are available now for vulnerable versions of Ivanti Connect Secure. In the case of Policy Secure and ZTA gateways, Ivanti plans to make patches available Jan. 21.
In a blog post published alongside the advisory Wednesday, Ivanti said it detected threat actor activity via the ICT on the same day the activity occurred, "enabling Ivanti to respond promptly and rapidly develop a fix."
"We continue to work closely with affected customers, external security partners, and law enforcement agencies as we respond to this threat," the blog post read. "We strongly advise all customers to closely monitor their internal and external ICT as a part of a robust and layered approach to cybersecurity to ensure the integrity and security of the entire network infrastructure."
CVE-2025-0282 marks the latest Ivanti zero-day to be disclosed in the past 12 months. In October, Ivanti disclosed that threat actors were chaining vulnerabilities together to target Cloud Service Application customers. Last January, two Ivanti Policy and Connect Secure zero-days, CVE-2023-46805 and CVE-2024-21887, faced massive exploitation and led to multiple victims, including CISA.
Alexander Culafi is a senior information security news writer and podcast host for Informa TechTarget.