
Ivanti zero-day patching increases amid ongoing attacks

Recent scans conducted by the Shadowserver Foundation show many organizations have patched Ivanti instances vulnerable to CVE-2025-0282 over the last week.

Security researchers say organizations appear to be rapidly mitigating the latest critical Ivanti zero-day vulnerability, which was exploited by Chinese nation-state hackers last week.

On Jan. 9, Ivanti disclosed that attackers exploited a stack-based buffer overflow zero-day vulnerability, tracked as CVE-2025-0282, that affects Ivanti Connect Secure, Ivanti Policy Secure and ZTA Gateways. Mandiant connected the attacks to UNC5337, a Chinese nexus actor linked last year to the exploitation of two other Ivanti zero-day flaws -- CVE-2023-46805 and CVE-2024-21887. Both Mandiant and Ivanti urged users to patch, as Ivanti products have become popular targets in recent years.

The Shadowserver Foundation, a nonprofit cybersecurity organization, conducted scans of vulnerable Ivanti instances and found that organizations are patching efficiently. Shadowserver scans taken Jan. 9 showed 2,048 vulnerable Ivanti instances remained worldwide, with the majority located in the U.S. As of Monday, the number dropped to 703.

Informa TechTarget asked Shadowserver how those numbers compared to previous patching rates for CVE-2023-46805 and CVE-2024-21887. While a direct comparison with CVE-2025-0282 was difficult, Shadowserver CEO Piotr Kijewski provided some good news regarding the most recent patch management.

"For the previous flaws you referenced, we had a different scan methodology, and there were also mitigation possibilities we could not detect remotely, so it would be hard to compare," Kijewski said. "It seems, in this case, the patching is reasonably fast, though."

Scott Caveza, a staff research engineer at Tenable, agreed that organizations have responded quickly in remediating CVE-2025-0282. He also highlighted the challenges organizations face when patching devices such as SSL VPNs, which he referred to as the "most critical devices for organizations." For example, he said patching can require scheduled downtime, advance notice to employees, management approvals and backup plans in place.

"Despite the potential technical and operational hurdles, the remediation rate for this vulnerability is promising," Caveza said. "Ideally, we'd see close to 100% remediation at this point, given the nature of the device and the known vulnerability, but there will always be organizations that delay patching out of necessity. Regardless of the reason, patching CVE-2025-0282 should be at the top of the priority list."

While organizations appear to be patching CVE-2025-0282 swiftly, the good news could be short-lived. Caitlin Condon, director of vulnerability intelligence at Rapid7, told Informa TechTarget that she expected to see an initial wave of patching because the zero-day flaw received a high rate of media attention and infosec community discussion. While she couldn't comment on Shadowserver's findings, she offered another reason behind the decrease in vulnerable Ivanti instances.

"It's also possible that some organizations removed their Ivanti devices from the public internet but did not actually patch them," Condon said.

Similarly, Eric Schwake, director of cybersecurity strategy at Salt Security, said that while the patching rate over the last week indicates a favorable trend, it may not be sustained. He raised concerns regarding the hundreds of unpatched instances that remain and put organizations at risk of potential attacks. "Although the reduction in vulnerable instances is promising, the rate of patching remains less than optimal. Critical vulnerabilities, particularly those with publicly accessible exploits, require urgent patching," Schwake said.

Ivanti did not respond to requests for comment at press time.

Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.
