Urgent Security Alert: Hackers Target New Ivanti VPN Vulnerability to Breach Company Networks
U.S. software giant Ivanti has raised alarms regarding a newly discovered zero-day vulnerability in its popular enterprise VPN appliance. This critical security flaw poses a serious risk to the networks of its corporate customers, highlighting the urgent need for organizations to take proactive measures to secure their systems.
Details of the Ivanti VPN Vulnerability
On Wednesday, Ivanti disclosed that the vulnerability, identified as CVE-2025-0282, can be exploited without any authentication. This allows attackers to remotely inject malicious code into Ivanti’s Connect Secure, Policy Secure, and ZTA Gateways products. Notably, Ivanti’s Connect Secure remote-access VPN is described as “the most widely adopted SSL VPN by organizations of every size, across every major industry.”
Previous Security Concerns
This is not the first time Ivanti has faced security challenges. Following a series of mass hacks against its products last year, the company committed to enhancing its security protocols. The recent vulnerability was detected by Ivanti’s Integrity Checker Tool (ICT), which flagged suspicious activity on certain customer appliances.
Active Exploitation and Immediate Response
In an advisory released on Wednesday, Ivanti confirmed that threat actors are actively exploiting CVE-2025-0282 as a zero-day vulnerability. This designation means the company was unaware of the flaw until attackers were already exploiting it, and the exploitation has resulted in a breach of a limited number of customer systems.
- Ivanti currently offers a patch for Connect Secure.
- Patches for Policy Secure and ZTA Gateways will be available by January 21.
- A second vulnerability, CVE-2025-0283, has been identified but remains unexploited.
Impact on Customers and Ongoing Investigations
Ivanti has not disclosed the number of affected customers or the identity of the attackers. Researchers at incident response firm Mandiant and at Microsoft identified the vulnerability. Mandiant noted that hackers began exploiting this zero-day as early as mid-December 2024. The firm suspects that a China-linked cyberespionage group, tracked as UNC5337 and UNC5221, may be behind these attacks. This group previously exploited two zero-day vulnerabilities in Connect Secure in 2024, leading to significant breaches.
Expert Opinions and Recommendations
Ben Harris, CEO of security research firm watchTowr Labs, emphasized the widespread impact of this vulnerability and urged organizations to take immediate action. He stated that the attacks exhibit the characteristics of an advanced persistent threat using a zero-day against a crucial appliance.
Official Advisories and Future Precautions
The U.K.’s National Cyber Security Centre is currently investigating reports of active exploitation affecting U.K. networks. Similarly, the U.S. cybersecurity agency CISA has added the vulnerability to its catalog of known-exploited vulnerabilities, further underscoring the seriousness of this threat.
In light of these developments, organizations using Ivanti products are strongly encouraged to apply available patches, monitor their systems for unusual activity, and remain vigilant against potential cyber threats.