Ivanti Connect Secure / Policy Secure / ZTA, stack buffer overflow pre-auth RCE
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
Overview
CVE-2025-0282 is a critical stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways. This pre-authentication remote code execution (RCE) vulnerability allows unauthenticated network attackers to execute arbitrary code as root on vulnerable appliances. The vulnerability was exploited as a zero-day starting in December 2024 by UNC5337, a threat actor suspected to have ties to China. This marks the second major pre-authentication RCE affecting the Ivanti Connect Secure product line within 12 months, following the CVE-2023-46805 and CVE-2024-21887 chain from early 2024.
Technical Details
The vulnerability exists in the Connect Secure web stack, specifically in the IF-T/TLS handshake path. An attacker can send a specially crafted HTTP request to trigger a stack-based buffer overflow condition. Successful exploitation grants the attacker code execution with root privileges on the appliance, requiring no prior authentication.
The vulnerability is classified as a stack-based buffer overflow (CWE-121). The attack vector is network-based, meaning any Internet-exposed appliance is at risk from remote attackers without requiring user interaction or special privileges.
Impact
Successful exploitation results in complete appliance compromise with root-level access. Attackers gain access to sensitive credentials stored on the appliance, including Active Directory bind credentials, RADIUS secrets, and SAML signing certificates. The compromised appliance can serve as a pivot point for lateral movement into the internal network.
Mandiant attributed active exploitation to UNC5337 (with suspected overlap to UTA0178/UNC5221 clusters), documenting deployment of multiple malware families including SPAWN, DRYHOOK, and PHASEJAM on compromised appliances. The blast radius mirrors the 2024 Ivanti incident chain, representing a significant threat to enterprise environments.
Mitigation
- Apply patches immediately: Upgrade to Connect Secure 22.7R2.5, Policy Secure 22.7R1.2, or ZTA Gateways 22.7R2.3
- Run the Integrity Checker Tool (ICT) against all appliances, both internal and external-facing
- Assume compromise for any appliance that was Internet-exposed during the exposure window, and rebuild it from clean OVA images
- Rotate all credentials the appliance had access to, including AD bind accounts, RADIUS shared secrets, and SAML signing certificates
Detection
Organizations should use Ivanti's Integrity Checker Tool (ICT) to scan all appliances for indicators of compromise. Monitor for the presence of the SPAWN, DRYHOOK, and PHASEJAM malware families. Review logs for anomalous HTTP requests targeting the IF-T/TLS handshake path. Network monitoring for unusual outbound connections from Ivanti appliances may also indicate compromise.