Fri, Jan 10, 2025

Ivanti Discloses Active Exploitation of Zero-Day Vulnerability

Note: These vulnerabilities remain under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.

Ivanti has disclosed vulnerabilities affecting Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS) and Ivanti Neurons for Zero Trust Access (ZTA) Gateways. According to Ivanti, CVE-2025-0282 has been exploited on a limited number of ICS appliances. There are no confirmed reports of exploitation for Ivanti Policy Secure or ZTA Gateways. There is no indication that CVE-2025-0283 is actively exploited or chained.

CVE-2025-0282 - CVSS: 9.0

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2 and Ivanti Neurons for ZTA Gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.

CVE-2025-0283 - CVSS: 7.0

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2 and Ivanti Neurons for ZTA Gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.

Previous Exploitations

During previous exploitation of high-profile Ivanti vulnerabilities in January 2024, Kroll observed mass exploitation and web shell deployment soon after the release of the advisory. It is therefore prudent to be prepared and to take mitigative action as soon as possible.

Kroll is aware that this activity has been attributed to a subgroup of a Chinese APT that Kroll tracks as KTA399.

Mitigation for CVE-2025-0282 and CVE-2025-0283

Ivanti provides an Internal or External Integrity Checker Tool (ICT) for assessing devices for compromise. The latest External ICT release, ICT-V22725, is designed to operate only with ICS version 22.7R2.5 and above.

Note: Kroll highly recommends running the ICT and saving its output, so that artifacts are preserved for further analysis, before factory resetting or updating devices.

Refer to the Ivanti Advisory for information on executing the tool, up-to-date information, and advice on patching and mitigation.

Below are some key recommendations from Kroll’s Cyber Threat Intelligence (CTI) Team:

  • For ICS: Upgrade to 22.7R2.5. Monitor for potential compromise using the ICT and other security tools. Perform a factory reset if suspicious files or activity are identified.
  • For IPS: Follow Ivanti’s guidance to keep the appliance non-internet-facing until the patch is released.
  • For ZTA Gateways: Ensure gateways are not left unconnected to a ZTA controller. Apply the upcoming patch once available.
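As an added example (not Kroll's or Ivanti's code), the following Python helper triages an appliance inventory against the fixed versions quoted above. It assumes version strings use the MAJOR.MINOR R RELEASE.PATCH shape shown on this page (e.g. 22.7R2.5); the hostnames in the sample inventory are constructed.

```python
import re
from typing import Dict, Iterable, Tuple

# Fixed versions for CVE-2025-0282 / CVE-2025-0283, as quoted in the advisory text above.
FIXED_VERSIONS = {
    "ICS": "22.7R2.5",  # Ivanti Connect Secure
    "IPS": "22.7R1.2",  # Ivanti Policy Secure
    "ZTA": "22.7R2.3",  # Ivanti Neurons for ZTA Gateways
}

# Assumption: versions look like 22.7R2.5 (the trailing .PATCH may be absent).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5); '22.7R2' becomes (22, 7, 2, 0)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(product: str, version: str) -> bool:
    """True when the installed version is below the fixed version for the product.

    Both CVEs share the same fixed versions, so one comparison answers for both.
    """
    fixed = FIXED_VERSIONS[product.upper()]
    return parse_version(version) < parse_version(fixed)


def triage(inventory: Iterable[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map (host, product, version) entries to a verdict: PATCH, ok, or unknown."""
    results: Dict[str, str] = {}
    for host, product, version in inventory:
        try:
            results[host] = "PATCH" if is_affected(product, version) else "ok"
        except (KeyError, ValueError) as exc:
            results[host] = f"unknown ({exc})"  # unparseable version or unknown product
    return results


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("vpn-1.example", "ICS", "22.7R2.4"),
    ("vpn-2.example", "ICS", "22.7R2.5"),
    ("nac-1.example", "IPS", "22.7R1.1"),
    ("zta-1.example", "ZTA", "22.7R2.3"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

A "PATCH" verdict only flags exposure to the vulnerable version range; it does not replace running the ICT to check a device for compromise.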

Note: Kroll’s CTI Team has further frontline information including indicators of compromise from affected clients. If you need further information or assistance from our CTI Team, please do get in touch with us.