
Security flaw affecting Ivanti VPNs allows hackers to deploy malware

And one more. In a security advisory posted to its site on January 8, IT security and management software company Ivanti warned that hackers had exploited a remote code execution vulnerability in some of its VPN products. It is a 0-day security flaw, meaning it was being exploited before it was discovered and before a patch was available.

A “limited number of devices” hacked, according to Ivanti

The exploited vulnerability, referenced CVE-2025-0282 and carrying a CVSS severity score of 9.0, is a critical stack-based buffer overflow. The American company specifies that a “limited number of Ivanti Connect Secure devices” had been compromised through this flaw at the time of disclosure; Connect Secure is one of the most widely used SSL VPN solutions in businesses. The vulnerability can also be exploited without authentication on its Policy Secure and Neurons for ZTA (Zero Trust Access) gateways.

Ivanti also discovered a second vulnerability (CVE-2025-0283), of the same nature but less serious (CVSS 7.0), of which the company said it had “no knowledge of any exploitation”. While successful exploitation of the first vulnerability “could lead to remote code execution” and the subsequent installation of malware, the second could allow an “authenticated local attacker to elevate their privileges”. The software publisher has since confirmed that a patch is available for Connect Secure products, but that Policy Secure and Neurons for ZTA would not receive a first patch until January 21.

CERT-FR, the French government centre for alerting and responding to computer attacks, which reports to Anssi, published a bulletin on these vulnerabilities on January 9, giving the procedure to follow for the companies concerned. It says this security flaw remains “actively exploited”.

Mandiant suspects China-linked group

Threat analysis company Mandiant said yesterday that it had observed hackers exploiting this 0-day flaw in Connect Secure products since mid-December 2024. While it cannot, at this time, attribute these attacks to a specific actor, it explains that it has observed the deployment of malware on these products by UNC5337 and UNC5221. Both are espionage groups linked to China.


These new security flaws add to the long list of vulnerabilities in Ivanti products identified in recent months, affecting the three solutions mentioned above as well as its endpoint monitoring tool (EPMM) and its device management tool Avalanche. At the beginning of last year, CISA, the American cybersecurity agency, was itself hacked following the exploitation of security flaws in Connect Secure and Policy Secure. The authority then gave the country’s 102 federal agencies 48 hours to disconnect all Ivanti devices from their networks before reconfiguring them.

Anssi keeps a watchful eye

Anssi also declared at the beginning of last year that around a hundred organizations had been targeted by a cyberattack following the exploitation of flaws in Ivanti products. Fortunately, little lateral movement had been observed, with the attackers mainly seeking to break into the targeted companies’ systems.
