A recently patched vulnerability in Ivanti Connect Secure VPN appliances has been under active attack, including before a fix was available.
Researchers at Mandiant, Google Cloud's security team, said that one or more threat actors are exploiting CVE-2025-0282 to take over appliances remotely and use them as a way into targeted networks.
The flaw was first exploited as a zero-day; Ivanti has since released an emergency patch and administrators are advised to update their appliances as soon as possible. Patching alone does not evict an intruder who is already on the device, so Ivanti also recommends running its Integrity Checker Tool (ICT), using the external version rather than trusting a possibly compromised appliance to check itself, and performing a factory reset before patching if the ICT reports signs of compromise.
“Ivanti has been working closely with Mandiant, affected customers, government partners, and security vendors to address these issues,” wrote Mandiant researchers John Wolfram, Josh Murchie, Matt Lin, Daniel Ainsworth, Robert Wallace, Dimiter Andonov, Dhanesh Kizhakkinan, and Jacob Thompson. “As a result of their investigation, Ivanti released patches for the vulnerabilities exploited in this campaign and Ivanti customers are urged to follow the actions in the Security Advisory to secure their systems as soon as possible.”
The vulnerability itself is a stack-based buffer overflow. An unauthenticated remote attacker can send a deliberately malformed request whose contents overrun a fixed-size buffer on the stack; because the excess bytes overwrite adjacent stack data, including control-flow data such as the saved return address, the bug can be used to run attacker-supplied code rather than merely crash the service.
In short, an attacker could remotely take over a targeted appliance and use the compromised device to gain a foothold in the network and attack other systems and databases.
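As an added illustration of the bug class (this is not Ivanti's code and not the actual CVE-2025-0282 defect), the C program below shows a request handler that copies a length-prefixed field into a fixed-size stack buffer, first without a bounds check and then with one. To keep the demonstration deterministic and free of undefined behaviour, the stack frame is modelled as a byte array holding a 16-byte buffer followed by an 8-byte "saved return address" slot; the wire format, sizes and function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Ivanti code. The stack frame is modelled as a
 * flat byte array: FIELD_MAX bytes of buffer, then RET_SIZE bytes standing
 * in for the saved return address. Extra slack after that keeps the model
 * itself within bounds even for the largest possible request. */
#define FIELD_MAX   16
#define RET_SIZE    8
#define FRAME_SIZE  (FIELD_MAX + RET_SIZE)

struct frame {
    uint8_t mem[FRAME_SIZE + 255];
};

/* Hypothetical wire format: one length byte, then that many data bytes. */
struct request {
    uint8_t len;
    uint8_t data[255];
};

/* Value the "saved return address" holds before any request is handled. */
static const uint8_t ORIGINAL_RET[RET_SIZE] =
    {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};

static void frame_init(struct frame *f) {
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + FIELD_MAX, ORIGINAL_RET, RET_SIZE);
}

/* Vulnerable pattern: the copy length is taken from the request, not from
 * the size of the destination buffer. Returns bytes copied. */
static size_t copy_field_unchecked(struct frame *f, const struct request *req) {
    memcpy(f->mem, req->data, req->len);   /* req->len may exceed FIELD_MAX */
    return req->len;
}

/* Hardened pattern: validate the length against the buffer before copying.
 * Returns -1 if the field is rejected, otherwise bytes copied. */
static int copy_field_checked(struct frame *f, const struct request *req) {
    if (req->len > FIELD_MAX)
        return -1;
    memcpy(f->mem, req->data, req->len);
    return (int)req->len;
}

/* True while the modelled saved return address is unchanged. */
static int ret_intact(const struct frame *f) {
    return memcmp(f->mem + FIELD_MAX, ORIGINAL_RET, RET_SIZE) == 0;
}

/* Constructed malicious request: fills the buffer, then places an
 * attacker-chosen 8-byte value exactly where the return slot sits. */
static struct request make_malformed_request(void) {
    static const uint8_t fake_ret[RET_SIZE] =
        {0xef, 0xbe, 0xad, 0xde, 0x00, 0x00, 0x00, 0x00};
    struct request req;
    memset(&req, 0, sizeof req);
    req.len = FIELD_MAX + RET_SIZE;          /* 24 bytes: 8 past the buffer */
    memset(req.data, 'A', FIELD_MAX);
    memcpy(req.data + FIELD_MAX, fake_ret, RET_SIZE);
    return req;
}

/* Feeds the malformed request to both handlers. Returns 1 when the
 * unchecked handler overwrote the return slot and the checked handler
 * rejected the request while leaving the slot intact. */
int demo(void) {
    struct request req = make_malformed_request();
    struct frame f;

    frame_init(&f);
    copy_field_unchecked(&f, &req);
    int unchecked_corrupted = !ret_intact(&f);

    frame_init(&f);
    int rc = copy_field_checked(&f, &req);
    int checked_safe = (rc == -1) && ret_intact(&f);

    return unchecked_corrupted && checked_safe;
}

int main(void) {
    printf("unchecked handler corrupts return slot, checked handler rejects: %s\n",
           demo() ? "yes" : "no");
    return 0;
}
```

The point of the model is the gap between the two handlers: a single length comparison is all that separates "the request is dropped" from "attacker bytes sit where the CPU will look for its next return address". Real exploitation on a hardened appliance also has to contend with stack canaries, ASLR and non-executable stacks, which the model deliberately leaves out.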
Mandiant also discovered and reported a second vulnerability, CVE-2025-0283, a stack-based buffer overflow that lets a local authenticated attacker escalate privileges; at the time of writing it was not known to be exploited.
The Mandiant team did not detail the full attack chain or what the threat actors ultimately intended to do with the compromised systems, and noted that more than one actor may be targeting the vulnerability.
That said, at least a handful of the attacks have been attributed to a pair of known espionage threat actors with ties to China.
“It is possible that multiple actors are responsible for the creation and deployment of these various code families (i.e. SPAWN, DRYHOOK and PHASEJAM), but as of publishing this report, we don't have enough data to accurately assess the number of threat actors targeting CVE-2025-0282,” the Mandiant team explained.