CVE-2025-0282
Published: January 8, 2025
Official Description
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution.
CISA KEV Advisory
Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution.
Apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.
Risk Analysis
Ivanti Connect Secure, Policy Secure, and ZTA Gateways are susceptible to a stack-based buffer overflow, leading to unauthenticated remote code execution. With an EPSS score of 0.94120 and confirmed exploitation by CISA, this is a critical vulnerability with a high likelihood of active exploitation.
This vulnerability is actively being exploited in the wild. Attackers can achieve unauthenticated remote code execution, making it a severe threat.
Apply the latest security updates and patches for Ivanti Connect Secure, Policy Secure, and ZTA Gateways. Implement network hardening measures and monitor for suspicious activity.
Technical Analysis
CVE-2025-0282 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
CISA has added CVE-2025-0282 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.
News & Research Mentioning CVE-2025-0282
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details about RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices. [...] (Source: BleepingComputer)
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2025-0282 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts
- CISA KEV: Federal agencies must patch per BOD 22-01 timeline
- Active exploitation confirmed; treat as P1