HIGH | CISA KEV | IN THE WILD

CVE-2025-0282

Published: January 8, 2025

EPSS: 94.12% probability of exploitation in 30 days
Percentile: 99.9th

Official Description

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution.

NVD Source

CISA KEV Advisory

Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution.

Added to KEV: 2025-01-08
Federal patch deadline: 2025-01-15
⚠ USED IN RANSOMWARE CAMPAIGNS

Required Action (CISA)

Apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.

Risk Analysis

Ivanti Connect Secure, Policy Secure, and ZTA Gateways are susceptible to a stack-based buffer overflow, leading to unauthenticated remote code execution. With an EPSS score of 0.94120 and confirmed exploitation by CISA, this is a critical vulnerability with a high likelihood of active exploitation.

This vulnerability is actively being exploited in the wild. Attackers can achieve unauthenticated remote code execution, making it a severe threat.

Recommended Action

Apply the latest security updates and patches for Ivanti Connect Secure, Policy Secure, and ZTA Gateways. Implement network hardening measures and monitor for suspicious activity.

Generated by the CTIWATCH analysis pipeline from this CVE's metadata (CVSS, EPSS, KEV status, exploit intelligence). Verify against vendor advisories before acting.

Technical Analysis

CVE-2025-0282 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

CISA has added CVE-2025-0282 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.

Exploit & PoC Resources

ACTIVE EXPLOITATION: Confirmed exploitation in the wild
External links open in a new tab. Always verify in a controlled environment before use.

News & Research Mentioning CVE-2025-0282

CISA warns that RESURGE malware can be dormant on Ivanti devices
BleepingComputer · Feb 27, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details about RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices. [...]

Quick Facts

CVE ID: CVE-2025-0282
Severity: HIGH
CISA KEV: YES — Active Exploitation
Exploit: IN THE WILD
EPSS (30d): 94.12%
Published: Jan 8, 2025

Known Threat Actors

wa
financial
core
financial

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2025-0282 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
  • CISA KEV: Federal agencies must patch per BOD 22-01 timeline
  • Active exploitation confirmed — treat as P1

Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.