Background
Ivanti Connect Secure (formerly Pulse Secure) has become one of the most targeted enterprise VPN products, with a history of critical zero-day vulnerabilities exploited by sophisticated threat actors. CVE-2025-0282 continues this pattern: a critical stack overflow vulnerability disclosed in January 2025, exploited as a zero-day before the patch was available, in campaigns assessed to involve Chinese state-sponsored threat actors.
Mandiant discovered active exploitation of CVE-2025-0282 during incident response activities and reported it to Ivanti, which released a patch on January 8, 2025. The attack vector, impact, and post-exploitation behaviour closely mirror the January 2024 CVE-2023-46805/CVE-2024-21887 exploitation campaign by the same or associated threat actors.
Technical Mechanism
CVE-2025-0282 is a stack-based buffer overflow (CWE-121) in the pre-authentication component of Ivanti Connect Secure. Stack buffer overflows occur when data copied to a stack-allocated buffer exceeds the buffer’s capacity, overwriting adjacent stack memory including saved return addresses and function pointers.
The vulnerable component processes network requests before any authentication occurs. A specially crafted request causes an oversized data copy operation onto the stack:
```c
// Conceptual vulnerable pattern (illustrative, not Ivanti's actual code)
#include <string.h>

#define FIXED_SIZE 256                         // Illustrative buffer size
void process_parsed_request(const char *buf);  // Defined elsewhere

void process_connection(const char *request_data, size_t request_len) {
    char buffer[FIXED_SIZE]; // Stack-allocated buffer
    // Dangerous: copies up to request_len bytes without checking FIXED_SIZE
    memcpy(buffer, request_data, request_len); // Stack overflow if request_len > FIXED_SIZE
    process_parsed_request(buffer);
}
```
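The bounds-checked counterpart of that pattern, as an added example that is not Ivanti's code: it assumes a pre-authentication message carrying an attacker-controlled 16-bit length prefix followed by the payload (the real wire format is not described on this page) and a FIXED_SIZE of 256, and it rejects any request that would not fit before a single byte is copied.

```c
/* Added example, not Ivanti's code: bounds-checked counterpart of the
 * conceptual vulnerable pattern. The 16-bit length prefix and FIXED_SIZE
 * are assumptions chosen for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIXED_SIZE 256   /* assumed stack buffer size */

enum { REQ_OK = 0, REQ_TRUNCATED = -1, REQ_TOO_LARGE = -2 };

/* Packet layout (assumed): 2-byte big-endian length, then payload.
 * On success the number of payload bytes copied is stored in *copied. */
int process_connection_safe(const uint8_t *pkt, size_t pkt_len, size_t *copied)
{
    char buffer[FIXED_SIZE];
    if (pkt == NULL || pkt_len < 2)
        return REQ_TRUNCATED;
    size_t claimed = ((size_t)pkt[0] << 8) | pkt[1];   /* untrusted value */
    if (claimed > pkt_len - 2)
        return REQ_TRUNCATED;        /* length field exceeds what arrived */
    if (claimed > sizeof buffer)
        return REQ_TOO_LARGE;        /* would overflow: reject, never copy */
    memcpy(buffer, pkt + 2, claimed);  /* bounded by both checks above */
    *copied = claimed;
    /* parse buffer[0..claimed) here, passing the length along */
    return REQ_OK;
}

/* Drive the checks with constructed packets. Returns 1 if all behave. */
int demo_length_checks(void)
{
    uint8_t ok[2 + 16] = {0x00, 0x10};              /* claims 16, has 16 */
    uint8_t lie[2 + 4] = {0xFF, 0xFF};              /* claims 65535, has 4 */
    uint8_t big[2 + FIXED_SIZE + 1] = {0x01, 0x01}; /* claims 257, has 257 */
    size_t n = 0;
    return process_connection_safe(ok, sizeof ok, &n) == REQ_OK && n == 16
        && process_connection_safe(lie, sizeof lie, &n) == REQ_TRUNCATED
        && process_connection_safe(big, sizeof big, &n) == REQ_TOO_LARGE;
}
```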
Exploit development for stack overflows on modern systems requires bypassing:
- Stack canaries: Detect stack corruption; bypassed via information leak or by targeting canary-exempt code paths
- NX/DEP: Non-executable stack; bypassed using Return-Oriented Programming (ROP) — chaining existing executable code gadgets
- ASLR: Address Space Layout Randomization; bypassed via information leak from a separate vulnerability or by targeting code segments with predictable addresses
Ivanti appliances run a custom Linux environment. Advanced threat actors targeting these appliances have demonstrated capability to develop reliable exploits despite these mitigations, leveraging information from prior public analysis of Ivanti’s codebase.
The exploit requires sending a crafted packet to the Ivanti Connect Secure VPN service port (443), achieving code execution as root in the VPN daemon process.
Real-World Exploitation Evidence
Mandiant’s analysis of CVE-2025-0282 exploitation documented sophisticated post-exploitation activity:
- SPAWN malware ecosystem: Mandiant documented a multi-component malware framework dubbed SPAWN, deployed post-exploitation. Components included:
  - SPAWNANT: An installer that ensures malware persistence across device upgrades
  - SPAWNMOLE: A tunneler that creates encrypted tunnels through the appliance for C2 communications
  - SPAWNSNAIL: An SSH backdoor on the appliance’s internal SSH service, providing persistent access
- Attribution: Mandiant attributed the exploitation to UNC5337, assessed to be linked to UNC5221 — the same or affiliated Chinese state-sponsored group responsible for the January 2024 exploitation campaign.
- Targeted scope: Unlike broad criminal exploitation, initial exploitation appeared targeted at specific government, defence, and critical infrastructure organisations.
- Persistence through upgrades: The SPAWN malware was specifically designed to survive firmware upgrades, demonstrating deep product knowledge and intent for long-term access.
Impact Assessment
Root access on a VPN appliance at the network perimeter provides:
- Network authentication credential interception: All VPN authentication traffic passes through the appliance; credentials can be harvested.
- Persistent network-level access: The compromised appliance provides a permanent foothold inside the target network that is extremely difficult to detect and remove.
- Traffic inspection: TLS termination can be manipulated to expose encrypted traffic contents.
- Lateral movement platform: The appliance has trusted internal network access, enabling reconnaissance and attacks against internal systems.
- Survival through remediation: The SPAWN malware’s ability to persist through firmware upgrades means basic remediation steps may be insufficient.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Ivanti Connect Secure | 22.7R2.4 and earlier | 22.7R2.5+ |
| Ivanti Policy Secure | 22.7R1.1 and earlier | 22.7R1.2+ |
| Ivanti Neurons for ZTA | 22.7R2.3 and earlier | 22.7R2.5+ |
Remediation Steps
- Apply patches: Update to Connect Secure 22.7R2.5 or later. Policy Secure and ZTA Gateways have separate fix versions.
- Run Ivanti’s Integrity Checker Tool (ICT) first: Before patching, run the ICT to detect the SPAWN malware ecosystem:
  - External ICT (cloud-based): More thorough detection
  - Local ICT: Maintenance > Diagnostics > Integrity Check
- Factory reset before patching: Ivanti and CISA recommend performing a factory reset before applying the patch if compromise is suspected — the SPAWN malware may not be fully removed by patching alone.
- Monitor for SPAWN persistence post-patch: Even after factory reset and patching, monitor for signs of SPAWNANT reinstallation via network traffic to C2 infrastructure.
- Treat all credentials as compromised: Rotate all credentials that may have been processed through the VPN appliance.
- Review CISA KEV supplemental guidance: CISA issued specific guidance on responding to Ivanti Connect Secure compromises given the persistence mechanisms involved.
Detection Guidance
Log sources:
- Ivanti Connect Secure system log: Maintenance > Diagnostics > System Logs
- Integrity Checker Tool output
- Network monitoring for unusual outbound connections from the VPN appliance IP
SPAWN malware indicators:
- Modifications to /home/webserver/htdocs/dana-na/ or similar web directories
- Unusual SSH processes or listening on unexpected ports
- Outbound TCP connections from appliance IP to non-Ivanti IPs on ports 443, 4444, or 8443
- ICT reports of failed file hash verification
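The outbound-connection indicator above, applied to constructed flow records as an added example (not Ivanti's ICT or Mandiant's code): the appliance address, the allow-listed Ivanti prefix and the record format are assumptions, and the allow-list is a placeholder to be filled from Ivanti's published service ranges.

```c
/* Added example, not Ivanti's or Mandiant's code: flags outbound TCP flows
 * from the appliance IP to non-Ivanti hosts on 443/4444/8443. Appliance IP,
 * allow-listed prefix and the record format are assumptions. */
#include <stdio.h>
#include <string.h>

#define APPLIANCE_IP "10.0.0.5"        /* assumed appliance address */
/* Placeholder prefix: replace with Ivanti's published service ranges. */
#define IVANTI_PREFIX "203.0.113."

/* Constructed records: "epoch,src_ip,dst_ip,dst_port,proto" */
static const char *SAMPLE_FLOWS[] = {
    "1736300000,10.0.0.5,203.0.113.10,443,tcp",   /* allow-listed */
    "1736300010,10.0.0.5,198.51.100.7,4444,tcp",  /* hit */
    "1736300020,10.0.0.9,198.51.100.7,443,tcp",   /* not the appliance */
    "1736300030,10.0.0.5,198.51.100.8,53,udp",    /* wrong proto/port */
    "1736300040,10.0.0.5,192.0.2.44,8443,tcp",    /* hit */
};
#define N_FLOWS (sizeof SAMPLE_FLOWS / sizeof SAMPLE_FLOWS[0])

static int is_c2_port(int port) { return port == 443 || port == 4444 || port == 8443; }

/* Returns 1 if the record matches the indicator; fills dst and port. */
int flow_is_suspicious(const char *rec, char dst[64], int *port)
{
    char src[64], proto[8];
    long ts;
    if (sscanf(rec, "%ld,%63[^,],%63[^,],%d,%7s", &ts, src, dst, port, proto) != 5)
        return 0;                                   /* malformed: skip */
    if (strcmp(src, APPLIANCE_IP) != 0 || strcmp(proto, "tcp") != 0)
        return 0;
    if (!is_c2_port(*port))
        return 0;
    if (strncmp(dst, IVANTI_PREFIX, strlen(IVANTI_PREFIX)) == 0)
        return 0;                                   /* known Ivanti host */
    return 1;
}

/* Scan all sample records; print each hit and return the hit count. */
int count_suspicious(void)
{
    int hits = 0;
    for (size_t i = 0; i < N_FLOWS; i++) {
        char dst[64]; int port;
        if (flow_is_suspicious(SAMPLE_FLOWS[i], dst, &port)) {
            printf("alert: %s -> %s:%d\n", APPLIANCE_IP, dst, port);
            hits++;
        }
    }
    return hits;
}
```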
Suricata signature (a low-fidelity heuristic: it keys only on a 32-byte payload beginning with three null bytes, so tune the threshold against the appliance's baseline traffic before treating alerts as high-confidence):
```
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Ivanti Connect Secure CVE-2025-0282 SPAWN C2 Beacon"; flow:established,to_server; dsize:32; content:"|00 00 00|"; depth:3; threshold:type both, track by_src, count 3, seconds 30; sid:9002502; rev:1;)
```
Timeline
| Date | Event |
|---|---|
| December 2024 | Exploitation begins (estimated based on Mandiant analysis) |
| January 2, 2025 | Mandiant observes exploitation during incident response |
| January 8, 2025 | Ivanti releases advisory and patches for CVE-2025-0282 |
| January 8, 2025 | CISA adds CVE-2025-0282 to KEV catalogue |
| January 9, 2025 | CISA Emergency Directive on Ivanti Connect Secure |
| January 2025 | Mandiant publishes SPAWN malware analysis |
| January 2025 | Additional exploitation confirmed at government and defence sector organisations |