Inside the Active Threats of Ivanti’s Exploited Vulnerabilities


Threats, exploitation, and mitigation of Ivanti’s two critical actively exploited vulnerabilities—CVE-2025-0282 and CVE-2025-0283—affecting its Connect Secure, Policy Secure, and Neurons for ZTA Gateways.

Overview

On January 8, 2025, Ivanti disclosed two critical vulnerabilities—CVE-2025-0282 and CVE-2025-0283—affecting its Connect Secure, Policy Secure, and Neurons for ZTA Gateways. These vulnerabilities expose enterprises to unauthenticated remote code execution (RCE) and privilege escalation risks. While Ivanti has released patches to address these issues, threat actor exploitation, particularly of CVE-2025-0282, has prompted a global response.

This blog aims to provide detailed insights into these vulnerabilities and their exploitation, offering valuable guidance for mitigating risks.

A Closer Look at CVE-2025-0282 and CVE-2025-0283

CVE-2025-0282: Remote Code Execution

  • Type: Stack-based Buffer Overflow
  • Severity: Critical (CVSS Score: 9.0)
  • Impact: Enables unauthenticated attackers to execute arbitrary code remotely via the Ivanti Connect Secure appliance.
  • Affected Versions:
    • Ivanti Connect Secure: Versions prior to 22.7R2.5.
    • Ivanti Policy Secure: Versions prior to 22.7R1.2.
    • Ivanti Neurons for ZTA Gateways: Versions prior to 22.7R2.3.
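As an added example (not Ivanti's tooling and not part of the original post), the following Python takes the first fixed builds from the Affected Versions list above and decides, for each appliance in an asset inventory, whether it still runs an affected build. The version-string format (major.minor, an "R" release number, optional patch, e.g. "22.7R2.5") is an assumption based on the versions quoted on this page; the hostnames and inventory rows are constructed.

```python
"""Added example: triage an appliance inventory against the affected-version ranges
for CVE-2025-0282 / CVE-2025-0283. Not Ivanti's code; thresholds come from the
Affected Versions list on this page."""
import re

# First fixed build per product, as listed in the Affected Versions section.
FIXED_VERSIONS = {
    "Connect Secure": "22.7R2.5",
    "Policy Secure": "22.7R1.2",
    "Neurons for ZTA Gateways": "22.7R2.3",
}

# Assumed format: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5 or 22.6R2
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn '22.7R2.5' into a comparable tuple (22, 7, 2, 5); a missing patch counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(product, version):
    """True when the reported version predates the first fixed build for that product."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed-version data for {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def triage(inventory):
    """inventory: iterable of (hostname, product, version) rows.
    Returns the rows that still need the patch, in inventory order."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]


# Constructed inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("vpn-edge-01", "Connect Secure", "22.7R2.4"),
    ("vpn-edge-02", "Connect Secure", "22.7R2.5"),
    ("nac-01", "Policy Secure", "22.7R1.1"),
    ("zta-gw-01", "Neurons for ZTA Gateways", "22.7R2.3"),
    ("vpn-legacy", "Connect Secure", "22.6R2"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected; upgrade to {FIXED_VERSIONS[product]}")
```

The comparison is done on integer tuples rather than on the raw strings, so "22.7R2.10" would correctly sort after "22.7R2.5"; a build that does not match the assumed format raises instead of silently passing, which is the safer failure mode for a patch-status check.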

This vulnerability is actively being exploited, primarily against Ivanti Connect Secure appliances exposed to the internet. Threat actors use it to achieve remote code execution, enabling deep infiltration into enterprise environments.

Exploitation Process

Threat actors have demonstrated sophisticated exploitation techniques, as observed by Mandiant. The process often includes:

  1. Identifying the Target Version: Repeated requests to the vulnerable appliance help attackers determine the firmware version.
  2. Disabling Security Mechanisms: Threat actors disable SELinux and block syslog forwarding to evade detection.
  3. Writing and Executing Malicious Scripts: Base64-encoded scripts are written to temporary directories and executed to deploy malware.
  4. Deploying Web Shells: These enable attackers to maintain remote access.
  5. Erasing Logs: Tools like sed are used to remove traces of exploitation from debug and application logs.

CVE-2025-0283: Privilege Escalation

  • Type: Stack-based Buffer Overflow
  • Severity: High (CVSS Score: 7.0)
  • Impact: Allows local authenticated attackers to escalate privileges.
  • Affected Versions: The same versions as CVE-2025-0282.

While CVE-2025-0283 has not been actively exploited, its potential to be chained with other vulnerabilities poses significant risks.

Mitigation

Ivanti released a patch for Connect Secure on January 8, and updates for Policy Secure and ZTA Gateways are slated for January 21.

Malware Deployment and Persistence

Initial attacks leveraged the vulnerability for remote code execution and to drop obfuscated webshell payloads onto compromised systems, according to Mandiant. These webshells enable persistent access and lateral movement within targeted networks.

Key IoCs Identified

  • Webshell Samples:
    • SHA256: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668
    • Decoded functionality allowed attackers to execute system commands remotely.

  • Attack Vectors:
    • Exploitation originated from anonymous VPN services and known malicious IP addresses.
    • Common suspicious usernames: SUPPORT87, SUPPOR817, and VPN.

  • Post-Exploitation Activities:
    • Unauthorized security policy modifications, including opening access from WAN to LAN.
    • Deletion of forensic evidence to obscure attack traces.

  • Geographic Patterns:
    • Concentrated attack origin in Europe, leveraging proxied IP addresses.

Key Threat Actor Activities

Mandiant has linked the exploitation campaign to China-affiliated groups, specifically UNC5337 and UNC5221, using malware families like SPAWN and PHASEJAM.

Here’s how these tools are weaponized:

  • SPAWN Family Components:
    • SPAWNMOLE: A tunneler that hijacks network connections to establish communication with command-and-control (C2) servers.
    • SPAWNSNAIL: An SSH backdoor enabling persistent access.
    • SPAWNSLOTH: A log-tampering utility that obfuscates traces of malicious activity.

  • PHASEJAM:
    • Inserts malicious web shells into Ivanti appliance files like getComponent.cgi.
    • Blocks legitimate system upgrades by modifying upgrade scripts.

Anti-Forensics Techniques

Threat actors erase critical logs, such as:

  • Kernel messages (dmesg).
  • State dumps and core dumps from crashes.
  • SELinux audit logs.

These actions complicate incident response and forensic investigations.

CISA, ACSC, and NCSC have classified CVE-2025-0282 as a critical vulnerability, emphasizing its inclusion in the Known Exploited Vulnerabilities (KEV) catalog. Their advisories stress that edge devices like VPNs are prime targets for attackers and require immediate patching.

Detection and Mitigation

Detection

Ivanti said, “Threat actor activity was identified by the Integrity Checker Tool (ICT) on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix.”

Organizations are advised to use Ivanti’s Integrity Checker Tool (ICT) to identify signs of compromise. However, ICT alone may not detect all malicious activity, especially if attackers have erased traces. Combining ICT results with endpoint detection and response (EDR) tools is crucial.
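The Anti-Forensics Techniques section above describes attackers erasing logs and the Detection section notes that ICT alone may miss activity once traces are gone. As an added example (not Ivanti's ICT and not Mandiant's tooling), the following Python applies three checks a responder can run over exported appliance logs: the suspicious usernames and the webshell hash quoted in the IoC section, a timestamp-gap check that surfaces stretches where log entries may have been removed, and a check for log sources the page says attackers erase. The log line format, the sample entries and the log-size table are constructed for the example.

```python
"""Added example: post-compromise log triage for an Ivanti edge appliance.
Not Ivanti's or Mandiant's code; the log format below is constructed."""
import hashlib
import re
from datetime import datetime

# Usernames the page reports as commonly seen in the campaign.
SUSPICIOUS_USERNAMES = {"SUPPORT87", "SUPPOR817", "VPN"}

# Webshell sample hash quoted on this page (lower-cased for comparison).
KNOWN_WEBSHELL_SHA256 = {"3c5f9034c86cb1952aa5bb07b4f77ce7d8bb5cc9fe5c029a32c72adc7e814668"}

# Log sources the page says are erased; an empty or absent source is itself a signal.
EXPECTED_LOG_SOURCES = ["dmesg", "core_dumps", "selinux_audit"]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)")
USER_RE = re.compile(r"\buser=(\S+)")


def flag_suspicious_logins(lines):
    """Return (line_number, username) for entries using a known suspicious username."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = USER_RE.search(line)
        if m and m.group(1).upper() in SUSPICIOUS_USERNAMES:
            hits.append((n, m.group(1)))
    return hits


def find_time_gaps(lines, max_gap_minutes):
    """Return (previous_ts, next_ts, minutes) for consecutive entries further apart
    than max_gap_minutes; such gaps are candidates for deleted log ranges."""
    gaps, prev_dt, prev_raw = [], None, None
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess a time
        raw = m.group(1)
        dt = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ")
        if prev_dt is not None:
            minutes = (dt - prev_dt).total_seconds() / 60
            if minutes > max_gap_minutes:
                gaps.append((prev_raw, raw, minutes))
        prev_dt, prev_raw = dt, raw
    return gaps


def missing_log_sources(sizes_by_source):
    """sizes_by_source: {source_name: byte_count}. Returns expected sources that are empty or absent."""
    return [s for s in EXPECTED_LOG_SOURCES if sizes_by_source.get(s, 0) == 0]


def is_known_webshell(file_bytes):
    """True when the SHA256 of a collected file matches the IoC list."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_WEBSHELL_SHA256


# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = [
    "2025-01-09T10:00:00Z auth: user=alice src=198.51.100.7 result=success",
    "2025-01-09T10:05:00Z auth: user=SUPPORT87 src=203.0.113.10 result=success",
    "2025-01-09T10:06:30Z auth: user=SUPPOR817 src=203.0.113.10 result=failure",
    "2025-01-09T13:30:00Z auth: user=bob src=198.51.100.8 result=success",
    "2025-01-09T13:31:00Z config: user=bob action=policy_change detail=wan_to_lan_allow",
]

# Constructed byte counts for the log sources after collection.
SAMPLE_LOG_SIZES = {"dmesg": 0, "core_dumps": 4096, "selinux_audit": 0}

if __name__ == "__main__":
    print("suspicious logins:", flag_suspicious_logins(SAMPLE_AUTH_LOG))
    print("gaps over 60 min:", find_time_gaps(SAMPLE_AUTH_LOG, 60))
    print("empty/missing sources:", missing_log_sources(SAMPLE_LOG_SIZES))
```

The gap threshold should be tuned to the appliance's normal logging rate; on a busy VPN gateway a silent hour is itself unusual, while a quiet lab device may legitimately log nothing overnight. None of these checks prove compromise on their own, but a suspicious username, an empty SELinux audit log and a gap in the same window together justify treating the device as compromised and imaging it before remediation.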

Mitigation

  1. Patch Systems:
    • Update to Ivanti’s patched firmware versions:
      • Connect Secure: 22.7R2.5
      • Policy Secure and ZTA Gateways: 22.7R2.5 (available by January 21, 2025)

  2. Reset Credentials:
    • Change all passwords for admin and user accounts, including VPN pre-shared keys.

  3. Reconfigure Security Policies:
    • Remove unauthorized rules allowing broad access.

  4. Monitor Network Activity:
    • Continuously monitor logs for unusual behavior or unauthorized access.

  5. Enforce Network Segmentation:
    • Restrict management interfaces to trusted internal IP addresses only.

Key Agency Recommendations

  • CISA: Advocates for enhanced monitoring of ICS appliances and swift adoption of fixes.
  • ACSC: Warns against delayed patching, highlighting the potential for mass exploitation.
  • NCSC: Stresses the importance of layered defenses and regular security assessments.

Best Practices for Enhanced Security

Cyble emphasizes the importance of adopting a proactive security strategy. Key recommendations include:

  • Two-Factor Authentication (2FA): Enforce 2FA for all accounts to reduce the risk of unauthorized access.
  • Log Monitoring: Use SIEM solutions to track anomalies in real time.
  • Incident Response: Maintain a tested and updated incident response plan to mitigate the impact of breaches.
  • Limit External Exposure: Disable internet-facing management interfaces wherever possible.

References:

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283

https://www.ivanti.com/blog/security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways

https://www.cisa.gov/news-events/alerts/2025/01/08/cisa-adds-one-vulnerability-kev-catalog

https://www.ncsc.gov.uk/news/active-exploitation-ivanti-vulnerability

https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-vulnerabilities-ivanti-connect-secure-ivanti-policy-secure-and-ivanti-neurons-zta-gateways

The post Inside the Active Threats of Ivanti’s Exploited Vulnerabilities appeared first on Cyble.

Blog – Cyble

Emerging FunkSec Ransomware Developed Using AI

Developed with the help of AI, the emerging FunkSec ransomware claimed over 80 victims in December 2024.

The post Emerging FunkSec Ransomware Developed Using AI appeared first on SecurityWeek.

SecurityWeek

A breach of a data broker’s trove of location data threatens the privacy of millions

The company confirmed the breach after a hacker posted millions of location data records online.

© 2024 TechCrunch. All rights reserved. For personal use only.

Security News | TechCrunch

3 Russians Indicted for Operating Blender.io and Sinbad.io Crypto Mixers

Summary: Three Russian nationals have been indicted for their alleged roles in running cryptocurrency mixing services Blender.io and…

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News

CyberSecurity Malaysia Flags Major Threats in Chrome and WordPress – Are You Safe?


Google Chrome and WordPress users face high-severity security threats. CyberSecurity Malaysia advises immediate updates to prevent potential exploits and safeguard data.

Overview

CyberSecurity Malaysia has recently notified users of critical vulnerabilities in two widely used software platforms: Google Chrome and the WordPress File Upload plugin. If exploited, these vulnerabilities could allow attackers to execute arbitrary code, escalate privileges, or cause disruptions.

Security updates have been issued, and users are strongly advised to apply these updates immediately to protect their systems.

This article provides an in-depth look at these vulnerabilities, their potential impacts, affected products, and recommended mitigation actions.

Google Chrome Security Update

Google has released security updates to address multiple vulnerabilities in the Chrome browser. These vulnerabilities have been categorized as high-severity risks and require immediate attention from users and administrators.

If successfully exploited, these vulnerabilities could enable attackers to:

  • Execute arbitrary code on the target system.
  • Escalate their privileges to gain unauthorized access.
  • Cause denial-of-service (DoS) attacks on affected ChromeOS devices.

These threats underscore the importance of keeping software updated to prevent exploitation.

One of the critical vulnerabilities addressed in this update is:

  • CVE-2025-0291 (High): A Type Confusion vulnerability in the V8 JavaScript engine. Type confusion occurs when a program accesses an object or resource as if it were of a different type than the one it was created as, which can corrupt memory and allow attackers to execute malicious code.

Recommendations

CyberSecurity Malaysia advises all users and administrators to:

  1. Review the latest Google Chrome release notes.
  2. Update Chrome to the latest version without delay.
  3. Regularly check for updates to ensure their browser remains secure.

WordPress File Upload Plugin Vulnerability

WordPress has issued a critical security update to address a vulnerability in its File Upload plugin. This vulnerability, if exploited, could have severe consequences for WordPress websites, particularly those using outdated versions of the plugin.

The vulnerability could allow unauthenticated attackers to:

  • Execute remote code on the server.
  • Read arbitrary files, potentially exposing sensitive information.
  • Delete files, causing data loss and service disruptions.

With a high severity score of 9.8 on the CVSS scale, this vulnerability is categorized as critical and poses a significant threat to websites using the affected plugin.

Affected Products

  • WordPress File Upload Plugin: Versions 4.24.15 and below are affected.
  • Vulnerability Details:
    • CVE Identifier: CVE-2024-11613
    • Vulnerability Type: Improper Control of Code Generation (Code Injection).
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Researcher: Abrahack
    • Date of Public Disclosure: January 7, 2025

The vulnerability lies in the improper sanitization of the source parameter within the file wfu_file_downloader.php, which allows attackers to define their own directory paths. This flaw enables remote code execution, arbitrary file reading, and file deletion.
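The page describes the root cause as a request parameter that lets the caller choose the directory a file is served from. As an added, hypothetical illustration of that bug class (written in Python, not the plugin's PHP, and not the plugin's actual fix), the following shows a download-path resolver that trusts the parameter beside one that confines every request to the upload directory. The base directory, parameter names and inputs are constructed; the directory does not need to exist for the path logic to run.

```python
"""Added example: user-controlled download paths, vulnerable join vs. confined resolver.
Hypothetical illustration of the bug class, not code from the WordPress File Upload plugin."""
import os

# Constructed upload directory for the example.
UPLOAD_BASE = "/srv/wfu_uploads"


def vulnerable_download_path(base, source):
    """Trusts the caller. os.path.join discards `base` when `source` is absolute,
    and '..' segments walk out of the upload directory."""
    return os.path.join(base, source)


def resolve_download_path(base, source):
    """Return the real path of base/source, or None when the request escapes base.
    Resolving both sides with realpath also defeats symlink tricks inside base."""
    if not source or "\x00" in source:
        return None
    real_base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(real_base, source))
    try:
        inside = os.path.commonpath([real_base, candidate]) == real_base
    except ValueError:  # paths on different drives (Windows) share no prefix
        inside = False
    return candidate if inside else None


if __name__ == "__main__":
    for req in ["docs/report.pdf", "../../etc/passwd", "/etc/passwd"]:
        print(f"{req!r}: vulnerable -> {vulnerable_download_path(UPLOAD_BASE, req)}"
              f" | hardened -> {resolve_download_path(UPLOAD_BASE, req)}")
```

The check compares fully resolved paths rather than stripping "../" from the input, because string filtering is easy to bypass with encodings or repeated segments; the resolver simply asks whether the final location is inside the allowed directory and refuses everything else.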

Recommendations

To protect their websites, CyberSecurity Malaysia urges WordPress users and administrators to:

  1. Update the WordPress File Upload Plugin: Install version 4.25.0 or any newer patched version.
  2. Regularly Monitor Plugin Updates: Ensure plugins are always up to date to prevent vulnerabilities.
  3. Review the Official Wordfence Security Updates: Follow detailed guidance provided by WordPress security teams.

Patched versions can be found on the WordPress.org plugin page.

Key Takeaways

  1. Act Quickly: The vulnerabilities in Google Chrome and WordPress File Upload plugin can lead to severe consequences, including unauthorized access, data breaches, and service disruptions. Immediate action is necessary to mitigate risks.
  2. Stay Updated: Regularly updating software, browsers, and plugins is one of the most effective ways to defend against cyber threats.
  3. Follow Trusted Sources: Always rely on credible sources such as Google, WordPress, and CyberSecurity Malaysia for updates and advisories.
  4. Educate Yourself and Your Team: Awareness of such vulnerabilities and their potential impacts can help individuals and organizations build a proactive security posture.

Conclusion

Both Google and WordPress have acted swiftly to address these vulnerabilities, and now it’s up to users to ensure their systems and websites are secure. CyberSecurity Malaysia’s advisories serve as a crucial reminder of the need for consistent software updates and security monitoring.

By taking timely action, users and administrators can safeguard their digital assets and minimize the risk of exploitation.

Stay updated, stay protected!


The post CyberSecurity Malaysia Flags Major Threats in Chrome and WordPress – Are You Safe? appeared first on Cyble.

Blog – Cyble

China Targeted Foreign Investment, Sanctions Offices in Treasury Hack: Reports

Chinese cyberspies targeted offices dealing with foreign investments and sanctions in the recent US Treasury hack. 

The post China Targeted Foreign Investment, Sanctions Offices in Treasury Hack: Reports appeared first on SecurityWeek.

SecurityWeek

Juniper Networks Fixes High-Severity Vulnerabilities in Junos OS

Juniper Networks has patched multiple high-severity vulnerabilities in Junos OS and its third-party components.

The post Juniper Networks Fixes High-Severity Vulnerabilities in Junos OS appeared first on SecurityWeek.

SecurityWeek

Inside the Black Box of Predictive Travel Surveillance

Behind the scenes, companies and governments are feeding a trove of data about international travelers into opaque AI tools that aim to predict who’s safe—and who’s a threat.

Security Latest

Expired Domains Allowed Control Over 4,000 Backdoors on Compromised Systems

No less than 4,000 unique web backdoors previously deployed by various threat actors have been hijacked by taking control of abandoned and expired infrastructure for as little as $20 per domain.
Cybersecurity company watchTowr Labs said it pulled off the operation by registering over 40 domain names that the backdoors had been designed to use for command-and-control (C2). In partnership with the

The Hacker News

WordPress Skimmers Evade Detection by Injecting Themselves into Database Tables

Cybersecurity researchers are warning of a new stealthy credit card skimmer campaign that targets WordPress e-commerce checkout pages by inserting malicious JavaScript code into a database table associated with the content management system (CMS).
“This credit card skimmer malware targeting WordPress websites silently injects malicious JavaScript into database entries to steal sensitive payment

The Hacker News