TechCrunch News, January 9
Hackers are exploiting a new Ivanti VPN security bug to hack into company networks
U.S. software giant Ivanti has warned that a zero-day vulnerability in its widely used enterprise VPN appliances has been exploited to break into corporate customers' networks. The vulnerability, CVE-2025-0282, can be exploited without authentication to remotely plant malicious code on Ivanti's Connect Secure, Policy Secure and ZTA Gateways products. Ivanti's Connect Secure VPN solution is widely adopted. The company only became aware of the flaw after discovering malicious activity on customer appliances. A patch for Connect Secure has been released; patches for Policy Secure and ZTA Gateways will be released on January 21. In addition, a second vulnerability, CVE-2025-0283, has been found that has not yet been exploited. Mandiant believes the vulnerability may be linked to a China-related cyberespionage group. U.K. and U.S. cybersecurity agencies are investigating the matter.

🚨 Ivanti's Connect Secure, Policy Secure and ZTA Gateways products contain an actively exploited zero-day vulnerability, CVE-2025-0282, which allows malicious code to be planted remotely without authentication.

🛡️ Ivanti has released a patch for Connect Secure, but patches for Policy Secure and ZTA Gateways will not be released until January 21; a second, not-yet-exploited vulnerability, CVE-2025-0283, has also been found.

🕵️ Mandiant suspects that a China-linked cyberespionage group, tracked as UNC5337 and UNC5221, exploited this vulnerability; the same group exploited two zero-day flaws in Ivanti products in 2024 to launch mass attacks.

🌍 Multiple agencies, including the U.K.'s National Cyber Security Centre and the U.S. cybersecurity agency CISA, are actively investigating and responding to the impact of this vulnerability.

U.S. software giant Ivanti has warned that a zero-day vulnerability in its widely-used enterprise VPN appliance has been exploited to compromise the networks of its corporate customers.

Ivanti said on Wednesday that the critical-rated vulnerability, tracked as CVE-2025-0282, can be exploited without any authentication to remotely plant malicious code on Ivanti’s Connect Secure, Policy Secure, and ZTA Gateways products. Ivanti says its Connect Secure remote-access VPN solution is “the most widely adopted SSL VPN by organizations of every size, across every major industry.”

This is the latest exploited security vulnerability to target Ivanti’s products in recent years. Last year, the technology maker pledged to overhaul its security processes after hackers targeted vulnerabilities in several of its products to launch mass-hacks against its customers. 

The company said it became aware of the latest vulnerability after its Ivanti Integrity Checker Tool (ICT) flagged malicious activity on some customer appliances.

In an advisory post published on Wednesday, Ivanti confirmed threat actors were actively exploiting CVE-2025-0282 “as a zero-day,” which means the company had no time to fix the vulnerability before it was discovered and exploited, and that it was aware of a “limited number of customers” whose Ivanti Connect Secure appliances were hacked.

Ivanti said a patch is currently available for Connect Secure, but that patches for Policy Secure and ZTA Gateways — neither of which have confirmed exploitability — won’t be released until January 21. 

The company said it also discovered a second vulnerability, tracked as CVE-2025-0283, which has not yet been exploited.

Ivanti has not said how many of its customers are affected by the hacks or who is behind the intrusions. Spokespeople for Ivanti did not respond to TechCrunch’s questions by press time.

Incident response firm Mandiant, which discovered the vulnerability along with researchers at Microsoft, said in a blog post published late Wednesday that its researchers had observed hackers exploiting the Connect Secure zero-day as early as mid-December 2024. 

In an email to TechCrunch, Mandiant said that while it can’t attribute the exploitation to a specific threat actor, it suspects a China-linked cyberespionage group — tracked by its designations UNC5337 and UNC5221. This is the same cluster of threat group activity that exploited two zero-day flaws in Connect Secure in 2024 to launch mass hacks against Ivanti customers, Mandiant said in its blog post on Wednesday. 

Ben Harris, CEO of security research firm watchTowr Labs, told TechCrunch in an email that the company has seen “widespread impact” as a result of this latest Ivanti VPN flaw and has “been working with clients all day to make sure they’re aware.” 

Harris added that this vulnerability is of significant concern, as the attacks have “all the hallmarks of [an advanced persistent threat] usage of a zero-day against a mission-critical appliance,” and urged everyone to “please take this seriously.”

The U.K.’s National Cyber Security Centre said in an advisory that it was “investigating cases of active exploitation affecting U.K. networks.” U.S. cybersecurity agency CISA also added the vulnerability to its catalog of known-exploited vulnerabilities.
