{"id":6883,"date":"2025-01-10T16:37:54","date_gmt":"2025-01-10T22:37:54","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities-threats\/critical-ivanti-rce-bug"},"modified":"2025-01-10T16:37:54","modified_gmt":"2025-01-10T22:37:54","slug":"threat-actors-exploit-a-critical-ivanti-rce-bug-again","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/10\/threat-actors-exploit-a-critical-ivanti-rce-bug-again\/","title":{"rendered":"Threat Actors Exploit a Critical Ivanti RCE Bug, Again"},"content":{"rendered":"
<\/a><\/div>\n

A Chinese threat actor is once again exploiting Ivanti remote access devices at large.<\/span><\/p>\n

If you had a nickel for every high-profile vulnerability affecting Ivanti appliances last year, you’d have a lot of nickels. There was the critical <\/span>authentication bypass in its Virtual Traffic Manager (vTM)<\/a><\/span>, the <\/span>SQL injection bug in its Endpoint Manager<\/a><\/span>, a <\/span>trio affecting its Cloud Services Appliance (CSA)<\/a><\/span>, <\/span>critical issues with its Standalone Sentry and Neurons for IT Service Management (ITSM)<\/a><\/span>, plus <\/span>dozens more<\/a><\/span>.<\/span><\/p>\n

It all started last January, when <\/span>two serious vulnerabilities<\/a><\/span> were discovered in Ivanti’s Connect Secure (ICS) and Policy Secure gateways. By the time of disclosure, the vulnerabilities were already being exploited by a suspected Chinese-nexus threat actor, UNC5337, believed to be an entity of UNC5221.<\/span><\/p>\n

Now, one year and one <\/span>secure-by-design pledge<\/a><\/span> later, threat actors have returned to haunt Ivanti all over again, via a <\/span>new critical vulnerability in ICS<\/a><\/span> which also affects Policy Secure and Neurons for Zero Trust Access (ZTA) gateways. Ivanti has further warned of a second, slightly less severe bug that hasn’t been observed in exploits yet.<\/span><\/p>\n

“Just because we’re seeing these often doesn’t necessarily mean that they’re easy to pull off \u2014 it’s a highly sophisticated group that is doing this,” Arctic Wolf CISO Adam Marr\u00e8 points out, in defense of the downtrodden IT vendor. “Engineering is not easy, and secure engineering is even more difficult. So even though you may be following the principles of secure-by-design, that doesn’t mean that someone isn’t going to be able to come along and either with new technologies, or new techniques, and enough time and resources, hack in.”<\/span><\/p>\n

Related:<\/span>New AI Challenges Will Test CISOs & Their Teams in 2025<\/a><\/p>\n

2 More Security Bugs in Ivanti Devices<\/h2>\n

As yet unexploited (as far as researchers can tell) is CVE-2025-0283, a buffer overflow opportunity in ICS versions prior to 22.7R2.5, Policy Secure before 22.7R1.2, and Neurons for ZTA gateways before 22.7R2.3. The “high” severity 7.0 out of 10-rated issue in the Common Vulnerability Scoring System (CVSS) could enable an attacker to escalate their privileges on a targeted device, but requires them to be authenticated first.<\/span><\/p>\n

CVE-2025-0282 \u2014 rated a “critical” 9.0 in CVSS \u2014 does not come with that same caveat, allowing for code execution as root with no authentication required. Ivanti disclosed few details regarding the exact cause of the issue, but researchers from watchTowr were able to <\/span>successfully reverse engineer an exploit<\/a><\/span> after comparing ICS’s patched and unpatched versions.<\/span><\/p>\n

Related:<\/span>Best Practices & Risks Considerations in LCNC and RPA Automation<\/a><\/p>\n

According to Mandiant, a threat actor began <\/span>exploiting CVE-2025-0282 in mid-December<\/a><\/span>, deploying the same “Spawn” family of malware tied to UNC5337 exploits of previous Ivanti bugs. Those tools include:<\/span><\/p>\n

\n