Source URL: https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2025-0282-cve-2025-0283/
Source: Unit 42
Title: Threat Brief: CVE-2025-0282 and CVE-2025-0283
Feedly Summary: CVE-2025-0282 and CVE-2025-0283 affect multiple Ivanti products. This threat brief covers attack scope, including details from an incident response case.
AI Summary and Description: Yes
**Summary:** The text details the discovery and exploitation of two critical vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in Ivanti’s remote access products, highlighting their severe implications for network security. This information is crucial for security professionals, emphasizing the urgent need for patching and monitoring to mitigate risks.
**Detailed Description:**
The analysis discusses significant vulnerabilities in Ivanti appliances that terminate remote connections; because these devices sit at the network edge, they are attractive targets for attackers.
– **Vulnerabilities Identified:**
  – **CVE-2025-0282:**
    – A stack-based buffer overflow allowing remote unauthenticated code execution.
    – Critical CVSS score: 9.0.
    – Potential for attackers to gain initial access to internal networks.
  – **CVE-2025-0283:**
    – A stack-based buffer overflow enabling local authenticated attackers to escalate privileges.
    – High CVSS score: 7.0.
– **Context of the Vulnerabilities:**
  – Affected products include Connect Secure, Policy Secure, and ZTA gateways, which are outward-facing and subject to direct attacks.
  – The first exploitation activity was reported by Mandiant soon after Ivanti’s advisory.
– **Attack Sequence Overview:**
  – **Initial Access:** Exploitation of CVE-2025-0282 to establish a foothold in the network.
  – **Credential Harvesting:** Use of scripts and tools to gather sensitive credentials and enable further lateral movement within the network.
  – **Defense Evasion:** Actions taken to erase digital footprints, such as deleting log files.
  – **Persistence:** Threat actors leveraging backdoors and scheduled tasks for continuous access.
– **Tools and Techniques Used:**
  – Custom scripts for credential harvesting.
  – Legitimate tools used maliciously (e.g., MSBuild.exe for memory dumping).
  – Backdoor persistence identified through DLL sideloading techniques.
– **Recommendations for Security Practices:**
  – Immediate application of the patches provided by Ivanti to mitigate the identified vulnerabilities.
  – Continuous monitoring of appliance integrity and network activity, using tools such as Ivanti’s Integrity Checker Tool (ICT).
  – Use of Palo Alto Networks security solutions, which provide updates and protections against the identified threats.
– **Indicators of Compromise (IoC):**
  – A list of C2 (Command and Control) IP addresses and file hashes associated with the threats was provided to support defensive measures.
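The post-exploitation behaviours listed above (MSBuild.exe abused as a memory-dumping LOLBin, log deletion, scheduled-task persistence, DLL sideloading) are the kind of activity endpoint telemetry can surface. The following is an added detection example, not code from the Unit 42 brief; the event field names, the allow-list of expected MSBuild parents and the sample events are assumptions modelled on Sysmon-style process-creation and image-load records.

```python
import re
from pathlib import PureWindowsPath

# Parents from which MSBuild.exe is normally launched (assumed allow-list;
# tune to the build tooling actually present in your environment).
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}
# Where a trusted binary is expected to load DLLs from, and user-writable
# locations that suggest a planted DLL (heuristic, case-insensitive).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\public\\")
LOG_CLEAR = re.compile(r"wevtutil\s+cl\b|\bdel\b.*\.log|remove-item\b.*\.log", re.I)
TASK_CREATE = re.compile(r"schtasks(\.exe)?\s+/create", re.I)


def _name(path):
    return PureWindowsPath(path).name.lower()


def classify(ev):
    """Return a finding label for one event, or None if nothing matches."""
    if ev["type"] == "process":
        if _name(ev["image"]) == "msbuild.exe" and _name(ev["parent"]) not in BUILD_PARENTS:
            return "lolbin: MSBuild.exe outside a build context"
        if LOG_CLEAR.search(ev["cmdline"]):
            return "defense evasion: log deletion"
        if TASK_CREATE.search(ev["cmdline"]):
            return "persistence: scheduled task created"
    elif ev["type"] == "imageload":
        dll, host = ev["image"].lower(), ev["process"].lower()
        if host.startswith(SYSTEM_DIRS) and any(d in dll for d in USER_WRITABLE):
            return "possible DLL sideloading: trusted binary loaded DLL from user-writable path"
    return None


def scan(events):
    """Run every event through classify() and keep (id, finding) pairs."""
    return [(ev["id"], hit) for ev in events if (hit := classify(ev))]


# Constructed sample telemetry; paths and names are illustrative, not IoCs.
SAMPLE = [
    {"id": 1, "type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"MSBuild.exe C:\Users\Public\proj.xml"},
    {"id": 2, "type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\IDE\devenv.exe", "cmdline": r"MSBuild.exe app.sln"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"cmd.exe /c del /q C:\ProgramData\app\*.log"},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r'schtasks.exe /create /sc minute /mo 30 /tn "Updater" /tr C:\Users\Public\u.exe'},
    {"id": 5, "type": "imageload", "process": r"C:\Program Files\Vendor\app.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\helper.dll"},
    {"id": 6, "type": "imageload", "process": r"C:\Program Files\Vendor\app.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},
]
```

Running `scan(SAMPLE)` flags events 1, 3, 4 and 5 and leaves the benign build (2) and system DLL load (6) alone; in production the rules would feed a SIEM rather than a list.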
This report serves as a critical resource for security professionals, laying out a comprehensive view of the current risks within the Ivanti product family and actionable steps for mitigating them. Its emphasis on timely patching and proactive monitoring underlines the importance of a well-rounded security posture in response to emerging vulnerabilities, and its reliance on vendor and partner protections, such as those from Palo Alto Networks, reflects a community-centric approach to defending against evolving threats.