Ivanti (Multiple Products and Versions) - Arbitrary Code Execution (RCE) via Stack-Based Buffer Overflow (CVE-2025-0282)
Description
Context
Ivanti Connect Secure (ICS) (formerly known as Pulse Connect Secure) provides an SSL VPN solution for remote and mobile users to connect to corporate resources from any web-enabled device. It also enables endpoint security posture assessment for mobile and desktop computing devices, with quarantine and remediation if necessary. Ivanti Policy Secure (IPS) is a network access control (NAC) solution which provides network access only to authorized and secured users and devices. It protects networks, mission-critical applications and sensitive data through comprehensive NAC management, visibility, and monitoring. It is designed to reduce the cost and complexity of delivering and deploying granular, identity- and role-enabled access controls.
Vulnerability Summary
A stack-based buffer overflow exists in Ivanti software.
Technical Details
The Ivanti software performs operations on a memory buffer but reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. A stack-based buffer overflow is a condition in which the buffer being overwritten is allocated on the stack (i.e., it is a local variable or, rarely, a parameter to a function). This can occur, for example, by declaring an automatic variable on the stack that is too large, e.g.: int foo() { int array[1000000]; }
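The CWE-121 pattern described above, shown as an added illustration rather than Ivanti's own code: a parser copies a length-prefixed field into a fixed-size stack buffer, bounding the copy by the input's own length byte but not by the buffer, alongside a hardened version that rejects oversized fields. The record format and sample records are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FIELD_MAX 16   /* size of the fixed stack buffer in both parsers */

/* Sums the copied bytes so the buffer contents are actually used. */
static int checksum(const char *buf, size_t n)
{
    int sum = 0;
    for (size_t i = 0; i < n; i++) sum += (unsigned char)buf[i];
    return sum;
}

/* Vulnerable pattern (CWE-121): the length comes from the input itself and is
 * checked against the record length, but never against the local buffer's size.
 * Shown for contrast only; a field longer than FIELD_MAX writes past 'field'. */
int parse_record_unsafe(const uint8_t *rec, size_t rec_len)
{
    char field[FIELD_MAX];
    if (rec_len < 1) return -1;
    size_t field_len = rec[0];                /* constructed format: length byte, then data */
    if (rec_len < 1 + field_len) return -1;   /* bounds the read, not the write */
    memcpy(field, rec + 1, field_len);        /* stack overflow when field_len > FIELD_MAX */
    return checksum(field, field_len);
}

/* Hardened version: the copy is bounded by sizeof(field); oversized fields are
 * rejected outright instead of being silently truncated or overflowing. */
int parse_record_safe(const uint8_t *rec, size_t rec_len)
{
    char field[FIELD_MAX];
    if (rec_len < 1) return -1;
    size_t field_len = rec[0];
    if (field_len > sizeof(field)) return -1;  /* the check the unsafe parser lacks */
    if (rec_len < 1 + field_len) return -1;
    memcpy(field, rec + 1, field_len);
    return checksum(field, field_len);
}

int main(void)
{
    /* Constructed sample records: a 4-byte field, and a record claiming 200 bytes. */
    const uint8_t ok[]  = {4, 'a', 'b', 'c', 'd'};
    const uint8_t bad[] = {200, 'x', 'y', 'z'};
    printf("well-formed: %d\n", parse_record_safe(ok, sizeof ok));   /* 394 */
    printf("oversized:   %d\n", parse_record_safe(bad, sizeof bad)); /* -1 */
    return 0;
}
```

The unsafe parser is never fed an oversized record here; its purpose is to show that validating the length against the packet alone does not protect the stack buffer.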
Impact If Exploited
Successful exploitation could result in unauthenticated remote execution of arbitrary (malicious) code. Due to the nature of Ivanti networking solutions, compromise of the Ivanti platform could also lead to potential downstream compromise of further (previously screened) systems, appliances and software within the targeted network.
Threat Landscape & Known Exploitation
This vulnerability has been reported by both the vendor (Ivanti) and CISA (America's Cyber Defense Agency), under its Known Exploited Vulnerabilities (KEV) catalogue process, as being actively exploited in the wild as of December 2024. Ivanti and its affected customers identified the compromise based on indications from the company-supplied Integrity Checker Tool (ICT) along with other commercial security monitoring tools, beginning mid-December 2024. In observed exploitation activity, the attackers have leveraged the vulnerability to install malware from a family tracked as Spawn, which includes a backdoor. The Spawn malware has previously been attributed to a China-tied espionage group tracked as UNC5337. The UNC5337 group has been tentatively reported to be part of UNC5221, a threat group previously observed exploiting Ivanti product vulnerabilities such as CVE-2023-46805 and CVE-2024-21887. Victims of those attacks included MITRE and CISA.
CISA have previously published warnings of the earlier, active exploitation of other vulnerabilities in Ivanti's product line, including most recently CVE-2024-9379 in October 2024.
Affected Product Versions
Ivanti Connect Secure before version 22.7r2.5
Ivanti Policy Secure before version 22.7r1.3
Ivanti Neurons for ZTA gateways before version 22.7r2.5
Indicators of Compromise (IoC)
(An Indicator of Compromise (IoC) is a piece of digital forensic evidence suggesting that an endpoint or network may have been breached. IoCs often include IP addresses involved in known exploitation. AppCheck provides this information so that customers can investigate a potential breach and take proactive actions, such as blocking known malicious IPs or URIs in firewalls and application delivery controllers, or adding File Integrity Check rules for known malicious file hashes.)
Ivanti has not publicly published a list of indicators of compromise (IoC) at the time of writing. However, the vendor reports that exploitation of the vulnerability can be identified by running the company's Integrity Checker Tool (ICT). Additionally, Ivanti states that Indicators of Compromise will be shared with customers that have confirmed impact, to move them forward in their forensic investigation. If customers require additional information, they should open a ticket with Ivanti support.
Third-Party security researchers have additionally published the following reported IoCs:
Code Family | Filename | Description
DRYHOOK | n/a | Credential Theft Tool
PHASEJAM | /tmp/s | Web Shell dropper
PHASEJAM Webshell | /home/webserver/htdocs/dana-na/auth/getComponent.cgi | Web Shell
PHASEJAM Webshell | /home/webserver/htdocs/dana-na/auth/restAuth.cgi | Web Shell
SPAWNSNAIL | /root/home/lib/libsshd.so | SSH backdoor
SPAWNMOLE | /root/home/lib/libsocks5.so | Tunneler
SPAWNANT | /root/lib/libupgrade.so | Installer
SPAWNSLOTH | /tmp/.liblogblock.so | Log tampering utility
Remediation
Official Remediation Guidance
Ivanti has rushed out security patches for Ivanti Connect Secure; the vulnerability is resolved in firmware version 22.7R2.5. However, patches for Ivanti Policy Secure and Ivanti Neurons for ZTA Gateways will not be ready until January 21, 2025, according to the security bulletin published at the time of writing.
NOTE: Ivanti still recommends admins perform a factory reset before upgrading to patched versions, in order to remove any potential malware.
Patches will be made available for download for all supported versions of the product once published via the download portal.
Due to ongoing active exploitation of this vulnerability, prioritisation should be given to the urgent remediation of vulnerable systems.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Temporary Mitigation & Workarounds
Ivanti has additionally advised that customers should always ensure that their IPS appliance is configured according to Ivanti recommendations and not expose it to the internet.
Ivanti also recommends all Connect Secure admins perform internal and external scans using their Integrity Checker Tool (ICT). If the scans come up clean, Ivanti still recommends admins perform a factory reset before upgrading to a patched version.
NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.
References
Vendor Advisories
Third-Party Analysis & Threat Intelligence
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day/
https://www.ncsc.gov.uk/news/active-exploitation-ivanti-vulnerability
https://www.securityweek.com/exploitation-of-new-ivanti-vpn-zero-day-linked-to-chinese-cyberspies/
Proof of Concept (PoC) and Exploit Code
TBC
Information
- Category
- Buffer Overflow
- CWE
- CWE-121
- CVE
- Known Exploitation Activity