Source: The Hacker News Author: info@thehackernews.com (The Hacker News) URL: https://thehackernews.com/2025/01/ivanti-flaw-cve-2025-0282-actively.html
ONE SENTENCE SUMMARY:
- A critical, actively exploited flaw in Ivanti Connect Secure, Policy Secure, and ZTA Gateways (CVE-2025-0282) lets unauthenticated attackers execute code remotely on the appliance.

MAIN POINTS:
- Ivanti Connect Secure, Policy Secure, and ZTA Gateways are affected by CVE-2025-0282, a stack-based buffer overflow.
- CVE-2025-0282 carries a CVSS score of 9.0 (critical).
- Successful exploitation gives an unauthenticated remote attacker code execution on the appliance.
- Mandiant linked the attacks to the SPAWN malware ecosystem and to UNC5337, a China-nexus cluster it assesses is likely part of UNC5221.
- PHASEJAM, a dropper, modifies Ivanti Connect Secure components (including the web server) and covertly blocks legitimate system upgrades while showing a fake upgrade progress bar.
- Attackers ran an ordered chain of steps on the appliance: disable SELinux, remount the root filesystem read-write, drop and execute the malware, then restore the original state.
- Evidence points to a careful, well-resourced actor: specific log entries were removed with sed to hide the intrusion.
- CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities catalog.
- Because exploitation is already under way, CISA set a patch deadline of January 15, 2025 (binding on federal civilian agencies; all other users are urged to follow it).
- Post-exploitation activity includes internal reconnaissance, credential harvesting, and lateral movement.

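The attack chain in the points above (disable SELinux, remount the root filesystem read-write, install, scrub log lines, restore state) is an ordered sequence that a detection engineer can hunt for in command or audit history rather than hunting for any one command, which on its own may be routine administration. The following Python detector is an added example, not code from the article, from Ivanti, or from Mandiant's report: it scans constructed audit-style command lines and reports which stages appear and whether the full sequence occurred in order. The command patterns (setenforce, mount -o remount, sed -i on log files) and the line format are assumptions about typical Linux appliance commands, not published indicators.

```python
"""Flag the SELinux-disable / remount-rw / log-scrub / SELinux-re-enable sequence
in a list of shell command audit lines. Added example; patterns and sample
lines are constructed, not indicators from the article."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Stage name plus a regex matched against one command line.
# Order matters: a "complete" sequence means the stages appear in this order.
STAGES = [
    ("selinux_disabled", re.compile(r"\bsetenforce\s+(0|permissive)\b", re.I)),
    ("root_remounted_rw", re.compile(r"\bmount\b.*\bremount\b.*\brw\b")),
    ("log_tampered", re.compile(r"\bsed\b.*\s-i\b.*(/var/log|\.log\b)")),
    ("selinux_reenabled", re.compile(r"\bsetenforce\s+(1|enforcing)\b", re.I)),
]


@dataclass
class Finding:
    stage: str
    line_no: int
    command: str


def match_stage(command: str):
    """Return the first stage name whose pattern matches, else None."""
    for name, pattern in STAGES:
        if pattern.search(command):
            return name
    return None


def detect_tamper_sequence(audit_lines: List[str]) -> Tuple[List[Finding], bool]:
    """Return (findings, complete).

    findings lists every line that hits a stage pattern;
    complete is True when all stages occur as an in-order subsequence."""
    findings = [
        Finding(stage, n, line.strip())
        for n, line in enumerate(audit_lines, 1)
        if (stage := match_stage(line))
    ]
    seen = iter(f.stage for f in findings)
    # `stage in seen` consumes the iterator up to the first match, so this
    # checks that the expected stages appear in order, gaps allowed.
    complete = all(stage in seen for stage, _ in STAGES)
    return findings, complete


def assess(audit_lines: List[str]) -> str:
    """Rough triage label: the full chain or any log scrubbing is 'high',
    a lone SELinux disable is 'medium', other single hits are 'low'."""
    findings, complete = detect_tamper_sequence(audit_lines)
    stages = {f.stage for f in findings}
    if complete or "log_tampered" in stages:
        return "high"
    if "selinux_disabled" in stages:
        return "medium"
    return "low" if findings else "none"


# Constructed sample session resembling the described chain (not real logs).
SAMPLE_ATTACK_SESSION = [
    "10:12:03 uid=0 cmd=setenforce 0",
    "10:12:05 uid=0 cmd=mount -o remount,rw /",
    "10:12:09 uid=0 cmd=/tmp/.t/install.sh",
    "10:12:14 uid=0 cmd=sed -i '/install.sh/d' /var/log/messages",
    "10:12:20 uid=0 cmd=setenforce 1",
    "10:12:21 uid=0 cmd=mount -o remount,ro /",
]

# Constructed benign maintenance session: a remount alone is not the chain.
SAMPLE_ADMIN_SESSION = [
    "09:00:01 uid=0 cmd=mount -o remount,rw /",
    "09:00:30 uid=0 cmd=cp /tmp/config.bak /etc/app.conf",
    "09:00:40 uid=0 cmd=mount -o remount,ro /",
]

if __name__ == "__main__":
    for label, session in (("attack", SAMPLE_ATTACK_SESSION),
                           ("admin", SAMPLE_ADMIN_SESSION)):
        found, complete = detect_tamper_sequence(session)
        print(label, assess(session), complete,
              [(f.stage, f.line_no) for f in found])
```

The subsequence check, rather than a simple set membership test, is what separates a routine read-write remount during maintenance from the chain described above; the triage labels are deliberately conservative, since a sed edit of a log file by root is worth a look even when the rest of the chain is missing.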
TAKEAWAYS:
- Patch promptly: with exploitation already observed, every exposed Ivanti appliance should be updated ahead of the January 15, 2025 deadline.
- Knowing the malware families in play (SPAWN, PHASEJAM) helps defenders recognise tampered appliance components and blocked upgrades.
- Continuous monitoring, including Ivanti's Integrity Checker Tool (ICT), can surface signs of compromise on the appliance; findings should be reported as incidents rather than silently remediated.
- Defenders should expect the tradecraft seen here (disabling SELinux, scrubbing logs, blocking upgrades) and not treat a clean-looking device as proof of no compromise.
- Working with cybersecurity agencies such as CISA improves threat intelligence sharing and speeds up response.