What is Ivanti Connect Secure?
Ivanti Connect Secure (formerly Pulse Connect Secure) is one of the most widely deployed enterprise SSL VPN platforms, used by thousands of organizations globally to provide remote employees and contractors with access to internal network resources. The appliance sits at the network perimeter, processing raw internet traffic to authenticate users before granting VPN access. Because it is internet-facing by design and handles unauthenticated connections, pre-authentication vulnerabilities on Connect Secure appliances carry the highest possible impact.
Ivanti Connect Secure has a history of severe vulnerabilities: CVE-2021-22893 (zero-day exploited by UNC2630 in 2021), CVE-2023-46805 and CVE-2024-21887 (2024 zero-days mass-exploited), and multiple flaws throughout 2024 and 2025.
Overview
CVE-2025-0282 is a pre-authentication stack-based buffer overflow (CWE-121) in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. It was exploited as a zero-day before the patch was released. The China-nexus threat actor UNC5221 deployed a sophisticated multi-component malware framework called SPAWN across compromised appliances, achieving persistence that survived firmware upgrades. CISA issued a 7-day mandatory remediation deadline simultaneously with the patch release, and followed up with Emergency Directive 25-01. Ransomware exploitation was also confirmed in addition to the initial espionage campaign.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Ivanti Connect Secure | ≤ 22.7R2.4 | 22.7R2.5 |
| Ivanti Policy Secure | ≤ 22.7R1.1 | 22.7R1.2 |
| Ivanti Neurons for ZTA Gateways | ≤ 22.8R2.1 | 22.8R2.2 |
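To triage an asset inventory against the table above, the version strings must be compared numerically rather than as text (Ivanti's `22.7R2.4` notation is major.minor R release.maintenance). The following added helper is not Ivanti's code; the fixed releases are those listed on this page, and the inventory rows are constructed for illustration.

```python
import re
from typing import List, Tuple

# Fixed releases per product, as given in the Affected Versions table above.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA Gateways": "22.8R2.2",
}

# Matches strings such as "22.7R2.4" or "22.7R2" (maintenance number optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn an Ivanti version string into a sortable tuple.

    A missing maintenance number ("22.7R2") is treated as .0, so that
    22.7R2 sorts below 22.7R2.1 as Ivanti's numbering intends.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, maint = m.groups()
    return (int(major), int(minor), int(release), int(maint or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the installed version is below the fixed release for the product."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fix data on this page for product {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (hostname, product, version) rows that still need the patch."""
    return [row for row in inventory if is_vulnerable(row[1], row[2])]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("vpn-gw-01", "Ivanti Connect Secure", "22.7R2.4"),
        ("vpn-gw-02", "Ivanti Connect Secure", "22.7R2.5"),
        ("nac-01", "Ivanti Policy Secure", "22.7R1.1"),
        ("zta-01", "Ivanti Neurons for ZTA Gateways", "22.8R2.2"),
    ]
    for host, product, version in triage(sample):
        print(f"NEEDS PATCH: {host} ({product} {version})")
```

A version at or above the fixed release only tells you the patch is installed; as the Exploitation Context section explains, it says nothing about whether a SPAWN implant is still present.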
Technical Details
The vulnerability is a stack-based buffer overflow (CWE-121) in the NCSA (Network Communications Security Architecture) processing component of Ivanti Connect Secure. A specially crafted unauthenticated network request overflows a stack buffer during SSL/TLS connection handling, corrupting the stack and enabling arbitrary code execution.
The High attack complexity (AC:H) in the CVSS score reflects that reliable exploitation required knowledge of the target's memory layout — not trivial, but achievable for a sophisticated nation-state actor. The Changed scope (S:C) reflects that compromising the VPN gateway provides an attacker with access to the internal network it protects.
SPAWN malware framework deployed post-exploitation by UNC5221:
- SPAWNANT: Installer that patches the Ivanti upgrade mechanism, achieving persistence that survives firmware updates
- SPAWNMOLE: SOCKS5 tunneler enabling traffic proxying through the compromised device as a network foothold
- SPAWNSNAIL: SSH backdoor providing persistent remote shell access independent of the VPN service state
- SPAWNSLOTH: Log tamper tool that removes evidence of compromise from audit and diagnostic logs
CVE-2025-0282 was also chained with CVE-2025-0283 (local privilege escalation) to achieve full root-level OS compromise.
Discovery
Mandiant (Google Threat Intelligence Group) identified active zero-day exploitation and reported it to Ivanti, enabling coordinated patch release and public disclosure on January 8, 2025. Mandiant attributed the pre-patch campaign to UNC5221, a China-nexus espionage group previously linked to Ivanti exploitation in 2021 and 2024.
Exploitation Context
UNC5221 began exploiting CVE-2025-0282 before January 8, 2025. Mandiant's incident response uncovered SPAWN malware implants on compromised Connect Secure appliances globally. The SPAWNANT persistence mechanism is particularly notable: it patches the Ivanti upgrade process itself, meaning a compromised appliance that is patched but not factory-reset may retain the implant through subsequent patches.
CISA issued Emergency Directive 25-01 on January 16, 2025, requiring all federal agencies to either patch and run the Integrity Checker Tool or disconnect affected devices from federal networks within 48 hours. Ransomware-affiliated actors subsequently exploited the vulnerability following UNC5221's initial espionage campaign, which is why Known Ransomware Use is flagged as Yes in the Key Details below.
Remediation
- Apply patches: Connect Secure 22.7R2.5+, Policy Secure 22.7R1.2+, ZTA 22.8R2.2+.
- Run Ivanti's Integrity Checker Tool (ICT) before and after patching — SPAWNANT survives firmware upgrades, so patching alone does not evict an existing implant.
- Perform a factory reset if the ICT returns anomalous results or if compromise is suspected; this is the only reliable way to evict SPAWN.
- Follow the CISA Mitigation Instructions for CVE-2025-0282 (listed under References) for complete hunt activity and remediation guidance.
- Hunt for SPAWN indicators: look for unexpected binaries in /home/perl/, modified Ivanti upgrade scripts, unexpected SOCKS5 proxy activity from the appliance, and unusual outbound SSH connections.
- Rotate all credentials that were accessible through the VPN: LDAP/AD bind credentials stored in the appliance, user session tokens, certificates, and RADIUS secrets.
- Restrict the management interface to a dedicated out-of-band management network; do not expose it to the internet.
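Two of the hunt and hardening items above (unusual outbound SSH from the appliance, and a management interface reachable from outside its dedicated network) can be checked from perimeter firewall logs without shell access to the appliance. The following added script is illustrative, not an Ivanti or CISA tool; the log format, the appliance and management addresses, and the sample lines are all constructed assumptions.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Assumed addressing (constructed): the appliance's external and internal interfaces,
# its management interface, and the only network that should reach that interface.
APPLIANCE_IPS = {"203.0.113.10", "10.0.5.20"}
MGMT_IP = "10.0.9.5"
MGMT_NET = ipaddress.ip_network("10.0.9.0/24")

# Constructed sample firewall log; assumed field order:
# timestamp action proto src:port -> dst:port
SAMPLE_LOG = """\
2025-01-09T02:14:05Z allow tcp 203.0.113.10:51234 -> 198.51.100.7:22
2025-01-09T02:14:09Z allow tcp 10.0.5.20:51240 -> 10.0.5.30:636
2025-01-09T02:15:11Z allow tcp 192.0.2.55:40001 -> 10.0.9.5:443
2025-01-09T02:16:30Z allow tcp 10.0.9.50:60000 -> 10.0.9.5:443
2025-01-09T02:17:02Z allow tcp 10.0.5.20:44010 -> 10.0.5.30:22
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split one log line into its fields; ports become ints."""
    ts, action, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "action": action, "proto": proto,
            "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port)}


def hunt(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (finding, timestamp, src, dst) tuples for suspicious flows."""
    findings = []
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_line(raw)
        # A VPN gateway has no routine reason to open SSH sessions outbound;
        # SPAWNSNAIL-style backdoors and operator hands-on-keyboard activity do.
        if rec["src"] in APPLIANCE_IPS and rec["proto"] == "tcp" and rec["dport"] == 22:
            findings.append(("outbound_ssh_from_appliance", rec["ts"], rec["src"], rec["dst"]))
        # The management interface should only ever be reached from MGMT_NET.
        if rec["dst"] == MGMT_IP and ipaddress.ip_address(rec["src"]) not in MGMT_NET:
            findings.append(("mgmt_interface_reached_from_outside", rec["ts"], rec["src"], rec["dst"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The LDAPS flow to the internal directory server (tcp/636) is left alone because authentication backends are the connections a Connect Secure appliance is expected to originate.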
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-0282 |
| Vendor / Product | Ivanti — Connect Secure, Policy Secure, and ZTA Gateways |
| NVD Published | 2025-01-08 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-121 |
| CISA KEV Added | 2025-01-08 |
| CISA KEV Deadline | 2025-01-15 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2025-01-08 | Zero-day disclosed; Ivanti releases patches; CISA adds to KEV with 7-day emergency deadline; Mandiant attributes to UNC5221 (China nexus) |
| 2025-01-15 | CISA BOD 22-01 emergency remediation deadline |
| 2025-01-16 | CISA issues Emergency Directive 25-01 requiring disconnection of unpatched devices |
References
| Resource | Type |
|---|---|
| Ivanti Security Advisory — CVE-2025-0282 / CVE-2025-0283 | Vendor Advisory |
| CISA Mitigation Instructions for CVE-2025-0282 | US Government |
| NVD — CVE-2025-0282 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Mandiant — Ivanti Connect Secure Zero-Day Exploitation by UNC5221 | Security Research |
| Rapid7 ETR — CVE-2025-0282 Zero-Day | Security Research |