CVE-2025-0282
CVE-2025-0283
January 9, 2025

Critical Vulnerabilities in Ivanti Connect Secure VPN Appliances

Security Advisory
Kudelski Security Team

Summary

On January 8, 2025, Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, impacting Ivanti Connect Secure (ICS) VPN appliances (and, as the table below shows, Ivanti Policy Secure and Ivanti Neurons for ZTA Gateways). Notably, CVE-2025-0282 has been exploited in the wild since December 2024. It is an unauthenticated stack-based buffer overflow (CVSS 9.0, Critical) that allows remote code execution on the appliance and, from there, compromise of the victim network. CVE-2025-0283 is also a stack-based buffer overflow, but it requires a local authenticated attacker and yields privilege escalation; Ivanti rates it High (CVSS 7.0), and no in-the-wild exploitation of it had been reported at the time of writing.

Ivanti has worked with Mandiant and other partners to address the vulnerabilities, releasing patches and mitigation guidance. Immediate action is required to secure systems, as ongoing analysis reveals sophisticated exploitation methods, multiple malware families, and advanced anti-forensic techniques.

Affected Systems and/or Applications

CVE            Product                          Affected versions                        Fixed version   Patch availability
CVE-2025-0282  Ivanti Connect Secure            22.7R2 through 22.7R2.4                  22.7R2.5        Released (Download Portal: https://portal.ivanti.com/)
CVE-2025-0283  Ivanti Connect Secure            22.7R2.4 and prior, 9.1R18.9 and prior   22.7R2.5        Released (Download Portal: https://portal.ivanti.com/)
CVE-2025-0282  Ivanti Policy Secure             22.7R1 through 22.7R1.2                  N/A             Patch planned, availability Jan. 21
CVE-2025-0283  Ivanti Policy Secure             22.7R1.2 and prior                       N/A             Patch planned, availability Jan. 21
CVE-2025-0282  Ivanti Neurons for ZTA Gateways  22.7R2 through 22.7R2.3                  22.7R2.5        Patch planned, availability Jan. 21
CVE-2025-0283  Ivanti Neurons for ZTA Gateways  22.7R2.3 and prior                       22.7R2.5        Patch planned, availability Jan. 21

CPE names given for the affected products:
  Ivanti Connect Secure: cpe:2.3:a:ivanti:connect_secure:22.7:R2.4:*:*:*:*:*:*
  Ivanti Policy Secure:  cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*:*:*

Technical Details

Critical Vulnerability CVE-2025-0282 – Exploitation Methodology

1. Version identification

  • Attackers identify the appliance version via HTTP requests to version-specific files such as:
    • /dana-cached/hc/hc_launcher.22.7.2.2615.jar
    • /dana-cached/hc/hc_launcher.22.7.2.3431.jar
  • Sequential HTTP requests for several of these files from VPS providers or Tor exit nodes suggest pre-exploitation activity, since each file corresponds to one build.

2. Post-exploitation

  • After exploitation, key steps include:
    1. Disabling SELinux.
    2. Blocking syslog forwarding with iptables.
    3. Remounting the filesystem read-write.
    4. Deploying web shells or malware.
    5. Sanitizing logs to erase traces of the exploitation.
  • Example Commands:

3. Web shell deployment

  • Attackers deploy a dropper that modifies ICS components, inserting Perl-based web shells (getComponent.cgi, restAuth.cgi) to enable remote access and command execution.
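The version probing in step 1 can be hunted for in web-server access logs. The script below is an added example, not code from the advisory, Ivanti or Mandiant: it parses constructed sample log lines, extracts the version from requests to /dana-cached/hc/hc_launcher.<version>.jar, and flags clients that request several distinct versions within a short window. The common/combined log format, the thresholds and the sample addresses are assumptions; the appliance's own log format differs, so LOG_RE must be adapted to the real source.

```python
"""Hunt for version probing of /dana-cached/hc/hc_launcher.<version>.jar in
access logs (added example; not from the advisory, Ivanti or Mandiant)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: common/combined log format; adapt LOG_RE for the real log source.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LAUNCHER_RE = re.compile(r"^/dana-cached/hc/hc_launcher\.(?P<version>[\d.]+)\.jar$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (client, timestamp, requested launcher version), or None if the
    line is malformed or is not a launcher request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    v = LAUNCHER_RE.match(m.group("path"))
    if not v:
        return None
    return m.group("client"), datetime.strptime(m.group("ts"), TS_FMT), v.group("version")


def find_version_probing(lines, min_versions=2, window=timedelta(minutes=10)) -> dict:
    """Return {client: sorted versions} for every client that requested at least
    `min_versions` distinct launcher versions within any `window`-long span.
    Thresholds are assumptions; tune them to your environment."""
    by_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            client, ts, version = parsed
            by_client[client].append((ts, version))

    findings = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span is <= `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            versions = {v for _, v in events[start:end + 1]}
            if len(versions) >= min_versions:
                findings[client] = sorted(versions)
                break
    return findings


# Constructed sample lines (documentation address ranges, not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jan/2025:11:02:13 +0000] "GET /dana-cached/hc/hc_launcher.22.7.2.2615.jar HTTP/1.1" 404 162',
    '203.0.113.7 - - [03/Jan/2025:11:02:15 +0000] "GET /dana-cached/hc/hc_launcher.22.7.2.3431.jar HTTP/1.1" 200 91034',
    '198.51.100.4 - - [03/Jan/2025:11:05:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120',
    '198.51.100.4 - - [03/Jan/2025:11:05:02 +0000] "GET /dana-cached/hc/hc_launcher.22.7.2.3431.jar HTTP/1.1" 200 91034',
    '203.0.113.7 - - [03/Jan/2025:12:30:00 +0000] "GET /dana-cached/hc/hc_launcher.22.7.2.2615.jar HTTP/1.1" 404 162',
]

if __name__ == "__main__":
    for client, versions in find_version_probing(SAMPLE_LOG).items():
        print(f"{client} probed launcher versions {', '.join(versions)}")
```

In the constructed sample, 203.0.113.7 requests two different launcher builds two seconds apart and is flagged, while 198.51.100.4 fetches a single launcher after a normal login page request and is not. The 404/200 pair from the probing client is the tell: whichever version-specific file exists reveals the build the attacker is about to target.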

Critical Vulnerability CVE-2025-0282 – Malware Families Observed

1.

  • Web shell dropper behaviour:
    • Inserts web shells (AccessAllow()) for RCE.
    • Blocks legitimate system upgrades.
    • Tampers with DSUpgrade.pm to simulate fake upgrade progress.
  • Hash recalculation: recalculates file hashes to evade Ivanti’s Integrity Checker Tool (ICT).

2.

  • Components:
    • Tunneler for malicious traffic.
    • SSH backdoor.
    • Log tampering utility.
  • Persists across upgrades by injecting into legitimate binaries such as dspkginstall.

3.

  • Credential harvesting by modifying DSAuth.pm.
  • Captures credentials during authentication, encrypts them, and stores them in /tmp/cmdmmap.kuwMW.

4. :

  • :and  remain unlinked to known actors but exhibit advanced evasion and
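The hash-recalculation technique mentioned above works because an integrity check that trusts a manifest stored on the compromised appliance is checking attacker-controlled state. The following is an added conceptual example, not Ivanti's ICT implementation (the ICT's manifest format and storage are not described here): it builds a SHA-256 manifest over constructed placeholder files named after the components above, shows that rewriting the on-box manifest after tampering makes the local check pass, and shows that a baseline held off the appliance still detects the change.

```python
"""Manifest-based integrity checking versus an attacker who re-hashes the
manifest (added conceptual example; not Ivanti's ICT implementation)."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """{path: content bytes} -> {path: sha256 hex digest}"""
    return {path: sha256(content) for path, content in files.items()}


def check(files: dict, manifest: dict) -> list:
    """Paths whose current content does not match the manifest, plus paths
    listed in the manifest but missing from disk."""
    mismatched = [p for p, c in files.items() if manifest.get(p) != sha256(c)]
    missing = [p for p in manifest if p not in files]
    return sorted(mismatched + missing)


# Constructed placeholder contents for components named in the advisory
APPLIANCE = {
    "DSUpgrade.pm": b"package DSUpgrade; # constructed placeholder\n",
    "DSAuth.pm": b"package DSAuth; # constructed placeholder\n",
    "dspkginstall": b"\x7fELF constructed placeholder\n",
}


def simulate() -> tuple:
    """Return (on-box result before re-hash, on-box result after re-hash,
    off-box baseline result) for a tampered DSUpgrade.pm."""
    on_box_manifest = build_manifest(APPLIANCE)       # stored on the appliance
    off_box_baseline = dict(on_box_manifest)          # copy held by vendor / analyst

    tampered = dict(APPLIANCE)
    tampered["DSUpgrade.pm"] += b"# hypothetical hook faking upgrade progress\n"

    before = check(tampered, on_box_manifest)         # tampering detected
    on_box_manifest.update(build_manifest(tampered))  # attacker re-hashes on-box manifest
    after = check(tampered, on_box_manifest)          # on-box check now passes
    external = check(tampered, off_box_baseline)      # off-box baseline still catches it
    return before, after, external


if __name__ == "__main__":
    before, after, external = simulate()
    print("on-box check before re-hash:", before)
    print("on-box check after re-hash: ", after)
    print("external baseline check:    ", external)
```

The practical consequence is the one the Mitigation section relies on: an integrity result is only as trustworthy as the baseline and the tool that produced it, which is why the external ICT, rather than only the on-box check, should be run, and why an appliance with a positive result is rebuilt rather than cleaned in place.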

Indicators of Compromise

  1. Files and Processes
    • Modified or dropped files:
      • DSUpgrade.pm, getComponent.cgi and restAuth.cgi
      • /tmp/.t, /tmp/svb, /tmp/s
    • Web shells:
      • Base64-encoded payloads written to /tmp/test.p.
  2. Network Activity
    • Sequential requests to:
      • /dana-cached/hc/hc_launcher.*.jar
    • Outbound connections:
      • From compromised appliances using
  3. Logs and Artifacts
    • Evidence of anti-forensic actions, including:
      • Clearing kernel logs via dmesg.
      • Removing specific log entries related to the exploitation.
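The post-exploitation steps and the file artifacts listed above can be checked offline against a mounted image of an appliance. The script below is an added example, not Ivanti's ICT and not tooling from the advisory or Mandiant: it looks for the /tmp artifacts and web-shell file names given on this page, checks whether /tmp/test.p holds base64-encoded content, and inspects an iptables-save dump for rules that block outbound syslog. Assumptions: syslog forwarding uses port 514, the rule dump is in iptables-save syntax, and the demo tree it builds (including the www/ directory) is constructed, not the real appliance layout. It cannot tell a modified DSUpgrade.pm or DSAuth.pm from a legitimate one without a known-good baseline.

```python
"""Offline triage of a mounted Ivanti Connect Secure filesystem image for the
artifacts named in this advisory (added example; not Ivanti's ICT)."""
import base64
import binascii
import os
import re
import tempfile

# /tmp artifacts named in the advisory, relative to the mounted root
TMP_ARTIFACTS = ["tmp/.t", "tmp/svb", "tmp/s", "tmp/test.p", "tmp/cmdmmap.kuwMW"]

# Web shell file names from the advisory; no directory is given, so any
# file with one of these basenames is reported.
WEBSHELL_NAMES = {"getComponent.cgi", "restAuth.cgi"}

# Assumption: syslog forwarding goes to port 514; rules are in iptables-save syntax
SYSLOG_BLOCK_RE = re.compile(r"-A\s+OUTPUT\b.*--dport\s+514\b.*-j\s+(DROP|REJECT)")


def looks_base64(data: bytes, min_len: int = 32) -> bool:
    """Heuristic: a long blob that decodes cleanly as base64 (whitespace ignored)."""
    text = b"".join(data.split())
    if len(text) < min_len or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", text):
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def triage_root(root: str) -> list:
    """Return [(path relative to root, reason)] for artifacts found under root."""
    findings = []
    for rel in TMP_ARTIFACTS:
        path = os.path.join(root, rel)
        if not os.path.lexists(path):
            continue
        reason = "/tmp artifact named in advisory"
        if rel == "tmp/test.p" and os.path.isfile(path):
            with open(path, "rb") as f:
                if looks_base64(f.read()):
                    reason += " (contains base64-encoded payload)"
        findings.append((rel, reason))
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name in WEBSHELL_NAMES:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, "web shell file name named in advisory"))
    return sorted(findings)


def syslog_blocked(iptables_save_text: str) -> list:
    """Return rules in an iptables-save dump that drop/reject outbound syslog."""
    return [ln.strip() for ln in iptables_save_text.splitlines()
            if SYSLOG_BLOCK_RE.search(ln)]


# --- constructed demo data (not a real appliance image or real rules) ---
DEMO_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p udp -m udp --dport 514 -j DROP
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


def build_demo_root() -> str:
    """Build a constructed fake appliance tree in a temp dir; 'www' is a
    hypothetical directory, not the real ICS web root."""
    root = tempfile.mkdtemp(prefix="ics-triage-")
    os.makedirs(os.path.join(root, "tmp"))
    os.makedirs(os.path.join(root, "www"))
    with open(os.path.join(root, "tmp", "test.p"), "wb") as f:
        f.write(base64.b64encode(b"#!/usr/bin/perl\nprint 'hypothetical payload';\n"))
    open(os.path.join(root, "tmp", ".t"), "wb").close()
    with open(os.path.join(root, "www", "getComponent.cgi"), "w") as f:
        f.write("# constructed placeholder, not a real web shell\n")
    return root


def run_demo() -> dict:
    """Build the constructed tree and return {'files': {path: reason}, 'rules': [...]}."""
    root = build_demo_root()
    return {"files": dict(triage_root(root)), "rules": syslog_blocked(DEMO_RULES)}


if __name__ == "__main__":
    result = run_demo()
    for path, reason in result["files"].items():
        print(f"{path}: {reason}")
    for rule in result["rules"]:
        print(f"syslog blocked by rule: {rule}")
```

Run triage_root against the mount point of an image taken before the appliance is factory-reset, and feed syslog_blocked the output of iptables-save captured from the live system; SELinux state and the read-write remount are runtime conditions and have to be checked on the running appliance (getenforce, mount) rather than on disk.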

Mitigation

Organizations using Ivanti Connect Secure appliances must take immediate action to address these vulnerabilities and safeguard their systems. Begin by running the latest version of Ivanti’s External Integrity Checker Tool (ICT), which is compatible with Ivanti Connect Secure.

Please conduct thorough scans, and submit the results to us along with a case if the scan indicates any positive findings.

In instances of positive ICT scans, a threat hunting campaign will be initiated to detect signs of pre-exploitation reconnaissance that may indicate compromise. As part of this effort, we are actively analyzing log data for signs of unauthorized request parameters. To support this investigation, ensure that Ivanti’s “User Access Log” feature is enabled and configured to capture “Unauthenticated request” logs (see Ivanti’s knowledge base article “User Access Log: What do ‘Unauthenticated request’ logs mean?”).

The latest version of the External Integrity Checker Tool (ICT-V22725) is compatible only with Ivanti Connect Secure (ICS) version 22.7R2.5 or higher.

  • Ivanti Connect Secure, clean ICT scan: Upgrade to version 22.7R2.5 and conduct a factory reset on the appliance as a precautionary measure before returning it to production. Consistently monitor both internal and external ICT scans in coordination with other security tools.
  • Ivanti Connect Secure, positive ICT scan: Perform a factory reset to eliminate potential malware and reconfigure the appliance using version 22.7R2.5. Continue monitoring closely with ICT and complementary security solutions.
  • Ivanti Policy Secure: As this product is not meant to be exposed to the internet, the risk of exploitation is significantly reduced.
  • Ivanti Policy Secure: A fix is scheduled for release on January 21, 2025, via the standard download portal. Patch promptly once it is available.
  • Ivanti Policy Secure: Verify that the IPS appliance is configured following Ivanti’s guidelines and never expose it to the internet. No known instances of exploitation of these CVEs in Ivanti Policy Secure have been reported.
  • Ivanti Neurons for ZTA Gateways: ZTA gateways in production are not vulnerable to exploitation. However, generated gateways that remain unconnected to a ZTA controller are at risk.
  • Ivanti Neurons for ZTA Gateways: A fix is also planned for January 21, 2025. Update your ZTA gateways promptly after the patch is released.
  • Ivanti Neurons for ZTA Gateways: No active exploitation of these CVEs in ZTA Gateways has been identified.
  • Use ICT-V22725 only with ICS version 22.7R2.5 or later.
  • Regularly monitor all appliances and ICT results, incorporating additional security tools for comprehensive oversight.
  • Ensure timely updates and adherence to Ivanti’s best practices for configuration and security management.

What the Cyber Fusion Center is Doing

The CFC will continue to monitor the situation and send an advisory update if needed. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.

We are also starting a hunting campaign based on the “Unauthenticated request” entries of the User Access Log, once that logging is enabled in the log source.
