Ivanti is warning that hackers exploited a Connect Secure remote code execution vulnerability tracked as CVE-2025-0282 in zero-day attacks to install malware on appliances.
The company says it became aware of the vulnerabilities after the Ivanti Integrity Checker Tool (ICT) detected malicious activity on customers’ appliances. Ivanti launched an investigation and confirmed that threat actors were actively exploiting CVE-2025-0282 as a zero-day.
CVE-2025-0282 is a critical (9.0) stack-based buffer overflow bug in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 that allows an unauthenticated attacker to remotely execute code on devices.
While the flaw impacts all three products, Ivanti says they’ve only seen it exploited on Ivanti Connect Secure appliances.
“We are aware of a limited number of customers’ Ivanti Connect Secure appliances being exploited by CVE-2025-0282 at the time of disclosure,” reads an Ivanti blog post.
“We are not aware of these CVEs being exploited in Ivanti Policy Secure or Neurons for ZTA gateways.”
Ivanti has rushed out security patches for Ivanti Connect Secure, which are resolved in firmware version 22.7R2.5.
However, patches for Ivanti Policy Secure and Ivanti Neurons for ZTA Gateways won’t be ready until January 21, according to a security bulletin published today.
Ivanti Policy Secure: This solution is not intended to be internet facing, which makes the risk of exploitation significantly lower. The fix for Ivanti Policy Secure is planned for release on January 21, 2025, and will be available in the standard download portal. Customers should always ensure that their IPS appliance is configured in accordance with Ivanti recommendations and not expose it to the internet. We are not aware of these CVEs being exploited in Ivanti Policy Secure.
Ivanti Neurons for ZTA Gateways: The Ivanti Neurons ZTA gateways cannot be exploited when in production. If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. The fix is planned for release on January 21, 2025. We are not aware of these CVEs being exploited in ZTA Gateways.
The company recommends all Ivanti Connect Secure admins perform internal and external ICT scans.
If the scans come up clean, Ivanti still recommends admins perform a factory reset before upgrading to Ivanti Connect Secure 22.7R2.5.
However, if the scans show signs of a compromise, Ivanti says a factory reset should remove any installed malware. The appliance should then be put back into production using version 22.7R2.5.
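The affected-version list above and the upgrade guidance are the kind of thing a defender wants to run against an appliance inventory. The following is an added example, not Ivanti's ICT or any Ivanti tooling: it parses version strings of the form seen on this page (Major.Minor, then R, then release and optional patch, e.g. 22.7R2.5; that layout is an assumption drawn from the quoted versions), compares each appliance against the fixed version named in the advisory for its product, and flags anything older. The hostnames and running versions in the sample inventory are constructed for the example.

```python
"""Inventory triage against the CVE-2025-0282 fixed versions (added example).

Assumption: Ivanti version strings look like 22.7R2.5 (major.minor R release[.patch]),
inferred from the versions quoted in the article. Not Ivanti's own tooling.
"""
import re
from typing import List, Tuple

# Fixed versions exactly as stated in the advisory text. Connect Secure is patched
# now; the other two products have fixes planned for January 21, 2025.
FIXED_VERSION = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA gateways": "22.7R2.3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5). A missing patch number counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti-style version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the running version is older than the advisory's fixed version."""
    if product not in FIXED_VERSION:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSION[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (hostname, product, version, status) rows for each appliance record.

    Per the advisory, a Connect Secure appliance below the fixed version should get
    ICT scans, a factory reset, and then the 22.7R2.5 upgrade; the status column
    only records whether the version is below the fix so the operator can act.
    """
    rows = []
    for host, product, version in inventory:
        status = "below fixed version" if is_vulnerable(product, version) else "at/above fixed version"
        rows.append((host, product, version, status))
    return rows


# Constructed sample inventory: hostnames and running versions are made up.
SAMPLE_INVENTORY = [
    ("vpn-edge-01", "Ivanti Connect Secure", "22.7R2.4"),
    ("vpn-edge-02", "Ivanti Connect Secure", "22.7R2.5"),
    ("nac-core-01", "Ivanti Policy Secure", "22.7R1.1"),
    ("zta-gw-01", "Ivanti Neurons for ZTA gateways", "22.7R2.3"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("{:<12} {:<32} {:<9} {}".format(*row))
```

The comparison is a plain tuple comparison on the parsed numbers, so a version with a missing patch component (22.7R2) sorts below 22.7R2.5, which is the conservative direction for this check.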
Today’s security updates also fix a second vulnerability tracked as CVE-2025-0283, which Ivanti says is not currently being exploited or chained with CVE-2025-0282. This flaw allows an authenticated local attacker to escalate their privileges.
As Ivanti is working with Mandiant and the Microsoft Threat Intelligence Center to investigate the attacks, we will likely see reports about the detected malware shortly.
BleepingComputer contacted Ivanti with further questions about the attacks and will update this story if we receive a response.
In October, Ivanti released security updates to fix three Cloud Services Appliance (CSA) zero-days that were actively exploited in attacks.