U.S. software company Ivanti has disclosed a critical zero-day vulnerability affecting its widely used Connect Secure VPN appliance. The flaw, tracked as CVE-2025-0282, allows unauthenticated remote attackers to execute code on the appliance, potentially giving them a foothold in sensitive corporate networks.
An Urgent Threat
Ivanti, whose Connect Secure solution is a staple across industries for secure remote access, issued a warning on Wednesday following reports of malicious activity detected by its Integrity Checker Tool (ICT). The company confirmed that threat actors were actively exploiting the vulnerability, with a "limited number of customers" already impacted. While a patch for Connect Secure is available, fixes for other affected products — Policy Secure and ZTA Gateways — are not expected until January 21, leaving users exposed.
The company also revealed the discovery of a second vulnerability, CVE-2025-0283, which has yet to be exploited but remains under scrutiny.
Expert Reactions and Warnings
Cybersecurity experts are raising red flags about the implications of the exploit. Martin Jartelius, CISO at Outpost24, emphasized the critical need for immediate action, drawing parallels to past incidents:
“Last time we had an Ivanti zero-day exploitation, the attackers shifted to their active/destructive phase as the patch became available. So, anyone impacted should firstly patch at once, and secondly review their readiness in incident response and keep extra eyes on their monitoring for the near future. Many still remember the Akira breach against Tietoevry in Sweden and its cascading impact on organizations and government agencies as the impacted organization was a service provider.”
Benjamin Harris, CEO of watchTowr, echoed these concerns, emphasizing the high stakes involved:
“The watchTowr Labs team is rapidly analyzing CVE-2025-0282, the currently in-the-wild exploited Ivanti Connect Secure zero-day, and we will share those findings shortly. Our concern is significant as this has all the hallmarks of APT usage of a zero-day against a mission-critical appliance.”
Harris also criticized the delayed patch timeline for Policy Secure and ZTA Gateways, urging affected organizations to act decisively:
“Users of these products should not hesitate—these appliances should be pulled offline until patches are available. Throw your vulnerability SLAs into the proverbial wind in situations like this. The difference between a rapid response, and a response in hours, could be the difference between your organization calling your cyber insurer or not.”
A History of Security Challenges
This isn’t the first time Ivanti’s products have been targeted by cybercriminals. In 2024, the company faced significant criticism after multiple vulnerabilities were exploited to launch widespread cyberattacks. The latest breach highlights ongoing challenges in securing mission-critical systems, especially those managed by third-party vendors.
What’s Next for Organizations?
With over 15,000 organizations relying on Ivanti Connect Secure, the stakes are high. Security professionals are urging immediate action, including:
Patch Deployment: Ivanti Connect Secure users must install the available update immediately.
Incident Response Readiness: Organizations should bolster monitoring and response capabilities to detect potential breaches swiftly.
Mitigating Delays: Users of Policy Secure and ZTA Gateways are advised to isolate affected systems until patches are released.
As Advanced Persistent Threat (APT) actors are suspected of leveraging the zero-day exploit, the situation underscores the need for a proactive, no-compromise approach to vulnerability management. Ivanti’s ability to navigate this crisis and rebuild trust will depend on its capacity to deliver robust patches and communicate effectively with its users in the weeks to come.