Threat and Vulnerability Intelligence Database

CVE-2025-0282

Description: Notification: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary (Description): CISA analyzed three files obtained from a critical infrastructure’s Ivanti Connect Secure device after threat actors exploited Ivanti CVE-2025-0282 for initial access. One file—that CISA is calling RESURGE—has functionality similar to SPAWNCHIMERA in how it creates a Secure Shell (SSH) tunnel for command and control (C2). RESURGE also contains a series of commands that can modify files, manipulate integrity checks, and create a web shell that is copied to the running Ivanti boot disk. The second file is a variant of SPAWNSLOTH that was contained within the RESURGE sample. The file tampers with the Ivanti device logs. The third file is a custom embedded binary that contains an open-source shell script and a subset of...

CVSS: CRITICAL (9.0)

Source: All CISA Advisories
March 28th, 2025 (18 days ago)

CVE-2025-0282

Description: CISA has published a Malware Analysis Report (MAR) with analysis and associated detection signatures on a new malware variant CISA has identified as RESURGE. RESURGE contains capabilities of the SPAWNCHIMERA[1] malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior. These commands:

- Create a web shell, manipulate integrity checks, and modify files.
- Enable the use of web shells for credential harvesting, account creation, password resets, and escalating permissions.
- Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image.

RESURGE is associated with the exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances. CVE-2025-0282 is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog on January 8, 2025. For more information on the abovementioned malware variants and YARA rules for detection, see: MAR-25993211.R1.V1.CLEAR. For a downloadable copy of the SIGMA rule associated with this MAR, see: AR25-087A SIGMA YAML. CISA urges users and administrators to implement the following actions in addition to the Mitigation Instructions for CVE-2025-0282:

- For the highest level of confidence, conduct a factory reset. For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device.
- See Ivan...

CVSS: CRITICAL (9.0)

Source: All CISA Advisories
March 28th, 2025 (18 days ago)

CVE-2025-0282

Description: Check out recommendations from CISA and others on how to protect network edge devices. Plus, OWASP has published the 10 risks associated with non-human identities. In addition, find out why ransomware payments plunged in 2024. And a new U.K. non-profit will categorize cyber incidents’ severity. And much more! Dive into six things that are top of mind for the week ending Feb. 7.

1 - New cyber guides unpack how to secure network edge devices

Looking for insights and best practices for preventing and mitigating cyberattacks against network edge devices, such as routers, VPN gateways, IoT devices, web servers and internet-facing operational technology (OT) systems? You might want to check out new guidance published by several cybersecurity agencies this week. “Foreign adversaries routinely exploit software vulnerabilities in network edge devices to infiltrate critical infrastructure networks and systems,” reads a statement from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). “These guidance documents detail various considerations and strategies for a more secure and resilient network both before and after a compromise,” the statement adds. These are the new guides, jointly published by cyber agencies from various countries: Security Considerations for Edge Devices, led by the Canadian Centre for Cyber Security (CCCS), includes: A description of common threats to edge devices, such as misconfigurations and mismanagement; vulnerability exploitation; and denial of serv...

CVSS: CRITICAL (9.0)

Source: Tenable Blog
February 7th, 2025 (2 months ago)

CVE-2025-0282

Description: Note: The CVEs in this advisory are unrelated to vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in Ivanti’s Connect Secure, Policy Secure and ZTA Gateways. For more information on mitigating CVE-2025-0282 and CVE-2025-0283, see Ivanti Releases Security Updates for Connect Secure, Policy Secure, and ZTA Gateways. Summary: The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities. According to CISA and trusted third-party incident response data, threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380 and the other exploited CVE-2024-8963 and CVE-2024-9379. In one confirmed compromise, the actors moved laterally to two servers. All four vulnerabilities affect Ivanti CSA version 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below; according to Ivanti, t...

CVSS: CRITICAL (9.0)

EPSS Score: 15.33%

Source: All CISA Advisories
January 22nd, 2025 (3 months ago)

CVE-2025-0282

Description: CVE-2025-0282 and CVE-2025-0283 affect multiple Ivanti products. This threat brief covers attack scope, including details from an incident response case. The post Threat Brief: CVE-2025-0282 and CVE-2025-0283 appeared first on Unit 42.

CVSS: CRITICAL (9.0)

EPSS Score: 15.33%

Source: Palo Alto Unit42
January 17th, 2025 (3 months ago)

CVE-2025-0282

Description: Critical Vulnerability CVE-2025-0282 in Ivanti Connect Secure Enables Remote Command Execution via Buffer Overflow

CVSS: CRITICAL (9.0)

EPSS Score: 15.33%

Source: DarkWebInformer
January 14th, 2025 (3 months ago)

CVE-2025-0282

Description: As we saw in our previous blogpost, we fully analyzed Ivanti’s most recent unauthenticated Remote Code Execution vulnerability in their Connect Secure (VPN) appliance. Specifically, we analyzed CVE-2025-0282. Today, we’re going to walk through exploitation. Once again, however, stopping short of providing the world with a

CVSS: CRITICAL (9.0)

EPSS Score: 15.33%

Source: Watchtower Labs
January 12th, 2025 (3 months ago)

CVE-2025-0282

Description: Did you have a good break? Have you had a chance to breathe? Wake up. It’s 2025, and the chaos continues. Haha, see what we did? We wrote the exact same thing in 2024 because 2024 was exactly the same. As an industry, we are on Groundhog Day

CVSS: CRITICAL (9.0)

EPSS Score: 15.33%

Source: Watchtower Labs
January 10th, 2025 (3 months ago)

CVE-2025-0282

Description: Two stack-based buffer overflow issues were disclosed in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA. CVE-2025-0282, the more severe of the two issues, has been exploited in the wild against Ivanti Connect Secure devices.

CVSS: CRITICAL (9.0)

EPSS Score: 15.33%

Source: Rapid7
January 9th, 2025 (3 months ago)

CVE-2025-0282

Description: Ivanti has disclosed a critical zero-day vulnerability (CVE-2025-0282) actively exploited in the wild, affecting Ivanti Connect Secure (ICS) VPN appliances. The flaw, a stack-based buffer overflow, allows unauthenticated remote code execution, potentially compromising entire network infrastructures. Ivanti has released a patch and strongly advises immediate updates to ICS version 22.7R2.5 or higher. The advisory also … The post Hackers Exploiting Critical Ivanti VPN Code Execution Vulnerability appeared first on CyberInsider.

CVSS: CRITICAL (9.0)

EPSS Score: 15.33%

Source: CyberInsider
January 9th, 2025 (3 months ago)