Active Exploitation of Critical Zero-Day Vulnerability in Ivanti Connect Secure
10 January 2025
Ivanti has released updates addressing a critical zero-day vulnerability (CVE-2025-0282) in the Ivanti Connect Secure product. This vulnerability is reportedly being actively exploited.
Successful exploitation of the vulnerability could allow an unauthenticated attacker to perform remote code execution (RCE) on vulnerable devices.
This vulnerability affects Ivanti Cloud Secure versions prior to 22.7R2.5.
On 28 March 2025, the Cybersecurity & Infrastructure Security Agency (CISA) identified a new malware variant named RESURGE. RESURGE is associated with the exploitation of CVE-2025-0282. The malware can modify files, manipulate integrity checks, and create a web shell that is copied to the Ivanti boot disk.
For a copy of the malware analysis report, see: https://www.cisa.gov/sites/default/files/2025-03/MAR-25993211.r1.v1.CLEAR_.pdf
For more information on the abovementioned malware variants and YARA rules for detection, see: MAR-25993211.R1.V1.CLEAR.
For a downloadable copy of the SIGMA rule associated with this MAR, see: AR25-087A SIGMA YAML.
For a list of recommended mitigating actions by CISA, see: Mitigation Instructions for CVE-2025-0282
Users and administrators of affected product versions are advised to update to the latest versions immediately.
More information is available here: