UPDATED 18:46 EST / JANUARY 09 2025

Ivanti discloses critical VPN vulnerability being actively targeted by hackers

Hackers are actively targeting deployments of some Ivanti Inc. software products using a newly disclosed security vulnerability.

The company disclosed the vulnerability, which is tracked as CVE-2025-0282, on Wednesday.

Ivanti is a major provider of infrastructure management and cybersecurity software with more than 40,000 customers. According to the company, those customers include several U.S. government agencies. CVE-2025-0282 affects three Ivanti products: Connect Secure, Neurons for ZTA Gateways and Policy Secure.

Connect Secure is a virtual private network, or VPN, tool for enterprises. It enables workers to remotely log into their company’s systems via an encrypted connection. Ivanti says that Connect Secure is one of the most widely used products in its category.

Neurons for ZTA Gateways, the second product affected by the vulnerability, is likewise designed to let workers securely log into business applications. It can be used together with Connect Secure. The third affected product, Policy Secure, enables administrators to centrally manage workers’ access to the corporate network.

Hackers began exploiting the vulnerability in mid-December, Google LLC’s Mandiant cybersecurity unit detailed in a blog post. Its researchers analyzed several of the Connect Secure appliances that the hackers had breached. On one of the appliances, they discovered malware associated with a China-linked hacking group tracked as UNC5337.

“Mandiant suspects with medium confidence that UNC5337 is part of UNC5221,” the Google unit’s researchers wrote. “UNC5221 is a suspected China-nexus espionage actor that exploited vulnerabilities CVE-2023-46805 and CVE-2024-21887, which impacted Ivanti Connect Secure VPN and Ivanti Policy Security appliances as early as December 2023.”

The new vulnerability detailed this week has a CVSS severity score of 9.0 out of a maximum possible 10. It can be exploited remotely without authentication, which means hackers don’t need valid login credentials to gain access to an affected appliance. This makes it significantly easier to launch cyberattacks.

According to Ivanti, CVE-2025-0282 is a stack-based buffer overflow. Such flaws let an attacker write more data into a fixed-size buffer on the program’s stack than the buffer was sized to hold, so the excess spills into adjacent stack memory, such as other local variables and saved return addresses, and corrupts it. With carefully crafted input, an attacker can use that corruption to redirect the program’s execution and run code of their choosing.

Mandiant’s researchers determined that cyberattacks targeting CVE-2025-0282 generally unfold in phases. 

First, after exploiting the flaw to gain code execution on a vulnerable Connect Secure appliance, the hackers disable SELinux on the underlying Linux system. SELinux is a mandatory access control layer in the Linux kernel that restricts which files and operating system features a program may access, even when it runs as root. They then block syslog forwarding, the mechanism that ships the appliance’s activity logs to an external log server where administrators can review them.

With those protections off, the hackers install their malicious code on the targeted appliance. They then edit the system logs to remove the entries their activity generated and turn SELinux back on, so the appliance looks untouched on a casual inspection. Because this cleanup removes the traces defenders would normally look for, patching alone does not tell an organization whether an appliance was already compromised.
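One way to turn the sequence above into detection logic, as an added example that is not part of the article or of Mandiant’s report: a small Python detector run over constructed audit-style log lines. The log format, host names and exact command strings are assumptions (the page does not give them); `setenforce` is the real Linux command that toggles SELinux enforcement, and cutting syslog forwarding with an outbound firewall rule on the syslog port is one assumed way an attacker could do what the report describes.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real appliance output). The format, hostnames
# and command strings are assumptions for this example. vpn-gw1 follows the
# reported sequence; vpn-gw2 (maintenance toggle) and vpn-gw3 (log rotation)
# are benign administrator activity that must not fire.
SAMPLE_LOG = """\
2024-12-20T03:14:02Z vpn-gw1 audit: uid=0 cmd="setenforce 0"
2024-12-20T03:14:05Z vpn-gw1 audit: uid=0 cmd="iptables -A OUTPUT -p udp --dport 514 -j DROP"
2024-12-20T03:14:40Z vpn-gw1 audit: uid=0 cmd="sh /tmp/.t"
2024-12-20T03:15:01Z vpn-gw1 audit: uid=0 cmd="sed -i '/tmp/d' /var/log/messages"
2024-12-20T03:15:03Z vpn-gw1 audit: uid=0 cmd="setenforce 1"
2024-12-20T09:00:00Z vpn-gw2 audit: uid=0 cmd="setenforce 0"
2024-12-20T09:05:00Z vpn-gw2 audit: uid=0 cmd="setenforce 1"
2024-12-21T01:00:00Z vpn-gw3 audit: uid=0 cmd="rm /var/log/messages.1"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) audit: uid=(?P<uid>\d+) cmd="(?P<cmd>.*)"$'
)

# One regex per stage of the sequence Mandiant describes. Blocking syslog
# with an outbound firewall rule on port 514 is an assumed technique; the
# article only says forwarding was blocked.
STAGES = {
    "selinux_off":  re.compile(r"^setenforce\s+0\b"),
    "syslog_block": re.compile(r"^iptables\b.*\bOUTPUT\b.*--dport\s+514\b"),
    "log_tamper":   re.compile(r"^(?:sed\s+-i\b|rm\b|truncate\b|:\s*>).*/var/log/"),
    "selinux_on":   re.compile(r"^setenforce\s+1\b"),
}


@dataclass
class Event:
    ts: datetime
    host: str
    uid: int
    cmd: str


@dataclass
class Finding:
    host: str
    start: datetime
    end: datetime
    stages: list


def parse_log(text):
    """Parse the constructed audit format; unrelated or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["host"], int(m["uid"]), m["cmd"]))
    return events


def classify(cmd):
    """Return the stage name a command line matches, or None."""
    for name, rx in STAGES.items():
        if rx.search(cmd):
            return name
    return None


def detect_antiforensics(events, window=timedelta(hours=1)):
    """Flag hosts where SELinux was disabled and re-enabled within `window`
    with syslog blocking or log editing in between. A plain off/on toggle
    or a lone log deletion does not fire on its own."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    findings = []
    for host, evs in by_host.items():
        start, seen = None, []
        for ev in evs:
            stage = classify(ev.cmd)
            if stage == "selinux_off":
                start, seen = ev.ts, [stage]      # open a bracket for this host
            elif start is None:
                continue                           # no bracket open; ignore
            elif ev.ts - start > window:
                start, seen = None, []             # bracket expired unanswered
            elif stage == "selinux_on":
                seen.append(stage)
                if any(s in seen for s in ("syslog_block", "log_tamper")):
                    findings.append(Finding(host, start, ev.ts, seen))
                start, seen = None, []             # bracket closed
            elif stage is not None:
                seen.append(stage)
    return findings


if __name__ == "__main__":
    for f in detect_antiforensics(parse_log(SAMPLE_LOG)):
        print(f"{f.host}: {f.start:%H:%M:%S}-{f.end:%H:%M:%S} {' -> '.join(f.stages)}")
```

The detector only fires on the full bracket (SELinux off, tampering, SELinux back on), so routine maintenance toggles and log rotation stay quiet. The caveat the sequence itself implies: once forwarding is cut, the later stages never reach a central collector, so in practice a `setenforce 0` event followed by silence from that host is the signal to act on, and the full sequence is only recoverable from the appliance’s own disk.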

Ivanti has released a patch for Connect Secure, version 22.7R2.5, that fixes CVE-2025-0282 and CVE-2025-0283, a second vulnerability disclosed alongside it. Ivanti has shared few technical details about the latter flaw beyond describing it as a local privilege-escalation bug that requires an already authenticated attacker, and it says it is not aware of that flaw being exploited. The company plans to patch Neurons for ZTA Gateways and Policy Secure on Jan. 21.

The discovery of the vulnerabilities comes less than a year after researchers uncovered a different set of zero-day vulnerabilities in Connect Secure and Policy Secure, the CVE-2023-46805 and CVE-2024-21887 flaws cited by Mandiant. It’s estimated that hackers used those flaws to breach more than 2,000 customer deployments.

Image: Ivanti
