
Hackers exploiting Ivanti Connect Secure have found ways to conceal themselves, bypassing security measures

Thousands of devices are potentially compromised; Mandiant experts recommend verifying appliance integrity with Ivanti's updated Integrity Checker Tool.


Ivanti Connect Secure and its sibling gateway products are affected by several critical vulnerabilities, including heap-based and stack-based buffer overflows, that can allow unauthorized access or remote code execution on the appliance.

The most recent advisory, for CVE-2025-5462 (a heap-based buffer overflow), lists the following affected products and versions:

  • Ivanti Connect Secure (ICS): Versions 22.7R2.7 and earlier
  • Ivanti Policy Secure (IPS): Versions 22.7R1.4 and earlier
  • Ivanti ZTA Gateway: Versions 22.8R2.2 and earlier
  • Ivanti Neurons for Secure Access: Versions 22.8R1.3 and earlier
  • Ivanti Virtual Application Delivery Controller (vADC): Versions 22.8R2 and earlier

Ivanti reported no evidence of in-the-wild exploitation of CVE-2025-5462 at the time of disclosure. The earlier, related flaws CVE-2025-0282 and CVE-2025-0283 are a different matter: both are stack-based buffer overflows in the same product family, CVE-2025-0282 allows a remote unauthenticated attacker to execute code, and it was exploited as a zero-day before Ivanti's patch shipped (it is listed in CISA's Known Exploited Vulnerabilities catalog). In either case the critical nature of these vulnerabilities necessitates immediate action.

Recommended Actions

  1. Apply the latest patches immediately. The fixed releases for CVE-2025-0282 and CVE-2025-0283 are:
     • Ivanti Connect Secure: Version 22.7R2.5 or later
     • Ivanti Policy Secure: Version 22.7R1.2 or later
     • Ivanti Neurons for ZTA Gateways: Version 22.7R2.3 or later
     These builds predate the CVE-2025-5462 affected list above, which for Connect Secure runs through 22.7R2.7, so an appliance at 22.7R2.5 is patched against the January flaws but not against CVE-2025-5462. Upgrade to the fixed release named in the Ivanti advisory for that CVE (and the corresponding fixed versions for the other affected products).
  2. Run Ivanti's Integrity Checker Tool (ICT) before and after patching to detect any possible system compromise. Note that the external ICT requires a gateway restart.
  3. Monitor appliances continuously after the update for unusual activity; patching closes the entry point but does not evict an attacker who is already present.
  4. Follow the security advisories from Ivanti and governmental cybersecurity centers for emerging threats and further patches.
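Because the two advisories have different fixed builds, the practical question for an operator is which appliances sit below the fix for each CVE. The following Python script is an added example, not code from Ivanti, Mandiant or the original article: it parses Ivanti's major.minorRrelease.build version strings and triages a constructed inventory against the fixed versions. The fixed builds for CVE-2025-0282/0283 are the ones given in the recommended actions above; the CVE-2025-5462 fixed builds are an assumption, taken to be the first build after each "and earlier" ceiling in the affected list (22.7R2.7 to 22.7R2.8, and so on), and must be confirmed against the Ivanti advisory. The host names and the inventory file are constructed.

```python
import re
from typing import Dict, List, Tuple

# Ivanti gateway builds look like "22.7R2.7": <major>.<minor>R<release>[.<build>].
# A missing build (e.g. "22.8R2") is treated as build 0, so "22.8R2" sorts
# below "22.8R2.1", matching how the advisory's "22.8R2 and earlier" reads.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an Ivanti version string into a tuple that compares numerically."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, build = m.groups()
    return (int(major), int(minor), int(release), int(build or 0))


# The article names the ZTA product differently in its two lists; fold the
# January name onto the August one so both advisories apply to the same host.
_ALIASES = {"Ivanti Neurons for ZTA Gateways": "Ivanti ZTA Gateway"}

# First fixed build per product, keyed by advisory.
# CVE-2025-0282/0283: the fixed versions listed in the recommended actions.
# CVE-2025-5462: ASSUMED to be the first build after each "and earlier"
# ceiling in the affected list (22.7R2.7 -> 22.7R2.8, ...). Confirm these
# rows against the Ivanti advisory before acting on them.
FIXED_FROM: Dict[str, Dict[str, str]] = {
    "CVE-2025-0282/0283": {
        "Ivanti Connect Secure": "22.7R2.5",
        "Ivanti Policy Secure": "22.7R1.2",
        "Ivanti ZTA Gateway": "22.7R2.3",
    },
    "CVE-2025-5462": {
        "Ivanti Connect Secure": "22.7R2.8",
        "Ivanti Policy Secure": "22.7R1.5",
        "Ivanti ZTA Gateway": "22.8R2.3",
        "Ivanti Neurons for Secure Access": "22.8R1.4",
        "Ivanti vADC": "22.8R2.1",
    },
}


def open_cves(product: str, version: str) -> List[str]:
    """Advisories for which this product build is still below the fixed build."""
    product = _ALIASES.get(product, product)
    installed = parse_version(version)
    return [
        cve
        for cve, per_product in FIXED_FROM.items()
        if product in per_product and installed < parse_version(per_product[product])
    ]


def triage(inventory_csv: str) -> Dict[str, List[str]]:
    """Map each 'host,product,version' row to the advisories still open on it.

    A version that cannot be parsed is reported as a finding ('UNPARSED:...')
    rather than skipped: an appliance whose build is unknown is not a pass.
    """
    findings: Dict[str, List[str]] = {}
    for line in inventory_csv.strip().splitlines():
        host, product, version = (field.strip() for field in line.split(","))
        try:
            findings[host] = open_cves(product, version)
        except ValueError:
            findings[host] = ["UNPARSED:" + version]
    return findings


# Constructed sample inventory; the host names are not real.
SAMPLE_INVENTORY = """\
vpn-gw-01,Ivanti Connect Secure,22.7R2.4
vpn-gw-02,Ivanti Connect Secure,22.7R2.5
vpn-gw-03,Ivanti Connect Secure,22.7R2.8
nac-01,Ivanti Policy Secure,22.7R1.2
adc-01,Ivanti vADC,22.8R2
zta-01,Ivanti Neurons for ZTA Gateways,22.7R2.3
legacy-01,Ivanti Connect Secure,unknown
"""

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {'patched' if not cves else ', '.join(cves)}")
```

The point the sample inventory makes is the one the version lists above hide: vpn-gw-02 at 22.7R2.5 is closed against CVE-2025-0282/0283 but still open for CVE-2025-5462, and a host whose version string cannot be read is surfaced as a finding instead of disappearing from the report.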

Mandiant researchers have identified a suspected espionage actor linked to the People's Republic of China that has used living-off-the-land techniques and deployed novel malware on compromised appliances. According to Mandiant, the malware shares some code with tooling used by UNC3886, a state-linked cyber-espionage actor previously tied to attacks on VMware ESXi hosts.

Threat actors have been observed attempting to maintain persistence across system upgrades, factory resets and patch deployment. A patched appliance is therefore not automatically a clean one, which is why integrity checking and post-patch monitoring are required alongside the update.

Ivanti has released an enhanced external Integrity Checker Tool, and both Ivanti and Mandiant are urging organizations to run the updated tool to check their appliances for evidence of compromise rather than relying on a result from an older ICT version.

It is essential to prioritize these measures to safeguard your systems and data. By following the recommended actions, you can significantly reduce the risk of a cyberattack exploiting Ivanti Connect Secure and related gateways.


  1. The critical vulnerabilities in Ivanti Connect Secure and related products, several of which allow unauthorized access or remote code execution, show once more that internet-facing access gateways are a prime target for malware and espionage operations.
  2. Given their severity, organizations must apply the fixed versions from the Ivanti Security Advisory to every affected product immediately.
  3. Patching is necessary but not sufficient: run Ivanti's Integrity Checker Tool, monitor the appliances continuously, and follow the advisories of Ivanti and governmental cybersecurity centers, as both Ivanti and Mandiant researchers recommend.
