Hackers exploit a new security vulnerability in Ivanti's VPN to infiltrate corporate networks.
Mandiant reports that a Chinese cyberespionage group has been exploiting a high-severity vulnerability since at least mid-December.
Ivanti, a well-known U.S. software company, has issued an alert about a zero-day vulnerability in its widely used corporate VPN appliance, which has been exploited to compromise its corporate customers' networks. The flaw, tracked as CVE-2025-0282, can be exploited without authentication, allowing attackers to execute malicious code on its Connect Secure, Policy Secure, and ZTA Gateways products.
Connect Secure, Ivanti's remote access VPN solution, is marketed as the most widely adopted among organizations of all sizes and sectors. This incident is the latest in a series of security vulnerabilities affecting Ivanti's products in recent years. After earlier attacks that led to a series of large-scale cyber incidents, the company had promised a review of its security processes.
Ivanti detected the new vulnerability through its Ivanti Integrity Checker Tool (ICT), which identified malicious activity on some customers' appliances. In an official advisory, the company confirmed that malicious actors were already actively exploiting the vulnerability and that, unfortunately, it had been discovered before the company could release a fix. So far, a limited number of Ivanti Connect Secure customers are reported to have been affected.
The company has released a patch for Connect Secure, while updates for Policy Secure and ZTA Gateways, which have not been confirmed as exploitable, are scheduled for release on January 21. A second vulnerability, CVE-2025-0283, has also been identified but has not yet been exploited by attackers.
Although Ivanti has not disclosed the number of affected customers or the identity of those responsible for the attacks, the incident response firm Mandiant, which discovered the vulnerability together with researchers from Microsoft, said it has observed exploitation of Connect Secure since mid-December 2024. Mandiant could not attribute the attacks to a specific group, but a China-linked cyberespionage group is suspected.
Security experts such as Ben Harris of watchTowr Labs have highlighted the significant impact of this vulnerability and have been working to inform their clients about it. Harris emphasized that the attacks bear the hallmarks of advanced exploitation of a critical vulnerability and urged those affected to take the warning seriously.
The UK's National Cyber Security Centre has also said it is investigating cases of active exploitation affecting networks in the country. The U.S. cybersecurity agency CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog.