Learn about the latest emerging threat - CVE-2025-0282 and CVE-2025-0283 affecting Ivanti Connect Secure, Policy Secure and ZTA Gateways that were detailed on 8 January 2025.
Ivanti have disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283 affecting Ivanti Connect Secure, Policy Secure and ZTA Gateways. CVE-2025-0282 has a CVSS base score of 9.0 (Critical).
Active exploitation of CVE-2025-0282, affecting Connect Secure VPN devices, has been observed. A patch has been released to mitigate this vulnerability.
On January 8, 2025, Ivanti released a security advisory disclosing two vulnerabilities affecting several devices: Ivanti Connect Secure, Policy Secure and ZTA Gateways. The criticality of this advisory was further reinforced with additional public advisories from the UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and a detailed, technical analysis by Mandiant.
Both vulnerabilities are stack-based buffer overflows that allow for remote code execution by unauthenticated attackers (CVE-2025-0282) and local privilege escalation (CVE-2025-0283) on these Ivanti appliances.
Ivanti is aware of active exploitation of Connect Secure VPN devices through CVE-2025-0282. According to Mandiant, exploitation of this CVE has been observed since mid-December 2024, with a variety of secondary malware deployed. Successful exploitation may enable an attacker to gain access to an organisation’s enterprise network.
Organisations using Ivanti Connect Secure, Policy Secure or ZTA Gateways are affected.
Specifically, these vulnerabilities affect all versions of:
While the full impact of this vulnerability is still unknown, given the widespread attention and response triggered by previous Ivanti and other providers’ VPN vulnerabilities—including multiple government advisories—we assess a potential for a significant impact.
Given their critical role in enabling secure remote access to an organisation’s resources, VPNs are extensively used by both clients and suppliers, making them a high-value target for malicious actors.
It is important to assess the potential impact of these vulnerabilities—whether through your organisation’s Ivanti VPN deployments or Ivanti VPNs used by your suppliers. The successful exploitation of a supplier’s VPN could lead to significant disruptions to critical services, create an entry point for attackers into your own network, or even result in the exposure or loss of sensitive data that your suppliers manage on your behalf.
If your organisation uses the vulnerable Ivanti products listed above, follow the actions outlined in the NCSC Advisory:
Evaluate the potential scope of disruption by assessing which of your suppliers may be affected by this vulnerability. Suppliers will be asked to respond to an Emerging Threat action within the Risk Ledger platform, allowing you to gain visibility into their assessment of exposure to this threat and any treatment they are applying.
Note: Risk Ledger’s search function, https://app.riskledger.com/c/answer-search (Beta), enables authenticated Risk Ledger clients to search their suppliers’ answer notes for key phrases, e.g. ‘Ivanti’.
This is an ongoing situation and information will likely be continually updated. The Ivanti advisory contains their latest information and links to tools and patches to aid in investigation and mitigation:
Official Ivanti Security Advisory (CVE-2025-0282, CVE-2025-0283)
Mandiant has published a detailed technical analysis of the vulnerabilities and the tools used in exploitation. Additional context on historical exploits is also provided:
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation
Advisories from NCSC and CISA:
https://www.ncsc.gov.uk/news/active-exploitation-ivanti-vulnerability