Five Latest Updates On The 2025 Ivanti VPN Attacks
A domain registry provider is the first company to acknowledge a compromise related to the cyberattacks, which have exploited a critical vulnerability in Ivanti Connect Secure.
Ivanti has released a new version of its scanning tool to assist with the response to attacks exploiting a critical VPN vulnerability, while the first organization has publicly disclosed falling victim to the attacks.
Attacks exploiting the critical-severity vulnerability in Ivanti’s Connect Secure VPN may be connected to a China-based espionage group, researchers at Mandiant said last week.
[Related: 10 Major Ransomware Attacks And Data Breaches In 2024]
The critical Connect Secure vulnerability (tracked as CVE-2025-0282) and a high-severity vulnerability in the same appliances (tracked as CVE-2025-0283), which has not seen exploitation so far, were disclosed Jan. 8 by Ivanti.
The critical vulnerability can be exploited to remotely execute code without authentication, while the high-severity flaw can be used by a local attacker to escalate privileges, Ivanti has said.
Ivanti, a provider of IT and security software, acquired the technology behind Connect Secure through its purchase of Pulse Secure in 2020.
What follows are the five latest things to know about the Ivanti VPN attacks.
Customer Confirms Incident
The first organization to acknowledge being impacted in the Connect Secure attacks is Nominet, a U.K.-based domain registry provider.
In a Jan. 8 email to customers, provided by Nominet to CRN, the company said that it was investigating an “ongoing security incident” caused by the exploitation of a zero-day Ivanti vulnerability.
“The entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely,” Nominet said in the email to customers. “However, we currently have no evidence of data breach or leakage.”
In a statement provided to CRN Monday, Ivanti said that it is “working closely with Nominet and the relevant authorities to provide all necessary support.”
The company’s advisory, which was updated as of Monday, indicates that a “limited number of customers’ Ivanti Connect Secure appliances” have been impacted in the attacks exploiting the critical vulnerability.
New Scanning Tool Released
On Friday, Ivanti released a new version of its external Integrity Checker Tool (ICT) to address a shortcoming in the previous release.
The new tool, version ICT-V22725 (build 3819), resolves the problem that the previous tool “only worked on the most recent [software] version,” Ivanti said in an update to its security advisory Friday.
Ivanti has said that customers should perform a scan with the tool and then can upgrade to Ivanti Connect Secure 22.7R2.5 if they receive a “clean internal and external ICT scan.”
Customers whose scan “shows signs of compromise” should factory reset the VPN appliance before putting it back online with version 22.7R2.5, the company said. The order matters: upgrading an already-compromised appliance without a reset does not remove an attacker's foothold, which is why Ivanti asks for the scan before the upgrade.
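The scan-then-act procedure above maps naturally onto a triage pass over an appliance inventory. The following is an added example, not code from Ivanti or from the article, that parses Connect Secure version strings (the `MAJOR.MINOR R RELEASE[.PATCH]` shape of `22.7R2.5` is assumed from the version names quoted on this page), compares each against the fixed release, and combines that with the ICT result to produce the action the advisory calls for. The hostnames and versions in the sample inventory are constructed for illustration.

```python
import re
from typing import NamedTuple

# Release the advisory names as fixed for Connect Secure (from the article).
FIXED_VERSION = "22.7R2.5"


class IvantiVersion(NamedTuple):
    major: int
    minor: int
    release: int
    patch: int


# Assumed format: MAJOR.MINOR "R" RELEASE, optionally ".PATCH" (e.g. 22.7R2.5, 22.7R2).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> IvantiVersion:
    """Parse a Connect Secure version string into a comparable tuple.

    A missing patch component is treated as patch 0, so '22.7R2' sorts
    below '22.7R2.1'. Anything else is rejected rather than guessed at.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return IvantiVersion(int(major), int(minor), int(release), int(patch or 0))


def is_below_fix(version: str) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def recommended_action(version: str, ict_clean: bool) -> str:
    """Map (installed version, ICT result) to the response the advisory describes.

    A failed ICT scan wins over the version check: an appliance that already
    runs 22.7R2.5 but shows signs of compromise still needs the factory reset,
    because patching does not evict an attacker who got in before the patch.
    """
    if not ict_clean:
        return "factory reset, then redeploy on 22.7R2.5"
    if is_below_fix(version):
        return "upgrade to 22.7R2.5"
    return "already on 22.7R2.5; keep scanning with ICT"


# Constructed sample inventory: (hostname, running version, ICT scan clean?)
SAMPLE_INVENTORY = [
    ("vpn-a.example", "22.7R2.3", True),
    ("vpn-b.example", "22.7R2", False),
    ("vpn-c.example", "22.7R2.5", True),
    ("vpn-d.example", "22.7R2.5", False),
]


def triage(inventory):
    """Return {hostname: action} for every appliance in the inventory."""
    return {host: recommended_action(ver, clean) for host, ver, clean in inventory}


if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```

Feeding this the real ICT output requires mapping the tool's own verdict into the boolean; the example deliberately takes that as an input rather than parsing ICT output, whose format the article does not describe.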
Fixes For Policy Secure, ZTA Gateways Planned
While the patches for Connect Secure are available, software fixes for other products impacted by the vulnerabilities are in the works, according to Ivanti.
Patches addressing the two vulnerabilities in Ivanti Policy Secure and Ivanti Neurons for ZTA gateways are planned for Jan. 21, the company said in its advisory.
Notably, however, Policy Secure “is not intended to be internet-facing, which makes the risk of exploitation significantly lower,” Ivanti said.
As for Ivanti Neurons for ZTA, the gateways “cannot be exploited when in production,” the company said. Ivanti's advisory adds the caveat that a gateway that has been generated but left unconnected to a ZTA controller does remain at risk of exploitation.
Ivanti said it’s not aware that either product has seen exploitation so far in connection with the two recently disclosed vulnerabilities.
Attacks Began In December
Exploitation of the critical vulnerability in Ivanti Connect Secure began at least as far back as December, researchers at Mandiant wrote in a post Jan. 9.
Mandiant, a Google Cloud-owned cybersecurity specialist, has been working with victims impacted by the exploitation of the critical vulnerability, the researchers said.
“Mandiant has identified zero-day exploitation of CVE-2025-0282 in the wild beginning mid-December 2024,” the researchers said. “Mandiant is currently performing analysis of multiple compromised Ivanti Connect Secure appliances from multiple organizations.”
After initially identifying the vulnerabilities, Ivanti said that it “rapidly developed and released a patch within weeks for Ivanti Connect Secure, the only product where limited exploitation has been observed.”
“We strongly urge all customers to follow the guidance outlined in our security advisory to ensure their systems are protected,” the company said in its statement Monday.
China Links Pinpointed
Malware used during the attacks shows possible links to a China-based threat actor, the Mandiant researchers disclosed.
According to Mandiant, at least one of the compromised appliances it examined was infected with a malware family known as “SPAWN,” which in the past has been exclusively connected to a China-based threat actor tracked as UNC5337.
And notably, UNC5337 may be a part of the same espionage-focused hacking operation held responsible for the widespread Ivanti Connect Secure compromises in early 2024, the researchers said.
That group, tracked as UNC5221, is believed to have compromised thousands of Ivanti VPN devices during the wave of attacks a year ago, with the list of victims including the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Mandiant “suspects with medium confidence that UNC5337 is part of UNC5221,” the researchers said in the post.