
Nominet, the UK domain registry, hacked using Ivanti zero-day vulnerability

The number of internet-facing Ivanti Connect Secure instances vulnerable to attack via CVE-2025-0282 has decreased significantly over the past four days, dropping from 2,048 to 800, as reported by the Shadowserver Foundation today. This decline in vulnerable instances indicates that organizations are actively working to address and patch the security issue to prevent potential exploitation.

Meanwhile, the UK domain registry Nominet has become the first publicly known victim of attackers exploiting the recently patched Ivanti zero-day vulnerability. Nominet reported suspicious activity on its network in early January 2025, which led to the discovery of unauthorized access through a zero-day vulnerability in Ivanti's VPN software. Despite this intrusion, Nominet has not found any evidence of data breaches or unauthorized access within its network. The registry has taken swift action by implementing the patches provided by Ivanti and enhancing security measures to prevent future attacks.

The CVE-2025-0282 zero-day vulnerability, a stack-based buffer overflow flaw, allowed unauthenticated attackers to breach VPN appliances utilized by several organizations. These attackers could then install various types of malware, manipulate the appliances, conduct network reconnaissance, and move laterally within the network. Security researchers have linked these attacks to Chinese threat actors who have a history of exploiting Ivanti Connect Secure vulnerabilities.

Mandiant researchers have provided guidance on mitigating the risk of exploitation, investigating potential compromises, and remediating any positive findings related to this vulnerability. Ivanti and the Cybersecurity and Infrastructure Security Agency (CISA) have also issued advisories on addressing the CVE-2025-0282 vulnerability to prevent further attacks and protect organizations from potential breaches.

In response to the security incident, watchTowr Labs researchers have conducted an in-depth analysis of the CVE-2025-0282 vulnerability, publishing a detailed technical report on the exploitation techniques involved. They have refrained from releasing their proof-of-concept exploit until January 16, giving organizations time to patch their systems and secure their networks. Ivanti is actively working on patches for Policy Secure and ZTA gateways to address any vulnerabilities present in those solutions. While these patches are still in development, Ivanti has stated that these solutions are not currently being targeted by attackers because of their unique security measures.

Overall, the decrease in the number of vulnerable Ivanti Connect Secure instances and the proactive response from organizations like Nominet demonstrate the importance of timely security measures in protecting against cyber threats. By addressing vulnerabilities promptly and implementing robust security protocols, organizations can safeguard their networks and data from malicious actors seeking to exploit weaknesses in their systems.
