Ivanti Flaw CVE-2025-0282 Actively Exploited, Impacts Connect Secure and Policy Secure
Ivanti is warning that a critical security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA Gateways has come under active exploitation in the wild beginning mid-December 2024.
The security vulnerability in question is CVE-2025-0282 (CVSS score: 9.0), a stack-based buffer overflow that affects Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3.
“Successful exploitation of CVE-2025-0282 could lead to unauthenticated remote code execution,” Ivanti said in an advisory. “Threat actor activity was identified by the Integrity Checker Tool (ICT) on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix.”
Also patched by the company is another high-severity flaw (CVE-2025-0283, CVSS score: 7.0) that allows a locally authenticated attacker to escalate their privileges. The vulnerabilities, addressed in version 22.7R2.5, impact the following versions:
- CVE-2025-0282 – Ivanti Connect Secure 22.7R2 through 22.7R2.4, Ivanti Policy Secure 22.7R1 through 22.7R1.2, and Ivanti Neurons for ZTA gateways 22.7R2 through 22.7R2.3
- CVE-2025-0283 – Ivanti Connect Secure 22.7R2.4 and prior, 9.1R18.9 and prior, Ivanti Policy Secure 22.7R1.2 and prior, and Ivanti Neurons for ZTA gateways 22.7R2.3 and prior
Ivanti has acknowledged that it’s aware of a “limited number of customers” whose Connect Secure appliances have been exploited due to CVE-2025-0282. There is currently no evidence that CVE-2025-0283 is being weaponized.
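The version ranges listed above are fiddly to compare by hand across a fleet, so here is an added helper (not Ivanti's code or tooling) that parses Ivanti-style version strings and reports which of the two CVEs apply to a given product build. It encodes only the ranges given in this summary; reading "and prior" as "earlier builds of the same X.Y release train" is an assumption made here, and the inventory lines in the demo are constructed.

```python
import re
from typing import List, Tuple

# Parses Ivanti-style version strings such as "22.7R2.4" or "9.1R18.9" into a
# comparable (major, minor, release, patch) tuple; "22.7R2" gets patch 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(s: str) -> Tuple[int, int, int, int]:
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {s!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

# Affected ranges exactly as listed in the summary above (both bounds inclusive).
# A lower bound of None stands for "and prior".
AFFECTED = {
    "CVE-2025-0282": {
        "Connect Secure": [("22.7R2", "22.7R2.4")],
        "Policy Secure": [("22.7R1", "22.7R1.2")],
        "ZTA Gateways": [("22.7R2", "22.7R2.3")],
    },
    "CVE-2025-0283": {
        "Connect Secure": [(None, "22.7R2.4"), (None, "9.1R18.9")],
        "Policy Secure": [(None, "22.7R1.2")],
        "ZTA Gateways": [(None, "22.7R2.3")],
    },
}

def is_affected(cve: str, product: str, version: str) -> bool:
    v = parse_version(version)
    for low, high in AFFECTED[cve][product]:
        hi = parse_version(high)
        # Assumption (not stated by the advisory): "and prior" means earlier builds
        # of the same X.Y train, so 9.1R18.10 is not swept in by the 22.7R2.4 bound.
        lo = parse_version(low) if low else (hi[0], hi[1], 0, 0)
        if lo <= v <= hi:
            return True
    return False

def check(product: str, version: str) -> List[str]:
    """Return the CVE ids from the summary that apply to product/version."""
    return [cve for cve in AFFECTED if is_affected(cve, product, version)]

if __name__ == "__main__":
    # Constructed inventory lines (hypothetical appliances, not from the page).
    for product, version in [("Connect Secure", "22.7R2.4"), ("Connect Secure", "22.7R2.5"),
                             ("Policy Secure", "22.7R1.2"), ("Connect Secure", "9.1R18.9")]:
        print(f"{product} {version}: {check(product, version) or 'not affected'}")
```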
Source: The Hacker News / BleepingComputer / Dark Reading / SecurityWeek / Infosecurity Magazine / Help Net Security
Link: https://thehackernews.com/2025/01/ivanti-flaw-cve-2025-0282-actively.html
Link: https://www.darkreading.com/vulnerabilities-threats/china-unc5337-critical-ivanti-rce-bug
Link: https://www.securityweek.com/ivanti-warns-of-new-zero-day-attacks-hitting-connect-secure-product/
Link: https://www.infosecurity-magazine.com/news/critical-ivanti-zeroday-exploited/
SonicWall urges admins to patch exploitable SSLVPN bug immediately
SonicWall is emailing customers urging them to upgrade their firewall’s SonicOS firmware to patch an authentication bypass vulnerability in SSL VPN and SSH management that is “susceptible to actual exploitation.”
In an email sent to SonicWall customers and shared on Reddit, the firewall vendor says the patches are available as of yesterday, and all impacted customers should install them immediately to prevent exploitation.
“We have identified a high (CVE Score 8.2) firewall vulnerability that is susceptible to actual exploitation for customers with SSL VPN or SSH management enabled and that should be mitigated immediately by upgrading to the latest firmware, which will be web-posted tomorrow, Jan 7th, 2025,” warns a SonicWall email sent to customers.
Source: BleepingComputer / SecurityWeek / SonicWall security advisory
Link: https://www.securityweek.com/sonicwall-patches-authentication-bypass-vulnerabilities-in-firewalls/
Link: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003
New Banshee Stealer Variant Bypasses Antivirus with Apple’s XProtect-Inspired Encryption
Cybersecurity researchers have uncovered a new, stealthier version of a macOS-focused information-stealing malware called Banshee Stealer.
“Once thought dormant after its source code leak in late 2024, this new iteration introduces advanced string encryption inspired by Apple’s XProtect,” Check Point Research said in a new analysis shared with The Hacker News. “This development allows it to bypass antivirus systems, posing a significant risk to over 100 million macOS users globally.”
The cybersecurity company said it detected the new version in late September 2024, with the malware distributed using phishing websites and fake GitHub repositories under the guise of popular software such as Google Chrome, TradingView, Zegent, Parallels, Solara, CryptoNews, MediaKIT, and Telegram.
Source: The Hacker News / BleepingComputer / Dark Reading / SecurityWeek / Help Net Security
Link: https://thehackernews.com/2025/01/new-banshee-stealer-variant-bypasses.html
Link: https://www.darkreading.com/threat-intelligence/banshee-malware-steals-apple-encryption-macs
Link: https://www.securityweek.com/banshee-macos-malware-expands-target-list/
Google Project Zero Researcher Uncovers Zero-Click Exploit Targeting Samsung Devices
Cybersecurity researchers have detailed a now-patched security flaw in the Monkey’s Audio (APE) decoder on Samsung smartphones that could lead to code execution.
The high-severity vulnerability, tracked as CVE-2024-49415 (CVSS score: 8.1), affects Samsung devices running Android versions 12, 13, and 14.
“Out-of-bounds write in libsaped.so prior to SMR Dec-2024 Release 1 allows remote attackers to execute arbitrary code,” Samsung said in an advisory for the flaw released in December 2024 as part of its monthly security updates. “The patch adds proper input validation.”
Google Project Zero researcher Natalie Silvanovich, who discovered and reported the shortcoming, described it as requiring no user interaction to trigger (i.e., zero-click) and a “fun new attack surface” under specific conditions.
Specifically, the flaw is reachable when Google Messages is configured for Rich Communication Services (RCS), the default configuration on Galaxy S23 and S24 phones, because the transcription service locally decodes incoming audio for transcription before the user has interacted with the message.
Source: The Hacker News
Link: https://thehackernews.com/2025/01/google-project-zero-researcher-uncovers.html
The evolution and abuse of proxy networks
As long as we’ve had the internet, users have tried to obfuscate how and what they are connecting to. In some cases, this is to work around restrictions put in place by governments, or out of a desire to access content that is not otherwise available in a given region.
This is why technologies like VPNs and The Onion Router (Tor) became popular: they allow users to easily access content without exposing their IP address or location. These technologies are intended to protect users and information, and have done a good job of doing so. However, adversaries have taken notice and are using proxy networks for malicious activities.
Source: Cisco Talos Intelligence Group
Link: https://blog.talosintelligence.com/the-evolution-and-abuse-of-proxy-networks/
Infostealers: An Overview
An infostealer is malicious software designed to infiltrate computer systems and extract valuable information from compromised devices. Unlike malware that announces itself with pop-ups or noticeably hampers system performance, these programs operate covertly to collect sensitive data.
For a shorter description, an infostealer is malware that covertly steals secret information from a computer.
Source: Secjuice