Connect Secure - RCE (CVE-2025-0282)

CVE-2025-0282 is a critical stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways, allowing remote unauthenticated attackers to execute arbitrary code on affected systems. This flaw could be exploited to gain full control over the targeted devices, potentially leading to data breaches, system compromise, or further attacks within the network.

CrowdSec has been tracking this vulnerability and its exploits since 15th of October 2025.

CrowdSec network data shows that most actors exploiting CVE-2025-0282 rely on broad, untargeted scans with minimal filtering. The activity is largely automated and opportunistic in nature. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2025-0282 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2025-0282 continues to be an active part of the threat landscape and will likely remain this way for the forseeable future.

Attackers exploit this vulnerability by sending crafted POST requests to the /dana-na/auth/url_default/welcome.cgi endpoint, often containing large or unusual payloads designed to achieve remote code execution or upload web shells.