Hackers Are Exploiting a New Ivanti VPN Security Bug To Hack Into Company Networks (techcrunch.com)
U.S. software giant Ivanti has warned that a zero-day vulnerability in its widely-used enterprise VPN appliance has been exploited to compromise the networks of its corporate customers. From a report: Ivanti said on Wednesday that the critical-rated vulnerability, tracked as CVE-2025-0282, can be exploited without any authentication to remotely plant malicious code on Ivanti's Connect Secure, Policy Secure, and ZTA Gateways products. Ivanti says its Connect Secure remote-access VPN solution is "the most widely adopted SSL VPN by organizations of every size, across every major industry."
This is the latest exploited security vulnerability to target Ivanti's products in recent years. Last year, the technology maker pledged to overhaul its security processes after hackers targeted vulnerabilities in several of its products to launch mass-hacks against its customers. The company said it became aware of the latest vulnerability after its Ivanti Integrity Checker Tool (ICT) flagged malicious activity on some customer appliances.
Correction (Score:4)
Last year, [Ivanti] pledged to overhaul its security processes after hackers targeted vulnerabilities in several of its products to launch mass-hacks against its customers.
Last year, Ivanti lied to its customers about securing their products.
In terms of scale and complexity (Score:5, Interesting)
In terms of scale and complexity - TLS VPN gateways are not exactly the peak of enterprise IT product engineering.
Yet it seems like there is an RCE or authentication bypass in one of the majors at least once a year. It is hard not to go all tinfoil hat and think it is intentional.
Re: (Score:3)
TLS VPNs are the nasty evil of VPNs and they're quite complex because they offer 3 ways of remote access.
First, you can often go to them via a web browser and access files and remote access via the browser (u
Re: (Score:2)
So they basically converted a relatively simple task "provide firewall service with VPN access to authenticated clients" into a massive product with giant security surface area, and instead of extended security they got repeated pwnage. This is not exactly new: Witty.A worm ravaged through BlackICE firewall [schneier.com] 20 years ago. Number of RCEs in OpenBSD's pf in that time: zero.
"But OpenBSD's pf can't do shit, BlackICE/Cisco/Ivanti has XYZ feature and corporate world really needs this!!!"
Right ....
Re: (Score:3)
It is a corporate VPN solution it isn't even in the same general market space as any of the things you mentioned.
This is for connecting to your network remotely (Score:2)
This is a device you put on your network so you can establish a VPN connection to your network from elsewhere on the Internet. This allows you to access servers not exposed to the Internet directly, etc. These things are more important than ever with remote work (supposedly) being all the rage.
The services you listed are VPNs for obscuring your IP address when accessing services on the Internet. That isn't even close to the same thing.
You could at least list other products in the same space, e.g. Cisco A
Buffer overflows in 2025? (Score:2)
I thought code analysis had fixed all buffer overflows by now?
If your company still uses Ivanti VPN products (Score:1)
and are not in the process of moving away from them, you need to leave and find another job. Our organization has lost all trust in Ivanti after the shitshow last year with their VPN and other products as well. Ivanti is an example of what happens when the big fish gobbles up the little fish, and continues selling the same product without maintaining/updating the code.
Defense in depth.. (Score:3)
The company said it became aware of the latest vulnerability after its Ivanti Integrity Checker Tool (ICT) flagged malicious activity on some customer appliances.
I am not going to say defense in depth is the wrong approach, because it certainly isn't. However, this looks like another good example where someone put a lot of engineering and analysis into adding layers, where if they'd spent half the energy doing basic block and tackle work - are all the authentication and authorization procedures/checks correct, are all the authA/Z assumptions reliable, code audits for fundamental problems (memory safety etc), made sure the SAST tools say everything is squeaky clean or have a solid understanding of why the stuff they don't like is actually ok - they could avoid a lot of these major black eyes and deliver a more secure product.
Nobody wants to actually make sure anything is 'correct' these days they just want to bolt on some extra layers of telemetry and heuristics and paper over the stuff that should be reliable enough in the first place it does need to be watched.
Not surprised (Score:2)
When the product was Pulse Secure it was junk.
Fortinet has unofficially given up (Score:2)
Fortinet went through all this a couple of years ago. They finally realized that there is a standard protocol for VPN. The recommendation is that you use their SAML gateway to get a temporary IPSEC secret, and then stick with the tried-and-trusted IPSEC protocol.
I wonder if other vendors will do the same.