Cybersecurity | 8 Jan 2025 | 3m | cisa.gov

Ivanti Strengthens Cybersecurity with Latest Updates for Key Products

Ivanti has issued essential security updates for its Connect Secure, Policy Secure, and ZTA Gateways to combat vulnerabilities and emerging malware risks. The updates are vital for organizations to enhance their cybersecurity measures.

Key Takeaways

  • 1. "A cyber threat actor could exploit CVE-2025-0282 to take control of an affected system." The need for these updates was underscored by the emergence of a new malware variant known as RESURGE.
  • 2. In one of their communications, CISA stated, "This is a significant risk that organizations need to address immediately to protect their systems." As a proactive measure, organizations are urged by CISA to engage in extensive threat hunting activities.
  • 3. "For the highest level of confidence, conduct a factory reset," CISA reiterated in their advisory.

Ivanti has announced crucial security updates for its Connect Secure, Policy Secure, and ZTA Gateways aimed at addressing newly identified vulnerabilities. The updates address two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, which could be exploited by cyber threat actors. The Cybersecurity and Infrastructure Security Agency (CISA) has recognized the urgency of these updates, noting that CVE-2025-0282 has been added to its Known Exploited Vulnerabilities Catalog following evidence of active exploitation. "A cyber threat actor could exploit CVE-2025-0282 to take control of an affected system," an official statement emphasized.

The need for these updates was underscored by the emergence of a new malware variant known as RESURGE. CISA has since updated its guidance, adapting measures to ensure that organizations can effectively manage and mitigate the risks posed by this variant. In one of their communications, CISA stated, "This is a significant risk that organizations need to address immediately to protect their systems."

As a proactive measure, organizations are urged by CISA to engage in extensive threat hunting activities. "Conduct threat hunting actions on any systems connected to—or recently connected to—the affected Ivanti device," CISA recommended. This involves running an external Integrity Checker Tool (ICT) and following Ivanti’s specific instructions to ensure thorough examination and remediation of potential vulnerabilities.

If threat hunting yields conclusive results indicating no compromise, a factory reset is suggested. For cloud and virtual systems, the protocol recommends using an external known clean image of the device. This step aims to restore systems to a secure state, minimizing residual threats.

Conversely, if compromise is detected, organizations are instructed to follow a strict protocol that includes conducting a factory reset and revoking any exposed credentials, keys, and passwords. "For the highest level of confidence, conduct a factory reset," CISA reiterated in their advisory. They also stressed the importance of resetting local user passwords, API keys, and administrative enable passwords to safeguard sensitive data.

Organizations utilizing cloud or hybrid setups have been specifically cautioned to disable affected devices in the cloud to invalidate device tokens. CISA advises, "Reset passwords twice for on-premise accounts and revoke Kerberos tickets in conjunction with cloud token management for maximum security."

In addition to these precautions, CISA requests that organizations report any incidents or unusual activities to its Operations Center. They provide contact information and request specific details about the incident to ensure swift and effective response actions. "Organizations should report incidents and anomalous activity directly to CISA," they stated, highlighting the collaborative effort necessary to tackle cybersecurity challenges.

With rapidly evolving threats in the cybersecurity landscape, these updates from Ivanti and the guidelines from CISA serve as a critical framework for organizations to enhance their defenses. The updates not only address known vulnerabilities but also lay the groundwork for safeguarding against emerging threats. CISA's emphasis on immediate action reflects the urgency inherent in today’s digital world, where cyberattacks pose significant risks to businesses and individuals alike. By implementing these recommendations, organizations can bolster their security posture in the face of increasingly sophisticated cyber threats.