A major cybersecurity incident has come to light, with more than 370 Ivanti Connect Secure (ICS) devices reportedly compromised through the exploitation of a zero-day vulnerability, CVE-2025-0282.
This alarming development, revealed by the shadowserver.org security analysts, highlights escalating risks tied to enterprise VPN solutions as attackers increasingly target VPN gateways to infiltrate corporate networks.
According to a notice shared by the Shadowserver Foundation on social media, 379 new backdoored Ivanti Connect Secure devices were identified on January 22, 2025.
We are sharing backdoored Ivanti Connect Secure devices that *may* have been compromised as part of a CVE-2025-0282 exploitation campaign (but also we believe may include older or other activity).
— The Shadowserver Foundation (@Shadowserver) January 23, 2025
379 new backdoored instances found on 2025-01-22: https://t.co/D8qUuPY5EF pic.twitter.com/tX6wmRt4a8
.png
)
These devices are believed to be part of an active exploitation campaign leveraging CVE-2025-0282, though Shadowserver has noted that some compromises may also be linked to previously known vulnerabilities or older attack activities.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
This zero-day vulnerability underscores the importance of robust cybersecurity measures and timely patching in safeguarding critical enterprise infrastructure.
Ivanti Connect Secure, a widely used VPN solution, is pivotal for remote access in many organizations, making it a prime target for attackers seeking to compromise sensitive networks.
Details of Exploitation
CVE-2025-0282 is reported to be a critical vulnerability that enables attackers to bypass authentication and deploy malware or backdoors onto vulnerable devices.
Once these devices are compromised, malicious actors can use these footholds to move laterally within networks, exfiltrate data, or launch additional cyberattacks.
Shadowserver’s findings indicate that the latest wave of attacks may involve the pre-installation of persistent backdoors on Ivanti Connect Secure devices.
Such backdoors provide attackers with continuous access to victims’ systems, even after vulnerabilities are patched, enabling long-term exploitation.
The compromised devices were found across multiple regions, underlining the global scale of this growing cyber threat.
As VPN solutions are often used by enterprises, government agencies, and other critical organizations, the breach raises concerns about the potential exposure of sensitive data and systems.
Security experts are urging organizations to check their Ivanti devices for signs of unauthorized access or backdoor installations.
Ivanti has yet to release an official statement regarding the vulnerability. Security researchers strongly advise organizations using Ivanti Connect Secure to remain vigilant, monitor their devices for unusual activity, and apply any available updates or patches.
This incident is a stark reminder of the constantly evolving nature of the cybersecurity landscape.
Enterprises must adopt a proactive stance, employing threat detection tools, regular vulnerability assessments, and timely updates to ensure that critical systems remain secure against emerging threats.
“The facts as we know them remain consistent with our 8 January disclosure. We encourage focusing on verified facts to ensure accurate reporting.” Ivanti spokesperson told Cyber Security.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar
 devices reportedly compromised.){kind=link}