
Exploitation of New Ivanti VPN Zero-Day Linked to Chinese Cyberspies


Google Cloud’s Mandiant has linked the exploitation of a newly patched Ivanti VPN zero-day vulnerability to Chinese cyberspies.

Ivanti alerted customers on Wednesday that two vulnerabilities, tracked as CVE-2025-0282 and CVE-2025-0283, have been patched in its Connect Secure (ICS) VPN appliances.

CVE-2025-0282, a critical stack-based buffer overflow that allows unauthenticated remote attackers to execute arbitrary code, has been exploited in the wild against a limited number of customers, Ivanti warned. The company did not share any details on these attacks, except to say that compromise was identified using its Integrity Checker Tool (ICT) and commercial security monitoring tools.

However, Mandiant, which has been working with Ivanti on investigating the attacks, revealed that exploitation has been linked to Chinese threat actors. Mandiant started seeing exploitation of CVE-2025-0282 in mid-December 2024.

Mandiant said it’s currently unable to attribute the exploitation of CVE-2025-0282 to a specific threat actor. However, the company noticed ...


Copyright of this story solely belongs to SecurityWeek.