Ivanti Devices Hacked By Attackers

January 25, 2025

Researchers tracking a recently disclosed zero-day vulnerability in Ivanti Connect Secure say hundreds of instances may have been compromised through exploits of CVE-2025-0282. Shadowserver scans identified 379 new backdoored instances on Wednesday.

Ivanti did not say how many devices were compromised via CVE-2025-0282 exploits or remain unpatched. The company encourages focusing on verified facts to ensure accurate reporting.

Actively exploited vulnerabilities in Ivanti products are a recurring problem for the vendor’s customers. Multiple attack sprees during the last year targeted zero-day vulnerabilities in Ivanti Connect Secure, Ivanti Cloud Service Appliance and Ivanti Endpoint Manager. The Cybersecurity and Infrastructure Security Agency has added 12 Ivanti CVEs to its known exploited vulnerabilities catalog since Jan. 1, 2024.

It’s difficult to quantify the exact number of Ivanti Connect Secure instances compromised via the latest zero day affecting the VPN product. Some of the backdoors found by Shadowserver scans could be attributed to other malicious activity. Ivanti Connect Secure customers running versions affected by CVE-2025-0282 resolved the issue relatively fast compared to previous vulnerabilities in the same product.

Yet, the number of Ivanti Connect Secure devices running a version vulnerable to CVE-2025-0282 remains high. Excluding honeypots, Censys found 13,954 Ivanti Connect Secure devices exposed and unpatched. Censys detected nearly 33,000 Ivanti Connect Secure devices publicly exposed to the internet.

This is a serious situation. Exploitation has been going on for around two months, patching appears to be slow, and prominent organizations are being breached. Considering the repeated history of critical security flaws and global incidents tied to Ivanti devices, there’s increasingly little justification for using them from a security standpoint.

While Shadowserver’s findings aren’t definitive with respect to which vulnerabilities are responsible for the compromised instances it found this week, the number of backdoored Ivanti Connect Secure devices is likely even higher. Compromising a VPN appliance on the network edge not only gives an attacker a gateway into your network but often gives the attacker access to user credentials that help them move deeper into the compromised network. As such, this is a very serious incident.

Ivanti and researchers tracking CVE-2025-0282 urge organizations to patch any versions of Ivanti Connect Secure affected by the vulnerability. The patched version successfully remediates the root cause of the vulnerability.

About Author
Edvis