CVE-2025-0283 was disclosed alongside CVE-2025-0282 and described by NVD as a stack-based buffer overflow leading to local privilege escalation.
- Vendor advisory: Ivanti security update for CVE-2025-0282 / CVE-2025-0283
- NVD entry for CVE-2025-0283

CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities (KEV) catalogue on 8 January 2025 and later published dedicated mitigation instructions.
- CISA KEV alert for CVE-2025-0282
- CISA mitigation instructions for CVE-2025-0282

Observed behaviours (from Mandiant’s published findings) map to ATT&CK techniques including:
- Initial access via public-facing application: T1190
- Command and scripting on appliance: T1059
- Web shell capability embedded into legitimate CGI components: T1505.003
- Defence evasion via log tampering: T1070.002
- Impair defences (e.g., blocking syslog forwarding / disabling SELinux): T1562.001
- Modify authentication process (attackers altered authentication-related components such as restAuth.cgi): T1556
- Persistence via modification of upgrade mechanisms and system components: T1543 (and related “modify system process” patterns)

Vendor & Government Advisories
- Ivanti security update for CVE-2025-0282 / CVE-2025-0283
- CISA KEV alert: CVE-2025-0282
- CISA mitigation instructions: CVE-2025-0282
- NHS England cyber alert CC-4602

Threat Intelligence & Technical Deep Dives
- Mandiant: Ivanti Connect Secure targeted in CVE-2025-0282 exploitation
- Unit 42 threat brief: CVE-2025-0282 / CVE-2025-0283
- FortiGuard IPS encyclopaedia: CVE-2025-0282 detection

Incident Reporting (Nominet)
- ISPreview: Nominet suffers cyber attack (Ivanti zero-day linkage)
- The Register: Nominet investigates intrusion linked to Ivanti zero-day
- BleepingComputer: Nominet confirms breach via Ivanti zero-day
