SecurityWeek

Many Ivanti VPNs Still Unpatched as UK Domain Registry Emerges as Victim of Exploitation

Many Ivanti VPNs are still exposed to attacks exploiting a recent vulnerability tracked as CVE-2025-0282 and Nominet has been named as a victim.

A significant number of Ivanti VPNs are still exposed to attacks exploiting a recent vulnerability, and the UK domain registry Nominet has emerged as a victim of exploitation. 

Ivanti recently released patches for its Connect Secure VPN appliances to address CVE-2025-0282, a critical zero-day that allows remote, unauthenticated attackers to execute arbitrary code.

When it announced fixes, Ivanti warned that CVE-2025-0282 had been exploited in the wild against a limited number of customers, and Mandiant, which assisted the company’s investigation, discovered evidence suggesting that Chinese cyberspies were behind the attacks.

However, Mandiant, which has seen attacks since mid-December 2024, noted that it’s possible the vulnerability has been exploited by more than one threat group. 

While it had been unclear who was targeted in the attacks, one victim appears to be Nominet, which is the official registry for .uk domain names. 

In notifications sent to customers last week — a copy of which was obtained by ISPreview — Nominet said it became aware of suspicious activity on its network in the first days of January. 

An investigation showed that the attackers’ entry point was an Ivanti VPN used by its staff to remotely access systems. The attacks involved exploitation of a zero-day vulnerability, Nominet pointed out. 

“However, we currently have no evidence of data breach or leakage,” Nominet told customers, adding, “As you will recognise, these incidents are always fast-moving and require investigation – but we have NOT uncovered any backdoors or routes onto our network.”

It’s unclear what the attackers were after, but the timeline indicates that the vulnerability was exploited against Nominet before Ivanti announced the availability of patches, which means the UK domain registry may have been targeted in the initial zero-day attacks. 

At around the time of Nominet’s notification to customers, the UK government urged organizations to take immediate action to address the exploited Ivanti vulnerability.

The Shadowserver Foundation reported on Monday that it had seen roughly 800 internet-exposed Ivanti Connect Secure systems that appeared to be impacted by CVE-2025-0282. The number dropped from approximately 2,000 instances seen on January 9. 

Attack surface management firm Censys, however, on Monday reported seeing over 12,000 potentially vulnerable Connect Secure instances exposed to the web. 

UPDATE: In a statement sent to SecurityWeek, an Ivanti spokesperson said:

“Upon identifying the vulnerabilities through our Integrity Checker Tool (ICT), Ivanti rapidly developed and released a patch within weeks for Ivanti Connect Secure, the only product where limited exploitation has been observed. Consistent with our commitment to supporting customers, we are working closely with Nominet and the relevant authorities to provide all necessary support. We strongly urge all customers to follow the guidance outlined in our security advisory to ensure their systems are protected.

We appreciate the trust our customers place in us. We are committed to their security and to continuously improving our products and processes, in collaboration with the broader security ecosystem.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
