Vulnerabilities

Many Ivanti VPNs Still Unpatched as UK Domain Registry Emerges as Victim of Exploitation

Many Ivanti VPNs are still exposed to attacks exploiting a recent vulnerability tracked as CVE-2025-0282 and Nominet has been named as a victim.

Ivanti vulnerability exploited

A significant number of Ivanti VPNs are still exposed to attacks exploiting a recent vulnerability, and the UK domain registry Nominet has emerged as a victim of exploitation. 

Ivanti recently released patches for its Connect Secure VPN appliances to address CVE-2025-0282, a critical zero-day that allows remote, unauthenticated attackers to execute arbitrary code.

When it announced fixes, Ivanti warned that CVE-2025-0282 had been exploited in the wild against a limited number of customers, and Mandiant, which assisted the company’s investigation, discovered evidence suggesting that Chinese cyberspies were behind the attacks.

However, Mandiant, which has seen attacks since mid-December 2024, noted that it’s possible the vulnerability has been exploited by more than one threat group. 

While it had been unclear who was targeted in the attacks, one victim appears to be Nominet, which is the official registry for .uk domain names. 

In notifications sent to customers last week — a copy of which was obtained by ISPreview — Nominet said it became aware of suspicious activity on its network in the first days of January. 


An investigation showed that the attackers’ entry point was an Ivanti VPN used by its staff to remotely access systems. The attacks involved exploitation of a zero-day vulnerability, Nominet pointed out. 

“However, we currently have no evidence of data breach or leakage,” Nominet told customers, adding, “As you will recognise, these incidents are always fast-moving and require investigation – but we have NOT uncovered any backdoors or routes onto our network.”

It’s unclear what the attackers were after, but the timeline indicates that the vulnerability was exploited against Nominet before Ivanti announced the availability of patches, which means the UK domain registry may have been targeted in the initial zero-day attacks. 

At around the time of Nominet’s notification to customers, the UK government urged organizations to take immediate action to address the exploited Ivanti vulnerability.

The Shadowserver Foundation reported on Monday that it had seen roughly 800 internet-exposed Ivanti Connect Secure systems that appeared to be impacted by CVE-2025-0282. The number dropped from approximately 2,000 instances seen on January 9. 

Attack surface management firm Censys, however, on Monday reported seeing over 12,000 potentially vulnerable Connect Secure instances exposed to the web. 

UPDATE: In a statement sent to SecurityWeek, an Ivanti spokesperson said:

“Upon identifying the vulnerabilities through our Integrity Checker Tool (ICT), Ivanti rapidly developed and released a patch within weeks for Ivanti Connect Secure, the only product where limited exploitation has been observed. Consistent with our commitment to supporting customers, we are working closely with Nominet and the relevant authorities to provide all necessary support. We strongly urge all customers to follow the guidance outlined in our security advisory to ensure their systems are protected.

We appreciate the trust our customers place in us. We are committed to their security and to continuously improving our products and processes, in collaboration with the broader security ecosystem.”

Related: GFI KerioControl Firewall Vulnerability Exploited in the Wild

Related: CISA Warns of Mitel MiCollab Vulnerabilities Exploited in Attacks

Related: Palo Alto Networks Patches Firewall Zero-Day Exploited for DoS Attacks


Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
