U.S. software giant Ivanti has issued a warning to its customers about a critical zero-day vulnerability in its widely-used enterprise VPN appliance, which has been exploited by hackers to compromise the networks of its corporate customers. The vulnerability, tracked as CVE-2025-0282, can be exploited without any authentication to remotely plant malicious code on Ivanti's Connect Secure, Policy Secure, and ZTA Gateways products.

Ivanti's Connect Secure remote-access VPN solution is reportedly the most widely adopted SSL VPN by organizations of every size, across every major industry. This is not the first time Ivanti's products have been targeted by hackers; last year, the company pledged to overhaul its security processes after hackers targeted vulnerabilities in several of its products to launch mass-hacks against its customers.

The company became aware of the latest vulnerability after its Ivanti Integrity Checker Tool (ICT) flagged malicious activity on some customer appliances. In an advisory post published on Wednesday, Ivanti confirmed that threat actors were actively exploiting CVE-2025-0282 "as a zero-day," meaning the company had no time to fix the vulnerability before it was discovered and exploited.

Ivanti said a patch is currently available for Connect Secure, but patches for Policy Secure and ZTA Gateways – neither of which have confirmed exploitability – won't be released until January 21. The company also discovered a second vulnerability, tracked as CVE-2025-0283, which has not yet been exploited.

Incident response firm Mandiant, which discovered the vulnerability along with researchers at Microsoft, said in a blog post published late Wednesday that its researchers had observed hackers exploiting the Connect Secure zero-day as early as mid-December 2024. Mandiant suspects a China-linked cyberespionage group – tracked by its designations UNC5337 and UNC5221 – is behind the exploitation, although it cannot attribute it with certainty.

Ben Harris, CEO of security research firm watchTowr Labs, told TechCrunch that the company has seen "widespread impact" as a result of this latest Ivanti VPN flaw and has "been working with clients all day to make sure they're aware." Harris added that this vulnerability is of significant concern as the attacks have "all the hallmarks of [an advanced persistent threat] usage of a zero-day against a mission-critical appliance," and urged everyone to "please take this seriously."

The U.K.'s National Cyber Security Centre said in an advisory that it was "investigating cases of active exploitation affecting U.K. networks." U.S. cybersecurity agency CISA also added the vulnerability to its catalog of known-exploited vulnerabilities. Ivanti has not disclosed how many of its customers are affected by the hacks or who is behind the intrusions, despite requests for information from TechCrunch.

This latest vulnerability highlights the ongoing struggle of enterprise software companies to secure their products against sophisticated cyber threats. As the attack surface continues to expand, companies like Ivanti must prioritize security and transparency to protect their customers from the ever-evolving threat landscape.