UK domain registry Nominet breached via Ivanti zero-day
The number of internet-facing Ivanti Connect Secure instances vulnerable to attack via CVE-2025-0282 has fallen from 2,048 to 800 in the last four days, the Shadowserver Foundation shared today.
In the meantime, UK domain registry Nominet became the first publicly known victim of attackers exploiting the recently patched Ivanti zero-day.
CVE-2025-0282 zero-day attacks
CVE-2025-0282 is a stack-based buffer overflow vulnerability that allowed unauthenticated attackers to breach VPN appliances used by a number of (still publicly unidentified) organizations and leverage that access to:
- Install known and unknown malware
- Covertly tamper with the appliances, prevent them from being updated and make them look as if they have been updated
- Engage in network reconnaissance and lateral movement.
Mandiant researchers have tied the attacks to Chinese threat actors who have previously exploited Ivanti Connect Secure zero-days and, along with Ivanti and CISA, advised on how to mitigate the risk of exploitation, investigate potential compromises, and remediate in case of a positive finding.
The vulnerability – at the time, a zero-day flaw – was first spotted being exploited in mid-December 2024. Mandiant was unable to discern whether one or more groups had been leveraging CVE-2025-0282 to breach organizations.
A customer notice and a vulnerability deep-dive
According to the notice Nominet sent out to customers late last week, the registry became aware of suspicious activity on its network the week before that (i.e., the first week of January 2025).
“The entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely. The unauthorised intrusion into our network exploited a zero-day vulnerability,” the notice said, as reported by ISPreview.
The UK domain registry said that they are still investigating the intrusion, but so far they haven’t found evidence of a data breach or leakage, nor uncovered any backdoors or routes onto their network.
They also said that they have implemented the patches provided by Ivanti and have put additional safeguards in place.
In the meantime, watchTowr Labs researchers have published a two-part technical deep-dive into CVE-2025-0282, but are withholding their proof-of-concept (PoC) exploit until January 16.
Patches for Ivanti Policy Secure and ZTA gateways are still in the works, but Ivanti maintains that those solutions are not being targeted by attackers – likely because they are not intended to be internet-facing (Ivanti Policy Secure) or cannot be exploited when in production (Ivanti Neurons for ZTA Gateways).