CISA Mitigation Instructions for CVE-2025-0282
(Updated March 28, 2025) CISA updated these mitigations based on identification of a new malware variant called RESURGE that could undermine the effectiveness of the mitigations previously provided. For more information on RESURGE, see MAR-25993211.R1.V1.CLEAR and CISA Releases Malware Analysis Report on RESURGE Malware Associated with Ivanti Connect Secure.
This page contains the mitigation instructions that correspond to the CISA KEV catalog entry CVE-2025-0282 – Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability.
For all instances of Ivanti Connect Secure, Policy Secure, and ZTA Gateways:
- Conduct threat hunting actions:
  - Run an external Integrity Checker Tool (ICT). For more guidance, see Ivanti’s instructions.
  - Conduct threat hunt actions on any systems connected to—or recently connected to—the affected Ivanti device.
- If threat hunting actions determine no compromise:
  - For the highest level of confidence, conduct a factory reset.
    - For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device.
  - Apply the patch described in Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283).
  - Monitor the authentication or identity management services that could be exposed.
  - Continue to audit privileged access accounts.
  - For the highest level of confidence, conduct a factory reset.
- If threat hunting actions determine compromise:
  - Report to CISA and Ivanti immediately to start forensic investigation and incident response activities.
  - Disconnect instances of affected Ivanti Connect Secure products.
  - For the highest level of confidence, conduct a factory reset.
    - For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device.
  - Isolate the systems from any enterprise resources to the greatest degree possible.
  - Revoke and reissue any connected or exposed certificates, keys, and passwords, to include the following:
    - Reset the admin enable password.
    - Reset stored application programming interface (API) keys.
    - Reset the password of any local user defined on the gateway, including service accounts used for auth server configuration(s).
  - If domain accounts associated with the affected products have been compromised:
    - Reset passwords twice for on-premises accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments.
    - For cloud-joined or cloud-registered devices, disable the devices in the cloud to revoke the device tokens.
- After fully investigating and conducting a factory reset of any affected products, agencies may restore such systems to service.
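The domain-account steps above (two on-premises password resets, Kerberos ticket invalidation, then cloud token and device revocation) can be scripted so they run in the advisory's order and nothing is skipped under incident pressure. The script below is an added example, not CISA's or Ivanti's code. It uses Microsoft's ActiveDirectory and Microsoft.Graph PowerShell modules; the account names, user principal names and device names are placeholders, and the krbtgt handling assumes Microsoft's published guidance that the two krbtgt resets be separated by full replication plus the maximum TGT lifetime (10 hours by default).

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users.Actions, Microsoft.Graph.Identity.DirectoryManagement
# Added example (hypothetical environment): rotate compromised hybrid identities
# after an Ivanti gateway compromise. Order follows the advisory: on-prem first,
# then Kerberos, then cloud sessions and devices.
param(
    # Placeholder sAMAccountNames of on-prem accounts tied to the affected gateway
    [string[]] $CompromisedAccounts = @('svc-ivanti-ldap', 'jdoe'),
    # Placeholder UPNs of the same identities in the cloud tenant
    [string[]] $CloudUserPrincipalNames = @('jdoe@example.com'),
    # Placeholder display names of cloud-joined/registered devices to disable
    [string[]] $DeviceDisplayNames = @('LAPTOP-JDOE'),
    # Opt in to the domain-wide krbtgt reset (invalidates every outstanding TGT)
    [switch] $ResetKrbtgt
)

function New-RandomPassword {
    # 32 CSPRNG bytes, base64-encoded; works on Windows PowerShell 5.1 and PowerShell 7
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-AccountTwice {
    param([Parameter(Mandatory)] [string] $Identity)
    # The advisory calls for two resets: a single reset leaves credential material
    # derived from the previous password usable for a grace period, so the second
    # reset with a fresh random value closes that window. Neither value is kept;
    # the owner gets a new password through the normal out-of-band process.
    foreach ($pass in 1..2) {
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword (New-RandomPassword)
        Write-Verbose "Reset $pass of 2 for $Identity complete"
    }
}

function Reset-Krbtgt {
    # Resetting krbtgt is how outstanding Kerberos TGTs are revoked domain-wide.
    # It must be done twice, but the second reset only after the first has
    # replicated to every DC and the maximum ticket lifetime (10h default) has
    # passed; otherwise valid service tickets fail. This function performs one
    # reset per invocation, so run the script again later for the second.
    Set-ADAccountPassword -Identity 'krbtgt' -Reset -NewPassword (New-RandomPassword)
    Write-Warning 'krbtgt reset done. Re-run after replication and >10 hours for reset 2 of 2.'
}

function Revoke-CloudSessions {
    param([string[]] $Upns, [string[]] $DeviceNames)
    Connect-MgGraph -Scopes 'User.RevokeSessions.All', 'Device.ReadWrite.All' -NoWelcome
    foreach ($upn in $Upns) {
        # Invalidates refresh tokens and session cookies issued before now;
        # already-issued access tokens expire on their own schedule.
        Revoke-MgUserSignInSession -UserId $upn | Out-Null
        Write-Verbose "Revoked sign-in sessions for $upn"
    }
    foreach ($name in $DeviceNames) {
        # Disabling the device object in the tenant revokes its device tokens.
        foreach ($device in Get-MgDevice -Filter "displayName eq '$name'") {
            Update-MgDevice -DeviceId $device.Id -AccountEnabled:$false
            Write-Verbose "Disabled device $name ($($device.Id))"
        }
    }
    Disconnect-MgGraph | Out-Null
}

# Main flow, in the advisory's order
foreach ($account in $CompromisedAccounts) { Reset-AccountTwice -Identity $account }
if ($ResetKrbtgt) { Reset-Krbtgt }
Revoke-CloudSessions -Upns $CloudUserPrincipalNames -DeviceNames $DeviceDisplayNames
```

Run it as a domain administrator with Graph permissions on a management host, not on the gateway itself, and keep the `-ResetKrbtgt` switch for a deliberate, scheduled pass: the on-prem account resets and cloud revocations are safe to repeat, but the second krbtgt reset must wait for replication.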