The Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive ED-25-02, titled 'Mitigate Ivanti Connect Secure and Policy Secure Product Vulnerabilities,' requiring all Federal Civilian Executive Branch (FCEB) agencies to take immediate action on critical vulnerabilities in Ivanti's remote access products.
The Vulnerabilities
The directive addresses two vulnerabilities disclosed in early January 2025:
CVE-2025-0282 is confirmed under active exploitation by multiple threat actors, including a Chinese nation-state group tracked as UNC5221 by Mandiant.
Federal Mandates
Under ED-25-02, FCEB agencies must, within 48 hours:
1. Run Ivanti's Integrity Checker Tool (ICT) on all affected appliances
2. Immediately disconnect any appliance showing signs of compromise
3. For uncompromised appliances: apply Ivanti's patch (version 22.7R2.5) immediately
For disconnected appliances, agencies must complete a full factory reset, rebuild from a known-clean image, and rotate all credentials before reconnecting.
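The three-step triage above (ICT result first, then disconnect or patch) is easy to get wrong across a fleet, so here is an added example of a small triage helper that applies the directive's decision order to an appliance inventory. It is not CISA's or Ivanti's code; the inventory format, the hostnames and the assumption that Ivanti version strings follow the "22.7R2.5" shape (major.minor R release .patch) are mine.

```python
"""Triage helper for ED-25-02 (added example; not CISA or Ivanti tooling)."""
from dataclasses import dataclass
import re

# Version ED-25-02 requires on uncompromised appliances.
PATCHED_VERSION = "22.7R2.5"


@dataclass
class Appliance:
    hostname: str
    version: str      # Ivanti version string as reported by the appliance
    ict_clean: bool   # True if Ivanti's Integrity Checker Tool found no tampering


def parse_version(v: str) -> tuple:
    """Turn '22.7R2.5' into (22, 7, 2, 5) so versions compare numerically.

    Assumes the 'major.minor R release[.patch]' shape; anything else is rejected
    rather than silently treated as patched.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {v!r}")
    return tuple(int(x or 0) for x in m.groups())


def triage(a: Appliance) -> dict:
    """Apply the directive's order: compromise check before any patching."""
    if not a.ict_clean:
        return {"host": a.hostname, "action": "disconnect", "steps": [
            "factory reset", "rebuild from known-clean image",
            "rotate all credentials", "reconnect only after rebuild"]}
    if parse_version(a.version) < parse_version(PATCHED_VERSION):
        return {"host": a.hostname, "action": "patch",
                "steps": [f"upgrade to {PATCHED_VERSION}"]}
    return {"host": a.hostname, "action": "compliant", "steps": []}


def triage_fleet(appliances) -> list:
    # Compromised appliances sort first: disconnection is the most time-critical step.
    order = {"disconnect": 0, "patch": 1, "compliant": 2}
    return sorted((triage(a) for a in appliances), key=lambda r: order[r["action"]])


# Constructed sample inventory; hostnames and states are made up for the example.
SAMPLE_FLEET = [
    Appliance("vpn-east.example", "22.7R2.4", ict_clean=True),
    Appliance("vpn-west.example", "22.7R2.3", ict_clean=False),
    Appliance("vpn-lab.example", "22.7R2.5", ict_clean=True),
]

if __name__ == "__main__":
    for r in triage_fleet(SAMPLE_FLEET):
        print(r["host"], r["action"], "; ".join(r["steps"]))
```

A compromised appliance is never routed to "patch": the directive's order puts ICT evidence ahead of version, and the rebuild from a clean image supplies the patched version afterwards.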
Exploitation in the Wild
Mandiant has observed UNC5221 deploying two novel malware families—DRYHOOK and PHASEJAM—on compromised Ivanti appliances. DRYHOOK harvests credentials by intercepting authentication events, while PHASEJAM establishes persistent web shell access even through factory resets.
Broader Impact
Security firm Censys identified over 22,000 internet-exposed Ivanti Connect Secure instances globally, with approximately 3,600 in the United States. CISA urges all organizations to treat this with maximum urgency.
CISA Director Statement
"This is not a situation where agencies can wait for a convenient maintenance window," CISA Director Jen Easterly stated. "We are seeing active, ongoing exploitation by sophisticated threat actors. Disconnect first, then patch."