U.S. software giant Ivanti has issued a warning about a newly discovered zero-day vulnerability in its widely used enterprise VPN appliance that has been exploited to breach the networks of its corporate customers.
On Wednesday, Ivanti disclosed that the vulnerability, known as CVE-2025-0282 and rated as critical, can be exploited without authentication to remotely inject malicious code into Ivanti’s Connect Secure, Policy Secure, and ZTA Gateways products. Connect Secure, Ivanti’s remote-access VPN solution, is claimed to be the most popular SSL VPN used by organizations of all sizes and industries.
This is not the first time that Ivanti’s products have been targeted by security vulnerabilities. In the past year, the company vowed to improve its security procedures following attacks by hackers who took advantage of vulnerabilities in various products to carry out large-scale hacks against its clients.
The discovery of this latest vulnerability occurred after Ivanti’s Integrity Checker Tool (ICT) detected suspicious activity on certain customer appliances. In a recent advisory, Ivanti confirmed that threat actors were actively exploiting CVE-2025-0282 as a zero-day, indicating that the company had no time to address the vulnerability before it was exploited. Ivanti stated that only a limited number of customers had been affected by the hack on their Connect Secure appliances.

A patch is already available for Connect Secure, while patches for Policy Secure and ZTA Gateways, which haven’t been confirmed to be exploitable, are scheduled for release on January 21. Additionally, Ivanti identified a second vulnerability, tracked as CVE-2025-0283, that has not been exploited.
Ivanti has not disclosed the number of affected customers or the entities responsible for the intrusions. Representatives from Ivanti did not respond to inquiries from TechCrunch at the time of publication.
Mandiant, an incident response firm that collaborated with Microsoft to uncover the vulnerability, announced that hackers had begun exploiting the Connect Secure zero-day as early as mid-December 2024. While the exploitation has not been attributed to a specific threat actor, Mandiant suspects the involvement of China-linked cyberespionage activity that it tracks as UNC5337 and UNC5221.
Security researcher Ben Harris from watchTowr Labs told TechCrunch via email that the impact of this Ivanti VPN flaw has been extensive, with clients requiring assistance to address the issue. Harris emphasized the seriousness of the vulnerability, noting that it has the hallmarks of an advanced persistent threat attack: a zero-day flaw used against a crucial appliance. He urged everyone to take the situation seriously.
The National Cyber Security Centre of the U.K. reported that it is investigating instances of active exploitation affecting U.K. networks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also included the vulnerability on its list of known exploited vulnerabilities.