Critical VPN vulnerabilities continue to impact businesses
UK domain giant Nominet is the latest victim
A critical vulnerability in Ivanti's Connect Secure VPN has continued to impact customers and businesses, with UK domain giant Nominet confirming a cyberattack linked to exploitation of the Ivanti flaws.
Nominet, which maintains .co.uk domains, warned customers of an "ongoing security incident" that was under investigation. CRN reported that Nominet believed "the entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely." Nominet said that, at this stage, it had found no evidence that customer data had been leaked or breached.
Ivanti's Connect Secure is a remote access VPN designed for remote workers across organisations of any size. No VPN product is immune to exploitable vulnerabilities; what separates the best business VPNs is how quickly the vendor ships a fix and how easily customers can verify their appliances and apply it. Ivanti has released updates to address the issue, along with guidance on how affected appliances should be checked and upgraded.
How were Ivanti's vulnerabilities exploited?
Ivanti first disclosed the vulnerabilities in Connect Secure on 8 January 2025. Two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, were detailed. The first was a "zero-day": it was being exploited in the wild before a fix existed, so defenders had no window in which to patch ahead of the attackers.
The first vulnerability, CVE-2025-0282, is a stack-based buffer overflow that enabled attackers to remotely execute code without authentication; it received a CVSS severity score of 9.0 out of 10.0. Ivanti added that a "limited number" of customer appliances had been exploited. The second, CVE-2025-0283, is also a stack-based buffer overflow but requires a local, authenticated attacker, who can use it to escalate privileges; it had not seen exploitation and received a severity score of 7.0 out of 10.0.
A patch was quickly available for Connect Secure, with customers advised to run a scan using Ivanti's Integrity Checker Tool (ICT) to see whether they had been compromised. The ICT compares the files on an appliance against a known-good set so that modified or unexpected files stand out; it exists in an internal version that runs on the appliance and an external version that is run against it. Only customers who received a "clean internal and external ICT scan" result were advised to update their software in place.
Anyone whose scan "shows signs of compromise" was advised to factory reset the affected device before putting it back online with the new update. Ivanti recommends backing up the configuration of appliances before resetting and upgrading. A configuration backup taken after an intrusion may itself carry attacker changes, such as added accounts, so it should be reviewed before being restored onto the rebuilt appliance.
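The scan-then-decide step above rests on file-integrity checking: hash every file on the appliance, compare against a manifest captured from a trusted image, and branch on whether anything differs. The following is an added illustration of that technique, not Ivanti's ICT or any Ivanti code; the page does not describe ICT's manifest or output format, so the manifest layout, the sample "appliance" tree and the simulated tampering are all constructed for this example.

```python
"""Minimal file-integrity check of the kind an appliance integrity checker performs.

Added illustration only: not Ivanti's Integrity Checker Tool. The manifest
format (relative path -> SHA-256) and the sample tree are assumptions made
for this example.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Known-good manifest, captured from a trusted image: relative path -> sha256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def check_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree with the manifest.

    Returns three sorted lists of relative paths: 'modified' (hash differs),
    'added' (present but not in the manifest) and 'missing' (in the manifest
    but absent). A dropped web shell shows up as 'added', a patched daemon
    as 'modified'.
    """
    present = {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*") if p.is_file()
    }
    modified = sorted(k for k in manifest if k in present and present[k] != manifest[k])
    added = sorted(k for k in present if k not in manifest)
    missing = sorted(k for k in manifest if k not in present)
    return {"modified": modified, "added": added, "missing": missing}


def verdict(findings: dict[str, list[str]]) -> str:
    """Map findings onto the two outcomes the upgrade procedure branches on."""
    if any(findings.values()):
        return "signs of compromise: factory reset, then upgrade"
    return "clean: upgrade in place"


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed sample: a tiny 'appliance' tree, scanned before and after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "www").mkdir()
        (root / "bin" / "web").write_bytes(b"\x7fELF original daemon\n")
        (root / "www" / "index.html").write_text("<html>login</html>\n")
        manifest = build_manifest(root)  # captured while the tree is trusted
        clean = check_tree(root, manifest)
        # Simulated intrusion: the daemon is patched and a web shell is dropped.
        (root / "bin" / "web").write_bytes(b"\x7fELF backdoored daemon\n")
        (root / "www" / "shell.cgi").write_text("#!/bin/sh\n")
        dirty = check_tree(root, manifest)
        return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print(verdict(before), before)
    print(verdict(after), after)
```

The manifest and the checker itself must come from somewhere the attacker could not modify: a checker that runs on the appliance with a manifest stored on the appliance can be subverted by the same malware it is looking for, which is why the guidance above asks for both an internal and an external scan to come back clean before upgrading in place.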
The company's Policy Secure and ZTA Gateways products are affected by the same vulnerabilities, but neither had seen exploitation at the time of writing. Ivanti stated that patches for these products were in the works and expected on 21 January 2025.
This is not the first time Ivanti has had vulnerabilities exploited, having suffered a string of attacks throughout 2023 and 2024.
Links to China
According to researchers at Mandiant, the attack may have links to a China-based threat actor and could have started as early as December 2024.
Compromised devices had been infected with malware from the "SPAWN" family, which Mandiant has linked to a China-based hacking group it tracks as UNC5337. This group may be part of the same operation that exploited Ivanti Connect Secure in early 2024, attacks Mandiant attributed to a group tracked as UNC5221; Mandiant assessed with "moderate confidence" that UNC5337 is part of UNC5221.
Are business VPNs still a good option?
Yes, there are many business VPNs out there which will keep your company and employees protected against cybercriminals, and there are some key features to look out for.
Businesses of any size can come under threat from hackers, and small and medium businesses are often the most attractive targets because they have the fewest resources to detect and respond to an intrusion. You therefore need a business VPN that protects all of your traffic in transit with strong, up-to-date encryption.
In terms of IP addressing, a static (dedicated) IP for your VPN gateway lets you allowlist that single address on the systems that hold protected data, so they accept connections only from employees who have come through the VPN. Many business VPNs are cloud-hosted, which puts the gateway, its configuration and its access controls in one centrally managed place.
It is also worth looking for a business VPN that boasts additional security features. This can greatly reduce the amount of extra hardware and software you need to purchase, making a business VPN more cost-effective. As the Ivanti incident shows, the features that matter most are the unglamorous ones: a vendor that patches quickly, and tooling that lets you verify an appliance has not been tampered with before you trust it again.
Disclaimer
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
George is a Staff Writer at Tom's Guide, covering VPN, privacy, and cybersecurity news. He is especially interested in digital rights, censorship, data, and the interplay between cybersecurity and politics. Outside of work, George is passionate about music, Star Wars, and Karate.