We are sharing backdoored Ivanti Connect Secure devices that may have been compromised as part of a CVE-2025-0282 exploitation campaign (but also we believe may include older or other activity).
379 new backdoored instances found on 2025-01-22:
https://dashboard.shadowserver.org/statistics/combined/tree/?day=2025-01-22&source=compromised_website&source=compromised_website6&tag=cve-2025-0282%2B&geo=all&data_set=count&scale=log
Data shared daily in our Compromised Website report https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/ tagged 'backdoor;ivanti-connect-secure'
Dashboard tracker: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=compromised_website&source=compromised_website6&tag=backdoor%2B&dataset=unique_ips&limit=1000&group_by=geo&style=stacked
Make sure to investigate your Ivanti Connect Secure instance if you receive an alert from us! @cisacyber mitigation advice is a good start https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282
Thank you to @certfi for the insights and detection methods!
=> More informations about this toot | View the thread | More toots from shadowserver@infosec.exchange
=> View cisacyber@bird.makeup profile | View certfi@bird.makeup profile
text/geminiThis content has been proxied by September (3851b).