UK Internet Domain Registry Nominet Suffers Cyber Attack

The UK internet domain registry, Nominet, has confirmed to ISPreview that their network has suffered an “unauthorised intrusion” after hackers exploited a “zero-day vulnerability” in the Virtual Private Network (VPN) software they use, which is supplied by Ivanti and enables their people to access systems remotely.

ISPreview first became aware of a problem yesterday after the UK Government’s National Cyber Security Centre (NCSC) put out an urgent bulletin that encouraged organisations to “take immediate action” to mitigate vulnerabilities affecting Ivanti Connect Secure (ICS), Policy Secure and ZTA Gateways (CVE-2025-0282 and CVE-2025-0283).

On top of that, Ivanti themselves said they were “aware of active exploitation” affecting their software, although at the time it was not known who or how many organisations had been targeted. But it was known that this had started “beginning mid-December 2024“.

NCSC Description of the Critical Vulnerabilities

CVE-2025-0282 – A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.

CVE-2025-0283 – A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.

In addition, Google Cloud has also put out a detailed advisory on the vulnerabilities, which adds a lot more context. But unfortunately, it appears as if the UK’s registry for internet domains, Nominet, is one of those organisations to have been attacked, and they’ve shared the following customer notice with us.

Important security update (Nominet)

We want to update you about an ongoing security incident that is currently under investigation.

We became aware of suspicious activity on our network late last week. The entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely.

However, we currently have no evidence of data breach or leakage. We already operate restricted access protocols and firewalls to protect our registry systems.

The unauthorised intrusion into our network exploited a zero-day vulnerability.

As you will recognise, these incidents are always fast-moving and require investigation – but we have NOT uncovered any backdoors or routes onto our network. Aided by external experts, our investigation continues, and we have put additional safeguards in place, including restricted access to our systems from VPN.

Domain registration and management systems continue to operate as normal.

As well as informing members and customers, we have reported this incident to the relevant authorities, including NCSC.

Ivanti has made available patches to address this vulnerability which we are implementing. Those also using Ivanti’s VPN services are encouraged to patch their software immediately.

We will update you when our investigation concludes, or as necessary.

Nominet will not be the only organisation to be dealing with the headaches that have resulted from the latest situation. Sadly, this is not the first time that Ivanti’s VPN solution has faced serious security problems (example), which appears to have been promptly exploited by “Chinese state-sponsored threat actors.”