The UK’s top level domain registry has revealed to customers that it suffered a security breach recently when threat actors exploited a zero-day vulnerability in Ivanti VPN products.
Nominet, which manages over 11 million .uk domains as well as .wales and .cymru, issued an alert to its customers last week.
The security update, seen by Infosecurity, claimed the registry first noticed suspicious activity on its network in the week beginning December 30.
“The entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely. However, we currently have no evidence of data breach or leakage. We already operate restricted access protocols and firewalls to protect our registry systems,” it continued.
“The unauthorized intrusion into our network exploited a zero-day vulnerability.”
The zero-day in question was revealed and patched by Ivanti on January 8. Stack-based buffer overflow bug CVE-2025-0282 has a CVSS score of 9.0 and could lead to unauthenticated remote code execution (RCE), according to the security vendor.
It affects the VPN product Ivanti Connect Secure (versions before 22.7R2.5), as well as Ivanti Policy Secure before version 22.7R1.2 and Ivanti Neurons for ZTA gateways before version 22.7R2.3.
Although customers of the other two affected products will have to wait until January 21 for a patch, Ivanti released fixes for Ivanti Connect Secure last week. Nominet said it was deploying the patches, as well as notifying the relevant authorities.
Fortunately, the company appears to have spotted the intrusion early on, before threat actors could cause much damage.
“As you will recognize, these incidents are always fast-moving and require investigation – but we have not uncovered any backdoors or routes onto our network,” the update confirmed.
“Aided by external experts, our investigation continues, and we have put additional safeguards in place, including restricted access to our systems from VPN. Domain registration and management systems continue to operate as normal.”