Active Exploitation of Ivanti VPN 0-Day Vulnerability (CVE-2025-0282)


Ivanti publicly disclosed two critical vulnerabilities, CVE-2025-0282 and CVE-2025-0283, affecting its Connect Secure (ICS) VPN appliances.

The announcement comes amidst alarming reports of active zero-day exploitation of CVE-2025-0282, identified by cybersecurity firm Mandiant as having begun in mid-December 2024.

The exploitation has raised concerns about potential network breaches and downstream compromises for affected organizations.

CVE-2025-0282, the more severe of the two issues, is described as an unauthenticated stack-based buffer overflow vulnerability.

Its exploitation can enable attackers to achieve remote code execution without needing authentication, providing them with a foothold to deploy malware or conduct further attacks within a compromised network.

CVE-2025-0283 has not yet been detailed to the same extent but is also considered critical. Mandiant’s ongoing investigations suggest that CVE-2025-0282 is being exploited in targeted campaigns against multiple organizations.

Attackers have been observed probing the version of an ICS appliance before launching an attack, so that the exploit is only sent to software versions known to be vulnerable.

Technical Analysis

Mandiant observed threat actors leveraging a range of malware families, including previously known varieties like the SPAWN ecosystem (SPAWNANT installer, SPAWNMOLE tunneler, and SPAWNSNAIL SSH backdoor).

Additionally, two new malware families, DRYHOOK and PHASEJAM, have been identified from compromised appliances.

While SPAWN malware has previously been linked to a Chinese-nexus espionage group UNC5337, Mandiant has yet to conclusively attribute all the activity associated with CVE-2025-0282 to a single actor.

Attack Techniques and Persistence Methods

The attackers have showcased advanced tactics in exploiting CVE-2025-0282. Typical attack steps include disabling security features like SELinux, writing malicious scripts, deploying web shells, and tampering with system logs to hide traces of compromise.

Of particular concern is the insertion of persistent malware components that can survive system upgrades, ensuring attackers maintain access even if systems are patched.

The analysis also revealed the deployment of web shells in ICS software components to allow remote access and code execution.

The PHASEJAM malware, for instance, hijacks system upgrade processes to block legitimate upgrades and simulate a fake upgrade process, preventing administrators from patching vulnerabilities.

Another malware, SPAWNANT, embeds itself into system files to ensure persistence during upgrades.

“Following exploitation, the threat actor has been observed removing evidence of exploitation from several key areas of the appliance:”

  1. Clearing kernel messages using dmesg and removing entries from the debug logs that are generated during the exploit
  2. Deleting troubleshoot information packages (state dumps) and any core dumps generated from process crashes
  3. Removing log application event log entries related to syslog failures, internal ICT failures, crash traces, and certificate handling errors
  4. Removing executed commands from the SELinux audit log.
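Two of the evidence-removal steps listed above leave measurable traces a defender can look for: Linux audit records carry a monotonically increasing serial number, so deleted SELinux audit entries show up as gaps, and a dmesg buffer that has been cleared no longer starts near boot time. The following checks are an added example written for this article, not tooling from Mandiant or Ivanti; the log lines are constructed samples in standard auditd and dmesg formats, and the uptime value is an assumed input.

```python
import re
from typing import Iterable, List, Tuple

# auditd records look like: type=EXECVE msg=audit(1734567890.123:4567): ...
# The serial after the colon increases by one per record within a boot,
# so a jump larger than one means records were removed from the log.
AUDIT_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")

def audit_serial_gaps(lines: Iterable[str]) -> List[Tuple[int, int]]:
    """Return (last_seen_serial, next_seen_serial) pairs around each gap."""
    gaps: List[Tuple[int, int]] = []
    prev = None
    for line in lines:
        m = AUDIT_RE.search(line)
        if not m:
            continue  # not an audit record; ignore
        serial = int(m.group(2))
        if prev is not None and serial > prev + 1:
            gaps.append((prev, serial))
        prev = serial
    return gaps

# dmesg lines start with "[ seconds.since.boot ]". After `dmesg -c` the buffer is
# empty, and new messages start at the current uptime instead of near 0.0.
DMESG_RE = re.compile(r"^\[\s*(\d+\.\d+)\]")

def dmesg_cleared(lines: Iterable[str], uptime_seconds: float,
                  tolerance: float = 300.0) -> bool:
    """True if the earliest surviving kernel message is far from boot time."""
    stamps = [float(m.group(1)) for m in (DMESG_RE.match(l) for l in lines) if m]
    if not stamps:
        # An empty ring buffer on a host that has been up for a while is itself suspicious.
        return uptime_seconds > tolerance
    return stamps[0] > tolerance

# Constructed sample input: serials 1002 -> 1007 have been removed.
SAMPLE_AUDIT = [
    "type=SYSCALL msg=audit(1734567890.101:1001): arch=c000003e syscall=59 success=yes",
    "type=EXECVE msg=audit(1734567890.101:1002): argc=2 a0=\"/bin/sh\" a1=\"-c\"",
    "type=SYSCALL msg=audit(1734567955.412:1007): arch=c000003e syscall=59 success=yes",
    "type=EXECVE msg=audit(1734567955.412:1008): argc=1 a0=\"/bin/ls\"",
]
# Constructed sample input: the first surviving message is a day after boot.
SAMPLE_DMESG = ["[86412.500000] usb 1-1: new high-speed USB device"]

if __name__ == "__main__":
    print(audit_serial_gaps(SAMPLE_AUDIT))           # [(1002, 1007)]
    print(dmesg_cleared(SAMPLE_DMESG, 90000.0))       # True
```

Audit serials restart at each boot, so run the gap check per boot session; an appliance reboot is not a gap.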

Mandiant has revealed two sophisticated techniques, implemented through the PHASEJAM malware, that the threat actor uses to maintain persistence on compromised Ivanti Connect Secure (ICS) appliances, even during system upgrades.

One of the identified tactics is the deployment of fake system upgrades: PHASEJAM is used to prevent legitimate system upgrade attempts by administrators.

The technique utilizes a deceptive HTML-based fake upgrade progress bar, which visually convinces administrators that the upgrade process is underway.

In reality, the malicious actor silently blocks the legitimate upgrade, ensuring the system remains compromised while keeping the attack undetected.

Who Is Behind the Attack?

Ivanti and Mandiant believe the attack campaign bears hallmarks of espionage.

The deployment of the SPAWN malware ecosystem has been linked with moderate confidence to UNC5337, a Chinese-nexus actor. UNC5337 has previously targeted Ivanti appliances using other vulnerabilities, such as CVE-2023-46805 and CVE-2024-21887.

UNC5337 is also suspected of being part of a broader group, UNC5221, known for exploiting cybersecurity vulnerabilities in VPN appliances since 2023.

The database cache of compromised ICS appliances has been exfiltrated in several cases, raising fears of exposed VPN session data, API keys, credentials, and certificates. Other malicious post-exploitation activities include reconnaissance using built-in tools and the deployment of tunnelers to bypass network defenses.

Cybersecurity experts warn that these attacks could widen if proof-of-concept exploits for these vulnerabilities become publicly available, potentially drawing in additional threat actors.

Ivanti Response to Zero-Day Vulnerabilities

Ivanti is addressing two recently identified zero-day vulnerabilities, CVE-2025-0282 and CVE-2025-0283, affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. A fix is now available via our download portal.

“We are aware of limited exploitation of CVE-2025-0282 in Ivanti Connect Secure but have no evidence of attacks on Policy Secure or Neurons for ZTA gateways. Our Integrity Checker Tool (ICT) detected the activity promptly, allowing us to respond swiftly and develop a solution.”

Customer Actions:

  1. Apply the Fix: Available on our download portal with detailed guidance in our Security Advisory.
  2. Monitor Systems: Use ICT tools and maintain robust, layered cybersecurity practices, especially for edge devices like VPN gateways.
