CISA Warns of RESURGE Malware Exploiting Ivanti RCE Vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing the exploitation of a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282).
This vulnerability allows attackers to gain unauthorized access and deploy sophisticated malware variants, including the newly identified RESURGE and SPAWNSLOTH.
CISA’s analysis revealed that RESURGE operates as a backdoor and rootkit, enabling attackers to establish Secure Shell (SSH) tunnels for command-and-control (C2) operations.
The malware modifies system files, bypasses integrity checks, and installs a web shell on the Ivanti boot disk. It also incorporates encryption mechanisms to evade detection and maintain persistence.
A related file, identified as SPAWNSLOTH, is embedded within RESURGE. This variant specializes in tampering with system logs, making it challenging to trace malicious activities.
Additionally, CISA discovered a custom binary leveraging open-source tools like BusyBox and scripts such as extract_vmlinux.sh. These tools enable attackers to extract kernel images, analyze vulnerabilities, and execute payloads on compromised devices.
Exploitation Details and Indicators of Compromise (IOCs)
The RESURGE malware exploits CVE-2025-0282 to infiltrate systems.
Once inside, it performs the following actions:
- Inserts itself into critical system files (ld.so.preload) for remote command execution.
- Alters coreboot images to manipulate boot processes and inject malicious payloads.
- Modifies Python scripts (scanner.py and scanner_legacy.py) to disable mismatch tracking in file integrity scans.
These modifications allow attackers to maintain control over compromised systems while evading detection by security mechanisms.
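The two host-level changes described above (an unexpected entry in ld.so.preload and tampered integrity-scanner scripts) are both things a defender can check for directly. The following is an added example, not code from CISA's report or from Ivanti: it flags preload entries outside a known-good allowlist and compares files against a SHA-256 baseline. The allowlist, the baseline manifest, the file contents and the library path it reports are all constructed for the demonstration; the real on-disk location of scanner.py and scanner_legacy.py on an Ivanti appliance is not given here.

```python
"""Host-integrity checks for the RESURGE tampering described above.

Added example, not from CISA's report or Ivanti. All paths, the baseline
manifest and the sample file contents are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Assumption: the administrator-approved set of preload libraries (normally empty).
PRELOAD_ALLOWLIST: frozenset[str] = frozenset()


def check_ld_so_preload(content: str, allowlist: frozenset[str] = PRELOAD_ALLOWLIST) -> list[str]:
    """Return preload entries that are not in the allowlist.

    ld.so.preload lists shared objects the dynamic loader injects into every
    process, so any entry an administrator did not place there is suspect.
    """
    suspicious: list[str] = []
    for raw in content.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        for entry in line.split():  # the loader accepts whitespace-separated entries
            if entry not in allowlist:
                suspicious.append(entry)
    return suspicious


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_baseline(root: Path, baseline: dict[str, str]) -> dict[str, str]:
    """Compare files under root against {relative_path: sha256} and report each
    as 'ok', 'modified' or 'missing'."""
    results: dict[str, str] = {}
    for rel, expected in baseline.items():
        p = root / rel
        if not p.is_file():
            results[rel] = "missing"
        elif sha256_file(p) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


def demo() -> tuple[list[str], dict[str, str]]:
    """Run both checks over constructed sample data in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for the two integrity-scanner scripts the report names.
        originals = {
            "scanner.py": "def scan():\n    report_mismatches = True\n",
            "scanner_legacy.py": "def scan_legacy():\n    report_mismatches = True\n",
        }
        for rel, text in originals.items():
            (root / rel).write_text(text)
        baseline = {rel: sha256_file(root / rel) for rel in originals}

        # Simulate the tampering the report describes: mismatch tracking switched off.
        (root / "scanner.py").write_text("def scan():\n    report_mismatches = False\n")

        # Constructed ld.so.preload content containing one injected library (placeholder path).
        preload = "# managed by admin\n/lib/libplaceholder_example.so\n"
        return check_ld_so_preload(preload), verify_baseline(root, baseline)


if __name__ == "__main__":
    suspicious, statuses = demo()
    print("unexpected preload entries:", suspicious)
    print("baseline comparison:", statuses)
```

The baseline should be captured from a known-clean image and stored off the appliance; a checksum list kept on the same disk the malware can write to is worth little. Comparing against vendor-published hashes, where available, removes the dependence on a locally captured baseline altogether.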
CISA strongly recommends that organizations using Ivanti Connect Secure devices take immediate action to mitigate this threat.
Key steps include:
- Applying security patches for CVE-2025-0282 without delay.
- Monitoring network traffic for unusual SSH connections or tunneling activity.
- Implementing robust logging practices to detect tampering attempts.
- Regularly scanning systems for known IOCs associated with RESURGE and SPAWNSLOTH malware.
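Since the report describes RESURGE using SSH tunnels for command-and-control, the network-monitoring step above can be made concrete as a check over the appliance's connection records. The following is an added example, not code from CISA's report: it parses constructed connection records and flags SSH sessions to or from the appliance that involve a host outside the management allowlist, as well as unusually long SSH sessions that look like tunnels. The record format, the addresses, the allowlist and the duration threshold are all constructed assumptions and would be replaced by the values from the organization's own flow or firewall logs.

```python
"""Flag SSH sessions an Ivanti appliance should not be holding.

Added example, not from CISA's report. Log format, addresses and thresholds
are constructed assumptions for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    duration_s: int
    bytes_out: int


# Constructed: the appliance address and the only host permitted to SSH to or from it.
APPLIANCE_IP = "10.0.5.10"
SSH_ALLOWLIST = frozenset({"10.0.1.20"})
LONG_SESSION_S = 3600  # sessions at or above this length are reported as possible tunnels


def parse_line(line: str) -> Conn | None:
    """Parse one constructed record: ts src dst dport duration_s bytes_out."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        return Conn(parts[0], parts[1], parts[2], int(parts[3]), int(parts[4]), int(parts[5]))
    except ValueError:
        return None


def find_suspicious_ssh(lines) -> list[tuple[Conn, str]]:
    """Return (record, reason) pairs for SSH sessions that merit investigation."""
    findings: list[tuple[Conn, str]] = []
    for line in lines:
        c = parse_line(line)
        if c is None or c.dport != 22:
            continue  # malformed record or not SSH
        if c.src == APPLIANCE_IP and c.dst not in SSH_ALLOWLIST:
            findings.append((c, "outbound SSH from appliance to non-allowlisted host"))
        elif c.dst == APPLIANCE_IP and c.src not in SSH_ALLOWLIST:
            findings.append((c, "inbound SSH to appliance from non-allowlisted host"))
        elif c.duration_s >= LONG_SESSION_S:
            findings.append((c, "long-lived SSH session (possible tunnel)"))
    return findings


# Constructed sample records; 203.0.113.7 is a documentation-range address standing in
# for an external host. One line is deliberately malformed to show it is skipped.
SAMPLE_LOG = """\
2025-03-28T10:00:01Z 10.0.1.20 10.0.5.10 22 120 4096
2025-03-28T10:05:12Z 10.0.5.10 203.0.113.7 22 7200 918273
2025-03-28T10:06:00Z 10.0.5.10 10.0.1.20 443 3 1200
2025-03-28T11:00:00Z 10.0.1.20 10.0.5.10 22 5400 20480
not a connection record
"""


if __name__ == "__main__":
    for conn, reason in find_suspicious_ssh(SAMPLE_LOG.splitlines()):
        print(f"{conn.ts} {conn.src} -> {conn.dst}:{conn.dport} ({conn.duration_s}s): {reason}")
```

An appliance that normally accepts SSH only from a management host has no business initiating SSH outbound at all, so the first rule is the high-value one; the duration rule catches tunnels riding on otherwise-permitted peers and will need tuning against what legitimate administrative sessions look like in a given environment.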
CISA also advises maintaining up-to-date antivirus solutions, enforcing strong password policies, and restricting administrative privileges to minimize exposure to such threats.
This advisory underscores the growing sophistication of cyberattacks targeting critical infrastructure and the need for proactive defense measures. Organizations are urged to remain vigilant and report any suspicious activity to CISA for further analysis and support.