Networks that rely on Ivanti VPN appliances are under active attack by sophisticated intruders exploiting a critical vulnerability that gives them full control of the device. Ivanti, the vendor, disclosed the flaw on Wednesday and warned customers that it is being exploited in the wild. The bug being exploited is CVE-2025-0282, a stack-based buffer overflow in the company's Connect Secure VPN, Policy Secure and ZTA Gateways that lets a remote attacker execute code with no authentication. A second, less severe flaw fixed in the same advisory, CVE-2025-0283, is a local privilege-escalation bug and has not been seen in the wild. Ivanti has released Connect Secure version 22.7R2.5 to fix both; at the time of disclosure, fixes for Policy Secure and the ZTA Gateways had not yet shipped.
According to Mandiant, the incident-response firm owned by Google, exploitation began in mid-December 2024 against multiple Connect Secure appliances, weeks before public disclosure, so the flaw was a true zero-day. After gaining code execution, the attackers drop two previously unseen malware families, DRYHOOK (a credential harvester) and PHASEJAM. PHASEJAM is a bash dropper that first writes a web shell for remote access and then patches the appliance's upgrade code, inserting a function that fakes a legitimate upgrade.
The injected function, processUpgradeDisplay(), walks through 13 fake upgrade steps, each with a hard-coded duration, and prints progress output that looks exactly like a real upgrade. An administrator who upgrades an already-compromised Connect Secure appliance therefore sees a convincing success message while the device stays on the old, vulnerable build with the malware intact. The practical check is not to trust the progress display: confirm the running version on the appliance after the upgrade, and treat a version that did not change as evidence of compromise. Ivanti's guidance for a device that shows signs of compromise is a factory reset before installing 22.7R2.5.
In addition to PHASEJAM, the attackers use SPAWNANT, a previously documented installer from the SPAWN malware family, to disable the Integrity Checker Tool (ICT) that Ivanti ships with recent VPN builds. The ICT compares the hash of each file on the device against an expected value to spot unauthorized changes. SPAWNANT defeats it by recomputing the SHA256 hash of each file it has modified and writing the new value into the ICT's reference data, so the check compares the backdoored file against a hash of itself and reports it clean. Because both the file and its reference hash live on the compromised appliance, the built-in check cannot be trusted; Ivanti recommends running its external ICT rather than relying on the one built into the device.
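The following is an added illustration, not Ivanti's ICT or the SPAWNANT code, of why an integrity check whose reference hashes sit on the same device can be defeated and why a baseline held off the device still catches the change. The file names, manifest format and the "vendor baseline" are constructed for the example.

```python
"""Toy integrity checker: on-device manifest vs. off-device baseline.

Added example, not Ivanti's ICT or SPAWNANT. All file names, the JSON
manifest format and the 'vendor_baseline' are assumptions for illustration.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """SHA256 of a file, streamed so large appliance images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, rel_paths):
    """Map relative path -> expected SHA256, computed from the files under root."""
    return {p: sha256_file(os.path.join(root, p)) for p in rel_paths}


def check_integrity(root, manifest):
    """Return the sorted list of files whose current hash differs from the manifest."""
    return sorted(
        p for p, expected in manifest.items()
        if sha256_file(os.path.join(root, p)) != expected
    )


def tamper_and_fix_manifest(root, manifest_path, rel_path, payload):
    """Backdoor a file, then rewrite its expected hash in the on-device manifest.

    This is the evasion the text describes: the local checker now compares the
    modified file against a hash of the modified file and reports it clean.
    """
    with open(os.path.join(root, rel_path), "ab") as f:
        f.write(payload)
    with open(manifest_path) as f:
        manifest = json.load(f)
    manifest[rel_path] = sha256_file(os.path.join(root, rel_path))
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)


def demo():
    """Build a constructed 'appliance', tamper with it, and run both checks.

    Returns (findings_from_on_device_manifest, findings_from_offline_baseline).
    """
    root = tempfile.mkdtemp()
    # Constructed sample files standing in for appliance components.
    files = {
        "cgi/auth.cgi": b"#!/usr/bin/perl\nprint 'ok';\n",
        "lib/upgrade_display.pm": b"package UpgradeDisplay; 1;\n",
    }
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)

    # Baseline computed from the clean image and kept OFF the device
    # (here: just a dict the attacker never touches).
    vendor_baseline = build_manifest(root, files)

    # On-device manifest: identical content, but it lives on the appliance.
    manifest_path = os.path.join(root, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(vendor_baseline, f)

    # Attacker with root modifies a component and patches the local manifest.
    tamper_and_fix_manifest(
        root, manifest_path, "lib/upgrade_display.pm",
        b"sub processUpgradeDisplay { }\n",  # constructed stand-in payload
    )

    with open(manifest_path) as f:
        local_manifest = json.load(f)
    on_device_findings = check_integrity(root, local_manifest)   # looks clean
    offline_findings = check_integrity(root, vendor_baseline)    # catches it
    return on_device_findings, offline_findings


if __name__ == "__main__":
    local, external = demo()
    print("on-device manifest flagged:", local)
    print("offline baseline flagged:  ", external)
```

The point of the two results is the trust boundary, not the hashing: any reference data an attacker with root on the appliance can rewrite, including a signature whose verification key is also stored on the device, tells you nothing. A check is only as good as the reference copy it compares against, which is why the comparison has to come from a baseline the compromised host never controlled.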
The ongoing exploitation of this flaw is a serious risk for organizations that rely on Ivanti's VPN appliances. The attackers' tradecraft maps cleanly onto the MITRE ATT&CK framework: initial access by exploiting a public-facing application (T1190), persistence through a web shell (T1505.003), and defense evasion by disabling or modifying the integrity checker (T1562.001). The practical response is to apply the patch now, run Ivanti's external ICT before and after upgrading, factory reset any appliance that shows signs of compromise rather than upgrading in place, and rotate credentials that passed through the device, since the deployed malware harvests them. Regular checks of internet-facing appliances against known-good baselines, not just their own self-reports, are what make this class of tampering visible.