Critical Security Flaw in Ivanti Products Under Active Exploitation
Ivanti has issued a warning regarding a severe security vulnerability affecting its Ivanti Connect Secure, Policy Secure, and ZTA Gateways, which has been subject to active exploitation since mid-December 2024. The vulnerability, identified as CVE-2025-0282, has been assigned a high CVSS score of 9.0 and is characterized as a stack-based buffer overflow. This critical flaw impacts several versions of Ivanti products, including Connect Secure prior to version 22.7R2.5, Policy Secure before 22.7R1.2, and Neurons for ZTA gateways before 22.7R2.3.
Successful exploitation of this vulnerability could result in unauthenticated remote code execution, as detailed in an advisory by Ivanti. The company reported that its Integrity Checker Tool (ICT) detected suspicious activity on the same day, allowing for a swift response and development of a patch. In addition to CVE-2025-0282, Ivanti addressed another significant vulnerability, CVE-2025-0283, which carries a CVSS score of 7.0 and permits a locally authenticated attacker to escalate privileges.
Ivanti has acknowledged that a “limited number of customers” have experienced exploitation through CVE-2025-0282. However, the company confirmed that there is currently no evidence suggesting that CVE-2025-0283 is being actively weaponized. The vulnerabilities, resolved in version 22.7R2.5, affect a range of previously released software, illustrating the widespread impact of these security flaws.
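The advisory expresses affected versions as "prior to" a fixed release per product, so the first triage step for a defender is an inventory check against those thresholds. The following script is an added example, not code from the article or from Ivanti; it assumes Ivanti version strings follow the `MAJOR.MINORRrelease.patch` shape seen above (e.g. `22.7R2.5`) and that they order lexicographically on those four components. The fixed versions are the ones the article states; the hostnames and installed versions in the sample inventory are constructed for illustration.

```python
import re

# Fixed versions as stated in the advisory summarised above (one per product).
FIXED_VERSIONS = {
    "connect_secure": "22.7R2.5",
    "policy_secure": "22.7R1.2",
    "zta_gateway": "22.7R2.3",
}

# Assumption: versions look like 22.7R2.5; the trailing ".patch" may be absent.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse an Ivanti-style version string into a comparable tuple.

    Assumption: (major, minor, release, patch) compares in that order and a
    missing patch component (e.g. '22.7R2') is treated as 0.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the installed version predates the product's fixed version."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"unknown product {product!r}; expected one of {sorted(FIXED_VERSIONS)}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def triage(inventory):
    """Return the hostnames from (host, product, version) records that still need patching."""
    return [host for host, product, version in inventory if is_vulnerable(product, version)]


# Constructed sample inventory: hostnames and versions are invented for this example.
SAMPLE_INVENTORY = [
    ("vpn-east-1", "connect_secure", "22.7R2.4"),
    ("vpn-west-1", "connect_secure", "22.7R2.5"),
    ("nac-core", "policy_secure", "22.7R1.1"),
    ("zta-edge", "zta_gateway", "22.7R2.3"),
    ("vpn-legacy", "connect_secure", "22.6R2"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: below the fixed version; patch and run the Integrity Checker Tool")
```

A version at or above the fixed release is treated as not affected; anything that fails to parse raises rather than silently passing, so an unexpected version format surfaces in the inventory rather than hiding an unpatched appliance.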
Mandiant's investigation found the SPAWN malware ecosystem deployed on multiple compromised devices belonging to various organizations. The exploitation has been attributed to a China-based threat actor tracked as UNC5337, which is believed to be connected to another group, UNC5221. Mandiant's findings indicate that the attackers disabled essential security features, manipulated logs, and executed scripts to drop web shells. These tactics align with the MITRE ATT&CK framework's categories of initial access, persistence, and privilege escalation.
The exploited vulnerabilities also led to the installation of new, previously undocumented malware families, including DRYHOOK and PHASEJAM. These pieces of malware enable advanced attacks such as web shell insertion into critical system files, blocking legitimate system updates, and executing arbitrary commands within the compromised environment.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2025-0282 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply the patches by January 15, 2025. CISA is also urging organizations to proactively scan their networks for signs of breach and to report any anomalous behavior.
Mandiant has suggested that the sophistication of these attacks points to multiple hacking groups potentially being involved in the development and deployment of SPAWN, DRYHOOK, and PHASEJAM. Ivanti has also recommended running the Integrity Checker Tool to identify potential compromises related to CVE-2025-0282. If any suspicious activity is detected, a factory reset of the appliance is advised, followed by redeployment on the latest software version.
Data from Censys shows approximately 33,219 instances of Ivanti Connect Secure exposed globally, with concentrations in the U.S., Japan, and several European countries. The ongoing exploitation highlights the urgent need for affected organizations to take immediate action to secure their systems against these vulnerabilities.
