The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently published details of a critical malware strain identified as RESURGE, which has been used to exploit a security vulnerability in Ivanti Connect Secure appliances. The vulnerability, designated CVE-2025-0282, is a stack-based buffer overflow that can allow remote code execution on affected systems.

CISA notes that RESURGE shares functionality with the SPAWNCHIMERA malware, which is notable for surviving system reboots. RESURGE, however, adds unique commands that change its operational behavior. According to CISA, the malware includes capabilities typically associated with rootkits, droppers, backdoors, bootkits, proxies, and tunneling utilities.

The affected products are specific versions of Ivanti's portfolio: Ivanti Connect Secure prior to version 22.7R2.5, Ivanti Policy Secure before 22.7R1.2, and Ivanti Neurons for ZTA Gateways earlier than version 22.7R2.3. The vulnerability has reportedly been weaponized to deploy various malware components against these systems, and the activity has been attributed to the China-based espionage group UNC5337.

Recent security analyses found that CVE-2025-0282 has been used to deliver a consolidated malware package, SPAWNCHIMERA, which merges earlier modules and improves inter-component communication through UNIX domain sockets. The revised version notably patches the vulnerability itself, closing the exploit vector to other attackers once the implant is in place.

CISA characterizes RESURGE, also known as “libdsupgrade.so,” as an enhanced variant that adds three distinct commands which raise its threat profile: inserting itself into “ld.so.preload,” establishing web shells used for credential harvesting and account management, and manipulating system files by copying the web shell onto the Ivanti running boot disk. Together these indicate a multifaceted approach to sustaining long-term access to compromised systems.
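A defender-side check for the ld.so.preload persistence described above, added here as an illustration and not CISA's or Ivanti's own tooling: it parses the contents of an ld.so.preload file and flags any library that is not on a verified allowlist. The allowlist entry and the sample file contents are constructed; the only name taken from the advisory is libdsupgrade.so.

```python
import re

# Path to the file RESURGE is reported to modify; used here only as a label.
LD_PRELOAD_FILE = "/etc/ld.so.preload"

# Constructed allowlist: libraries an operator has verified belong on the host.
# Hypothetical name; a real baseline would come from the vendor's integrity data.
DEFAULT_ALLOWLIST = frozenset({
    "/usr/lib/libverified-agent.so",
})


def parse_preload(content):
    """Return the library paths listed in ld.so.preload content.

    glibc's loader treats whitespace and colons as separators and '#' as the
    start of a comment, so both are handled here.
    """
    libs = []
    for line in content.splitlines():
        line = line.split("#", 1)[0]
        for entry in re.split(r"[\s:]+", line):
            if entry:
                libs.append(entry)
    return libs


def find_suspicious_preloads(content, allowlist=DEFAULT_ALLOWLIST):
    """Flag every preloaded library that is not on the verified allowlist."""
    findings = []
    for lib in parse_preload(content):
        if lib in allowlist:
            continue
        reason = "not on allowlist"
        if lib.rsplit("/", 1)[-1] == "libdsupgrade.so":
            reason = "matches RESURGE library name reported by CISA"
        elif not lib.startswith("/"):
            reason = "relative path in ld.so.preload"
        findings.append((lib, reason))
    return findings


# Constructed sample content imitating a tampered ld.so.preload.
SAMPLE_PRELOAD = """# system preload
/usr/lib/libverified-agent.so
/tmp/libdsupgrade.so
"""

if __name__ == "__main__":
    for lib, reason in find_suspicious_preloads(SAMPLE_PRELOAD):
        print(f"{LD_PRELOAD_FILE}: {lib} ({reason})")
```

On a real host the file contents would be read from LD_PRELOAD_FILE and the allowlist populated from a known-good baseline; any finding is a reason to preserve the device for forensic review rather than clean it in place.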

CISA further reports recovering additional artifacts from an ICS device belonging to a targeted critical infrastructure entity. A variant of SPAWNSLOTH was identified, along with a custom embedded binary containing open-source components designed to manipulate system kernel images.

According to recent disclosures, CVE-2025-0282 has also been exploited by another China-affiliated threat actor group known as Silk Typhoon, further underscoring the urgency of addressing this vulnerability. The evolving activity of these threat actors calls for swift remediation by organizations, starting with upgrading Ivanti products to their latest versions.

To mitigate the risk of future incidents, CISA advises organizations to reset credentials for both privileged and non-privileged accounts, rotate all user passwords, and temporarily review access permissions to safeguard affected devices. Active monitoring for unusual account activity is also recommended so that any intrusion is detected promptly.

This incident serves as a stark reminder of the intricate and persistent threats facing organizations today, emphasizing the importance of proactive security measures in defending against advanced cyber threats.
