Ivanti warns that since mid-December 2024, a critical security flaw affecting Ivanti Connect Secure, Policy Secure and ZTA Gateways has been actively exploited.
The vulnerability, tracked as CVE-2025-0282 (CVSS score: 9.0), is a stack-based buffer overflow affecting Ivanti Connect Secure before 22.7R2.5, Ivanti Policy Secure before 22.7R1.2, and Ivanti Neurons for ZTA Gateways before 22.7R2.3.
“Successful exploitation of CVE-2025-0282 could lead to remote code execution without authentication,” Ivanti said in an advisory. “Threat actor activity was detected by the Integrity Check Tool (ICT) on the same day, allowing Ivanti to respond promptly and quickly develop a fix.”
The company also fixed another high-severity flaw (CVE-2025-0283, CVSS score: 7.0) that allows a locally authenticated attacker to escalate privileges. The vulnerabilities, addressed in version 22.7R2.5, affect the following versions –
- CVE-2025-0282 – Ivanti Connect Secure 22.7R2 through 22.7R2.4, Ivanti Policy Secure 22.7R1 through 22.7R1.2, and Ivanti Neurons for ZTA Gateways 22.7R2 through 22.7R2.3
- CVE-2025-0283 – Ivanti Connect Secure 22.7R2.4 and earlier, 9.1R18.9 and earlier, Ivanti Policy Secure 22.7R1.2 and earlier, and Ivanti Neurons for ZTA Gateways 22.7R2.3 and earlier
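As an added example (not code from Ivanti or Mandiant), the following Python helper parses Ivanti's version strings and triages an appliance inventory against the affected ranges listed above; the product names, the inventory row format and the branch-based reading of "and earlier" are assumptions.

```python
import re
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """Parse an Ivanti-style version such as '22.7R2.4' into (22, 7, 2, 4);
    '22.7R2' becomes (22, 7, 2, 0) so that tuples compare in release order."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

# Affected ranges as listed in the article above. A lower bound of None
# encodes "and earlier", read here as any version in the same major.minor
# branch at or below the upper bound (an assumption about Ivanti's wording).
AFFECTED = {
    "CVE-2025-0282": {
        "Ivanti Connect Secure": [("22.7R2", "22.7R2.4")],
        "Ivanti Policy Secure": [("22.7R1", "22.7R1.2")],
        "Ivanti Neurons for ZTA Gateways": [("22.7R2", "22.7R2.3")],
    },
    "CVE-2025-0283": {
        "Ivanti Connect Secure": [(None, "22.7R2.4"), (None, "9.1R18.9")],
        "Ivanti Policy Secure": [(None, "22.7R1.2")],
        "Ivanti Neurons for ZTA Gateways": [(None, "22.7R2.3")],
    },
}

def is_affected(product, version, cve):
    """True if the given product/version falls inside an affected range for cve."""
    v = parse_version(version)
    for lo, hi in AFFECTED[cve].get(product, []):
        hi_v = parse_version(hi)
        if lo is None:
            if v[:2] == hi_v[:2] and v <= hi_v:
                return True
        elif parse_version(lo) <= v <= hi_v:
            return True
    return False

def triage(inventory):
    """Return (host, product, version, [cves]) for every inventory row that is
    affected by at least one CVE; inventory rows are (host, product, version)."""
    findings = []
    for host, product, version in inventory:
        cves = [c for c in AFFECTED if is_affected(product, version, c)]
        if cves:
            findings.append((host, product, version, cves))
    return findings
```

Feed it the output of your asset inventory and patch anything it reports before running the Integrity Check Tool on the remaining hosts.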
Ivanti acknowledged that it is aware of a “limited number of customers” whose appliances have been exploited via CVE-2025-0282. There is currently no evidence that CVE-2025-0283 has been weaponized.
Google-owned Mandiant, which has published an investigation into attacks exploiting CVE-2025-0282, said it has observed the expansion of the SPAWN malware ecosystem. The use of SPAWN has been attributed to the China-nexus threat actor UNC5337, which is assessed with medium confidence to be part of UNC5221.
The attacks also resulted in the installation of previously undocumented malware families called DRYHOOK and PHASEJAM. Neither strain has been linked to a known threat actor or group.
Exploitation of CVE-2025-0282, according to the cybersecurity company, is followed by a series of steps: disabling SELinux, preventing syslog forwarding, remounting the drive read-write, running scripts to remove web shells, using sed to remove specific entries from the debug and application logs, re-enabling SELinux and remounting the drive.
One of the payloads executed by the shell script is a second shell script, which in turn runs an ELF binary responsible for launching PHASEJAM, a shell-script dropper designed to make malicious modifications to Ivanti Connect Secure device components.
“The main functions of PHASEJAM are to inject a web shell into the getComponent.cgi and restAuth.cgi files, block system upgrades by modifying the DSUpgrade.pm file, and overwrite the remotedebug executable so that it can be used to execute arbitrary commands when passed certain parameters,” Mandiant researchers said.
The web shell is capable of decoding shell commands and transmitting the results of command execution back to the attacker, downloading arbitrary files to the infected device, and reading and transmitting file contents.
The methodical deletion of log entries, kernel messages, crash traces, certificate-handling errors and command history suggests the attack is the work of a sophisticated threat actor.
PHASEJAM also achieves persistence by silently blocking legitimate Ivanti device upgrades while displaying a fake HTML upgrade progress bar. SPAWNANT, an installer component of the SPAWN malware framework, can survive a system upgrade by hijacking the execution flow of dspkginstall, a binary used during the system upgrade process.
Mandiant said it observed various publicly available open-source tunneling utilities, including SPAWNMOLE, being used to facilitate communication between a compromised device and the threat actor’s command-and-control (C2) infrastructure.
Some of the other post-exploitation activities are listed below –
- Perform internal network reconnaissance with built-in tools such as nmap and dig
- Use an LDAP service account to perform LDAP queries and move laterally through the network, including to Active Directory servers, via SMB or RDP
- Steal the application cache database, which contains information related to VPN sessions, session cookies, API keys, certificates and credentials
- Deploy a Python script called DRYHOOK to collect credentials
Mandiant also warned that multiple hacker groups may be responsible for creating and deploying SPAWN, DRYHOOK and PHASEJAM, but noted that it did not have enough data to accurately estimate the number of actors involved in exploiting the vulnerability.
In light of the active exploitation, the US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-0282 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by January 15, 2025. It also urges organizations to scan their environments for signs of compromise and to report any incidents or anomalous activity.