Ivanti Flaw CVE-2025-0282 Actively Exploited, Impacts Connect Secure and Policy Secure

The Hacker News by The Hacker News
January 19, 2025
Ivanti is warning that a critical security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA Gateways has come under active exploitation in the wild beginning mid-December 2024.

The security vulnerability in question is CVE-2025-0282 (CVSS score: 9.0), a stack-based buffer overflow that affects Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3.

“Successful exploitation of CVE-2025-0282 could lead to unauthenticated remote code execution,” Ivanti said in an advisory. “Threat actor activity was identified by the Integrity Checker Tool (ICT) on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix.”

Also patched by the company is another high-severity flaw (CVE-2025-0283, CVSS score: 7.0) that allows a locally authenticated attacker to escalate their privileges. The vulnerabilities, addressed in version 22.7R2.5, impact the following versions –

  • CVE-2025-0282 – Ivanti Connect Secure 22.7R2 through 22.7R2.4, Ivanti Policy Secure 22.7R1 through 22.7R1.2, and Ivanti Neurons for ZTA gateways 22.7R2 through 22.7R2.3
  • CVE-2025-0283 – Ivanti Connect Secure 22.7R2.4 and prior, 9.1R18.9 and prior, Ivanti Policy Secure 22.7R1.2 and prior, and Ivanti Neurons for ZTA gateways 22.7R2.3 and prior
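As an added example (not from the article, Ivanti or Mandiant), a small checker that encodes the affected ranges above and reports which of the two CVEs apply to a given product and version string; it assumes the "and prior" wording is scoped to the same major.minor release train (e.g. 9.1R18.9 and prior applies to the 9.1 train only).

```python
import re
from typing import List, Tuple

# Affected ranges as listed in Ivanti's advisory: (product, lowest, highest), both
# inclusive. A lowest of None means "and prior"; this example reads that as any
# release in the same major.minor train up to the bound (an assumption).
AFFECTED = {
    "CVE-2025-0282": [
        ("Ivanti Connect Secure", "22.7R2", "22.7R2.4"),
        ("Ivanti Policy Secure", "22.7R1", "22.7R1.2"),
        ("Ivanti Neurons for ZTA gateways", "22.7R2", "22.7R2.3"),
    ],
    "CVE-2025-0283": [
        ("Ivanti Connect Secure", None, "22.7R2.4"),
        ("Ivanti Connect Secure", None, "9.1R18.9"),
        ("Ivanti Policy Secure", None, "22.7R1.2"),
        ("Ivanti Neurons for ZTA gateways", None, "22.7R2.3"),
    ],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'22.7R2.5' -> (22, 7, 2, 5); a bare '22.7R2' gets a trailing 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(product: str, version: str, cve: str) -> bool:
    """True if product/version falls inside any affected range for the CVE."""
    v = parse_version(version)
    for prod, low, high in AFFECTED[cve]:
        if prod != product:
            continue
        hi = parse_version(high)
        if low is None:
            if v[:2] == hi[:2] and v <= hi:  # "and prior", same release train
                return True
        elif parse_version(low) <= v <= hi:
            return True
    return False


def affected_cves(product: str, version: str) -> List[str]:
    """CVEs from the advisory that apply to this product/version."""
    return [cve for cve in AFFECTED if is_affected(product, version, cve)]
```

Feed it the version string from an appliance inventory; an empty list for 22.7R2.5 confirms the fixed release, while any hit means the appliance should be patched and checked with the ICT.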

Ivanti has acknowledged that it’s aware of a “limited number of customers” whose Connect Secure appliances have been exploited due to CVE-2025-0282. There is currently no evidence that CVE-2025-0283 is being weaponized.

Google-owned Mandiant, which detailed its investigation into attacks exploiting CVE-2025-0282, said it observed the deployment of the SPAWN ecosystem of malware across several compromised devices from multiple organizations. The use of SPAWN has been attributed to a China-nexus threat actor dubbed UNC5337, which is assessed to be a part of UNC5221 with medium confidence.

The attacks have also culminated in the installation of previously undocumented malware families dubbed DRYHOOK and PHASEJAM. Neither of the strains has been linked to a known threat actor or group.

The exploitation of CVE-2025-0282, per the cybersecurity company, entails performing a series of steps to disable SELinux, prevent syslog forwarding, remount the drive as read-write, execute scripts to drop web shells, use sed to remove specific log entries from the debug and application logs, re-enable SELinux, and remount the drive.

One of the payloads executed using the shell script is another shell script that, in turn, runs an ELF binary responsible for launching PHASEJAM, a shell script dropper that’s designed to make malicious modifications to the Ivanti Connect Secure appliance components.

“The primary functions of PHASEJAM are to insert a web shell into the getComponent.cgi and restAuth.cgi files, block system upgrades by modifying the DSUpgrade.pm file, and overwrite the remotedebug executable so that it can be used to execute arbitrary commands when a specific parameter is passed,” Mandiant researchers said.

The web shell is capable of decoding shell commands and exfiltrating the results of the command execution back to the attacker, uploading arbitrary files on the infected device, and reading and transmitting file contents.

There is evidence to suggest that the attack is the work of a sophisticated threat actor owing to the methodical removal of log entries, kernel messages, crash traces, certificate handling errors, and command history.

PHASEJAM also establishes persistence by covertly blocking legitimate updates to the Ivanti appliance by rendering a fake HTML upgrade progress bar. On the other hand, SPAWNANT, the installer component associated with the SPAWN malware framework, can persist across system upgrades by hijacking the execution flow of dspkginstall, a binary used during the system upgrade process.

Mandiant said it observed various publicly available and open-source tunneling utilities, including SPAWNMOLE, being used to facilitate communications between the compromised appliance and the threat actor’s command-and-control (C2) infrastructure.

Some of the other post-exploitation activities carried out are listed below –

  • Perform internal network reconnaissance using built-in tools like nmap and dig
  • Use the LDAP service account to perform LDAP queries and move laterally within the network, including Active Directory servers, through SMB or RDP
  • Steal application cache database containing information associated with VPN sessions, session cookies, API keys, certificates, and credential material
  • Deploy a Python script named DRYHOOK to harvest credentials

Mandiant also cautioned that it’s possible multiple hacking groups are responsible for the creation and deployment of SPAWN, DRYHOOK, and PHASEJAM, but noted it doesn’t have enough data to accurately estimate the number of threat actors targeting the flaw.

In light of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-0282 to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by January 15, 2025. It’s also urging organizations to scan their environments for signs of compromise, and report any incident or anomalous activity.

Update

Ivanti is recommending the use of Integrity Checker Tool (ICT) to hunt for exploitation of CVE-2025-0282. If suspicious activity is identified, it’s advised to perform a factory reset on the appliance to remove the malware, and put it back into production using version 22.7R2.5.

It also reiterated that Policy Secure devices are not meant to be exposed to the internet. “The Ivanti Neurons ZTA gateways cannot be exploited when in production,” the company said. “If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway.”

Data from Censys shows that there are 33,219 exposed Ivanti Connect Secure instances, although not all of them are necessarily vulnerable. Most of the instances are located in the U.S., Japan, Germany, France, the U.K., Taiwan, Spain, the Netherlands, South Korea, and China.

Per the Shadowserver Foundation, there are 2,048 likely vulnerable instances worldwide as of January 9, 2024, with a majority of them in the U.S., France, Spain, the U.K., and Taiwan.

In a related development, cybersecurity company WatchTowr has released additional technical specifics about CVE-2025-0282, describing it as a “legit pre-authentication stack-based buffer overflow, present in the default configuration.”
