Ivanti has issued a warning regarding a zero-day vulnerability, tracked as CVE-2025-0282, in its widely used VPN appliances that has been exploited to compromise customer networks. The vulnerability can be exploited without authentication, allowing attackers to remotely plant malicious code on Ivanti’s Connect Secure, Policy Secure, and ZTA Gateways products.
Ivanti warns of zero-day vulnerability in VPN appliances
Disclosed on Wednesday, the critical flaw impacts Ivanti Connect Secure, which is considered “the most widely adopted SSL VPN by organizations of every size, across every major industry.” The company became aware of the vulnerability when its Integrity Checker Tool (ICT) detected malicious activity on customer appliances. Ivanti acknowledges that it was aware of a “limited number of customers” whose appliances were compromised.
While a patch is available for Connect Secure, patches for Policy Secure and ZTA Gateways, which have not been confirmed as exploitable, are not expected until January 21. Ivanti also identified a second vulnerability, CVE-2025-0283, which has not yet been exploited.
Mandiant, an incident response firm, reported that it observed exploitation of CVE-2025-0282 as early as mid-December 2024. Although Mandiant has not definitively attributed the activity to a specific threat actor, it suspects a China-linked cyberespionage group tracked as UNC5337 and UNC5221, which has previously exploited Ivanti vulnerabilities to carry out mass hacks against customers.
According to TechCrunch, Ben Harris, CEO of watchTowr Labs, noted widespread impact from the latest Ivanti VPN flaw, indicating that attacks demonstrate characteristics typical of an advanced persistent threat. The U.K.’s National Cyber Security Centre is also investigating active exploitation cases affecting networks in the U.K. Meanwhile, the U.S. cybersecurity agency CISA has added the vulnerability to its catalog of known exploited vulnerabilities.
Link to Chinese cyberspies
Mandiant linked the exploitation of CVE-2025-0282 to Chinese cyber actors, noting the use of a previously discovered malware family called Spawn. This toolkit includes various malicious tools such as an installer, a tunneler, and an SSH backdoor, all linked to espionage activities attributed to UNC5337.
In addition to Spawn, Mandiant identified two new malware families named DryHook and PhaseJam, which are currently not associated with any known threat group. The exploitation chain involves attackers sending requests to identify appliance software versions, then leveraging CVE-2025-0282 to gain access, disable security protections, and deploy additional malware.
Once compromised, the attackers used the PhaseJam dropper to create web shells on the connected devices. PhaseJam also modifies upgrade scripts to block actual updates. The Spawn toolkit, which is intended to persist across system upgrades, is also deployed along with the new malware families.
The primary goal of the attackers appears to be to steal sensitive information related to VPN sessions, API keys, and credentials by archiving databases on the affected appliances and staging this data for exfiltration. DryHook has been employed to capture user credentials during authentication processes.
Security experts recommend that system administrators perform a factory reset and upgrade to Ivanti Connect Secure version 22.7R2.5. The advisory is critical: over 3,600 ICS appliances were exposed online when the initial vulnerability was announced, and although that number has since fallen to approximately 2,800, the risk remains significant.
Featured image credit: Kerem Gülen/Midjourney