Ivanti has issued a warning regarding a zero-day vulnerability, tracked as CVE-2025-0282, in its widely used VPN appliances that has been exploited to compromise customer networks. The vulnerability can be exploited without authentication, allowing attackers to remotely plant malicious code on Ivanti’s Connect Secure, Policy Secure, and ZTA Gateways products.
UPDATE: Ivanti spokesperson’s statement was added (14.01.2025)
Ivanti warns of zero-day vulnerability in VPN appliances
Disclosed on Wednesday, the critical flaw impacts Ivanti Connect Secure, which is considered “the most widely adopted SSL VPN by organizations of every size, across every major industry.” The company became aware of the vulnerability when its Integrity Checker Tool (ICT) detected malicious activity on customer appliances. Ivanti acknowledges that it was aware of a “limited number of customers” whose appliances were compromised.
While a patch is available for Connect Secure, patches for Policy Secure and ZTA Gateways, which have not been confirmed as exploitable, are not expected until January 21. Ivanti also identified a second vulnerability, CVE-2025-0283, which has not yet been exploited.
Mandiant, an incident response firm, reported that it observed exploitation of CVE-2025-0282 as early as mid-December 2024. Although Mandiant has not definitively linked the vulnerabilities to a specific threat actor, it suspects involvement from a China-linked cyberespionage group tracked as UNC5337 and UNC5221. This group has previously exploited Ivanti vulnerabilities to carry out mass hacks against customers.
According to TechCrunch, Ben Harris, CEO of watchTowr Labs, noted widespread impact from the latest Ivanti VPN flaw, indicating that attacks demonstrate characteristics typical of an advanced persistent threat. The U.K.’s National Cyber Security Centre is also investigating active exploitation cases affecting networks in the U.K. Meanwhile, the U.S. cybersecurity agency CISA has added the vulnerability to its catalog of known exploited vulnerabilities.
An Ivanti spokesperson reached out to Dataconomy on 14.01.2025 and said, “Ivanti identified the compromise based on indications from the Integrity Checker Tool (“ICT”), and worked rapidly to identify the vulnerabilities and release a fix to customers within weeks for Ivanti Connect Secure, which is the only product where limited exploitation was observed. Patches for Ivanti Policy Secure and Ivanti Neurons ZTA Gateways, which have a significantly reduced risk of exploitation due to deployment practices, are scheduled for release on January 21, 2025. Ivanti confirmed that no exploitation of these products has been observed to date and has provided guidance to customers which reduces exploitation risk to near-zero.”
The spokesperson continued: “Ivanti, leading security firm Mandiant, CISA and other CERTs around the world recommend that customers follow the guidance outlined in Ivanti’s Security Advisory to ensure their systems are protected. Our customers remain our top priority and we are committed to continuously improving our products and processes through collaboration with our stakeholders and the broader security ecosystem, as the industry collectively navigates an increasingly aggressive threat landscape.”
Link to Chinese cyberspies
Mandiant linked the exploitation of CVE-2025-0282 to Chinese cyber actors, noting the use of a previously discovered malware family called Spawn. This toolkit includes various malicious tools such as an installer, a tunneler, and an SSH backdoor, all linked to espionage activities attributed to UNC5337.
In addition to Spawn, Mandiant identified two new malware families named DryHook and PhaseJam, which are currently not associated with any known threat group. The exploitation chain involves attackers sending requests to identify appliance software versions, then leveraging CVE-2025-0282 to gain access, disable security protections, and deploy additional malware.
Once compromised, the attackers used the PhaseJam dropper to create web shells on the connected devices. PhaseJam also modifies upgrade scripts to block actual updates. The Spawn toolkit, which is intended to persist across system upgrades, is also deployed along with the new malware families.
The primary goal of the attackers appears to be to steal sensitive information related to VPN sessions, API keys, and credentials by archiving databases on the affected appliances and staging this data for exfiltration. DryHook has been employed to capture user credentials during authentication processes.
Security experts recommend that system administrators perform a factory reset and upgrade to Ivanti Connect Secure version 22.7R2.5. This advisory is critical given that over 3,600 Ivanti Connect Secure (ICS) appliances were exposed online when the vulnerability was first announced; the number has since decreased to approximately 2,800, which still represents a significant risk.
Featured image credit: Kerem Gülen/Midjourney