
Chinese threat actors are again targeting Ivanti remote access devices on a large scale.

Ivanti appliances suffered numerous high-profile vulnerabilities in 2024. These included a critical authentication bypass in its Virtual Traffic Manager (vTM), a SQL injection flaw in its Endpoint Manager, three vulnerabilities impacting its Cloud Services Appliance (CSA), critical issues with its Standalone Sentry and Neurons for IT Service Management (ITSM), and many more.

The issues began in January 2024 with the disclosure of two serious vulnerabilities in Ivanti’s Connect Secure (ICS) and Policy Secure gateways. At the time of disclosure, a suspected China-nexus threat actor, UNC5337, believed to be part of UNC5221, was already exploiting these flaws.

A year later, and despite a “secure-by-design” commitment made in the interim, Ivanti faces renewed attacks. A new critical vulnerability in ICS also affects Policy Secure and Neurons for Zero Trust Access (ZTA) gateways. Ivanti also warned of a second, less severe vulnerability that has not yet been seen exploited.

Arctic Wolf CISO Adam Marrè defends Ivanti, stating that frequent vulnerabilities don’t indicate easy exploitation. He emphasizes the complexity of secure engineering and the constant evolution of attack techniques.

CVE-2025-0283, a stack-based buffer overflow in ICS (prior to 22.7R2.5), Policy Secure (prior to 22.7R1.2), and Neurons for ZTA gateways (prior to 22.7R2.3), has not been observed in attacks yet. This “high” severity (CVSS 7.0) flaw allows a local, already-authenticated attacker to escalate privileges, which limits its usefulness as an initial access vector.

CVE-2025-0282, rated “critical” (CVSS 9.0), is also a stack-based buffer overflow, but it enables unauthenticated remote code execution as root. Ivanti provided limited technical details, but watchTowr researchers reconstructed a working exploit by diffing the patched and unpatched ICS builds.
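The fixed builds quoted above are the only reliable way to triage an Ivanti fleet before running Ivanti's Integrity Checker Tool. Ivanti version strings ("22.7R2.5", "9.1R18.9") do not sort correctly as plain strings, so the added example below, which is not code from the article, Ivanti or Mandiant, parses them into comparable tuples and flags every appliance in a constructed inventory that is below the fixed version for its product. It assumes the same fixed builds apply to both CVE-2025-0282 and CVE-2025-0283 (the article describes a single patch release) and treats "prior to" literally, as the article phrases it; hostnames and versions in the inventory are made up for illustration.

```python
import re

# Fixed builds per product, as quoted in the article for CVE-2025-0283 and
# assumed (see lead-in) to cover CVE-2025-0282 in the same patch release.
FIXED_VERSIONS = {
    "Connect Secure": "22.7R2.5",
    "Policy Secure": "22.7R1.2",
    "Neurons for ZTA gateways": "22.7R2.3",
}

# Ivanti format: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5 or 9.1R18.9.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn an Ivanti version string into a tuple that compares numerically.

    A missing patch number (e.g. "22.7R2") is treated as patch 0, so it sorts
    below "22.7R2.1". Raises ValueError for strings that are not in the
    expected format, so callers cannot silently mark junk as 'patched'.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True if `version` is strictly older than the fixed build for `product`."""
    fixed = FIXED_VERSIONS[product]  # KeyError for products not in the advisory
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Split an inventory of (host, product, version) into vulnerable and
    unparseable entries. Entries that parse and are at or above the fixed
    build are dropped as patched."""
    vulnerable, unknown = [], []
    for host, product, version in inventory:
        try:
            if is_vulnerable(product, version):
                vulnerable.append((host, product, version))
        except ValueError:
            # Never assume an unreadable version is safe; surface it for a human.
            unknown.append((host, product, version))
    return vulnerable, unknown


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("vpn-01.example.test", "Connect Secure", "22.7R2.4"),
    ("vpn-02.example.test", "Connect Secure", "22.7R2.5"),
    ("vpn-03.example.test", "Connect Secure", "22.7R2"),
    ("nac-01.example.test", "Policy Secure", "22.7R1.1"),
    ("zta-gw-01.example.test", "Neurons for ZTA gateways", "22.7R2.3"),
    ("vpn-04.example.test", "Connect Secure", "22.7-R2"),  # malformed on purpose
]

if __name__ == "__main__":
    vuln, unk = triage(SAMPLE_INVENTORY)
    for host, product, version in vuln:
        print(f"VULNERABLE  {host:24} {product:26} {version}")
    for host, product, version in unk:
        print(f"CHECK-MANUALLY {host:21} {product:26} {version!r}")
```

A version below the fixed build only tells you the device is exposed, not whether it was already hit; the article's point about mid-December exploitation means any device that was exposed before patching still needs an ICT run and a log review.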

Mandiant reports that a threat actor began exploiting CVE-2025-0282 in mid-December 2024, deploying the “Spawn” malware family already linked to UNC5337’s earlier Ivanti intrusions. This family includes SpawnAnt (installer), SpawnMole (tunneler), SpawnSnail (SSH backdoor), and SpawnSloth (log tampering).

Mandiant senior consultant Matt Lin highlights the threat actor’s deep understanding of Ivanti Connect Secure. Alongside UNC5337’s tooling, researchers found two malware families with no previous attribution: DryHook (credential harvesting) and PhaseJam (command execution that also blocks legitimate upgrades while displaying a fake update progress). Mandiant says these could belong to UNC5337 or to a separate actor.

Over 2,000 Internet-exposed ICS instances, mostly in the US, France, and Spain, were potentially vulnerable according to The ShadowServer Foundation. Ivanti and CISA released mitigation instructions for CVE-2025-0282, urging immediate patching and use of Ivanti’s Integrity Checker Tool (ICT) to detect compromise, since a patch alone does not evict an attacker who is already on the device.

An Ivanti spokesperson confirmed the patch release and described exploitation as limited, crediting the ICT with enabling rapid response, and emphasized continuous monitoring and layered security. Patches for Policy Secure and ZTA gateways are not due until January 21st. Ivanti argues that ZTA gateways cannot be exploited while connected to a controller in production, and that Policy Secure is not intended to be Internet-facing, which reduces the risk of exploitation in the meantime.

Marrè stresses the importance of timely patching despite potential downtime. Lin points to the difference in impact between organizations that responded promptly and those that delayed, while acknowledging the difficulty security teams face in assessing vulnerabilities, patching, and responding to incidents at the same time.
