Ivanti Connect Secure (ICS) VPN appliances are being targeted by advanced threat actors exploiting a newly disclosed zero-day vulnerability. According to a recent report by Mandiant, exploitation of CVE-2025-0282, an unauthenticated stack-based buffer overflow, began in mid-December 2024. Successful exploitation gives an attacker unauthenticated remote code execution on the appliance, from which entire networks can be compromised.
Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, on January 8, 2025. CVE-2025-0282 is the one under active exploitation. CVE-2025-0283 is a separate stack-based buffer overflow that allows a local authenticated attacker to escalate privileges, so it matters chiefly as a follow-on step once an attacker already has a foothold on the device. Because CVE-2025-0282 needs no credentials and lands code execution on an internet-facing gateway, a single exploited appliance can lead to downstream compromise of the victim network.
Mandiant’s analysis of compromised devices uncovered the deployment of both previously known and novel malware families, including the SPAWN ecosystem (e.g., SPAWNANT installer, SPAWNMOLE tunneler, and SPAWNSNAIL SSH backdoor) and new families like DRYHOOK and PHASEJAM. These tools provide attackers with persistent access, lateral movement capabilities, and data exfiltration functionality.
The report details an exploitation process with pre-exploitation reconnaissance followed by systematic steps to compromise ICS appliances:
- Before exploitation, attackers send repeated HTTP requests to the appliance, including requests associated with the Host Checker Launcher, to determine the target's exact version. Version detection matters because the exploit depends on the ICS version.
- After successful exploitation, they disable SELinux and block syslog forwarding to defeat on-box controls and off-box logging, then deploy PHASEJAM, which installs web shells for remote access.
PHASEJAM, a malicious script, modifies critical ICS files to block legitimate system upgrades and installs backdoors disguised as legitimate system processes. The report noted, “PHASEJAM inserts the web shell into the legitimate files getComponent.cgi and restAuth.cgi as a function named AccessAllow(). The web shell is Perl-based and provides the threat actor with remote access and code execution capabilities on the compromised ICS server.”
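The report names the two modified CGI files and the injected function, which is enough for a first-pass integrity sweep. The following is an added example and is not Ivanti's Integrity Checker Tool or anything from the Mandiant report. It assumes an offline copy of the appliance filesystem (for example a forensic disk image) mounted at a path you supply, and the two sample file contents are constructed stand-ins, not real ICS code.

```python
# Added example (not Ivanti's ICT and not Mandiant's tooling): a minimal
# file-integrity sweep for the PHASEJAM indicator described above. ICS does
# not expose a shell to customers, so this is meant to run on an analyst
# workstation over an offline copy of the appliance filesystem (mount path
# is an assumption you supply).
import hashlib
import re
from pathlib import Path
from typing import Optional

# The two CGI files the Mandiant report names as modified by PHASEJAM.
WATCHED_FILES = ("getComponent.cgi", "restAuth.cgi")

# PHASEJAM adds a Perl function named AccessAllow(); match its "sub"
# definition regardless of whitespace or a package-qualified name.
ACCESSALLOW_SUB = re.compile(rb"\bsub\s+(?:\w+::)*AccessAllow\s*[{(]")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of file contents, for comparison with a known-good baseline."""
    return hashlib.sha256(data).hexdigest()


def inspect_cgi(name: str, data: bytes, baseline_sha256: Optional[str] = None) -> dict:
    """Return findings for one CGI file's contents.

    Two independent checks: a signature match on the injected function name
    (cheap, but evadable by renaming) and a hash comparison against a baseline
    taken from a clean appliance of the same ICS version (robust to renaming,
    which is why vendor integrity checkers work this way).
    """
    findings = []
    m = ACCESSALLOW_SUB.search(data)
    if m:
        line_no = data[: m.start()].count(b"\n") + 1
        findings.append(f"injected AccessAllow() sub at line {line_no}")
    digest = sha256_hex(data)
    if baseline_sha256 is not None and digest != baseline_sha256:
        findings.append("sha256 differs from clean baseline")
    return {"file": name, "sha256": digest, "findings": findings}


def scan_tree(root: Path, baselines: dict) -> list:
    """Walk a mounted filesystem copy and inspect every watched CGI file found.

    baselines maps file name -> SHA-256 of the clean copy for this ICS version.
    """
    results = []
    for path in root.rglob("*"):
        if path.is_file() and path.name in WATCHED_FILES:
            results.append(inspect_cgi(str(path), path.read_bytes(), baselines.get(path.name)))
    return results


# Constructed sample contents (stand-ins, not real ICS files) so the example
# runs offline. The "infected" copy only carries the function name; the real
# web shell body is not reproduced here.
CLEAN_CGI = b"""#!/usr/bin/perl
use strict;
sub handle_request {
    my ($cgi) = @_;
    return render_component($cgi->param('component'));
}
handle_request();
"""

INFECTED_CGI = b"""#!/usr/bin/perl
use strict;
sub AccessAllow {
    my ($cgi) = @_;
    return 1;  # placeholder for the injected web shell logic
}
sub handle_request {
    my ($cgi) = @_;
    AccessAllow($cgi);
    return render_component($cgi->param('component'));
}
handle_request();
"""


def scan_samples() -> list:
    """Inspect both constructed samples against a baseline taken from the clean copy."""
    baseline = sha256_hex(CLEAN_CGI)
    return [
        inspect_cgi("clean/getComponent.cgi", CLEAN_CGI, baseline),
        inspect_cgi("suspect/getComponent.cgi", INFECTED_CGI, baseline),
    ]


if __name__ == "__main__":
    for r in scan_samples():
        status = "SUSPECT" if r["findings"] else "ok"
        print(f"{status:7} {r['file']} {r['sha256'][:12]} {'; '.join(r['findings'])}")
```

The string match is only a tripwire: an attacker who renames the function defeats it, so the hash comparison against a baseline from a clean appliance of the same version is the check that actually counts, and a finding on either should be followed by the vendor's ICT and a full forensic review rather than by simply deleting the function.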
Mandiant attributes the exploitation of CVE-2025-0282 with moderate confidence to UNC5337, a China-nexus espionage group suspected to be part of UNC5221. UNC5221 has a history of targeting ICS appliances, using advanced custom malware families such as SPAWNSNAIL and SPAWNMOLE. The report highlights, “UNC5337 then leveraged multiple custom malware families including the SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, SPAWNANT installer, and SPAWNSLOTH log tampering utility.”
Ivanti and Mandiant recommend immediate action to mitigate risks:
- Patch Immediately: Ivanti has released patches addressing the vulnerabilities. Customers should upgrade to version 22.7R2.5 or later.
- Run the Integrity Checker Tool (ICT): Ivanti advises running its ICT alongside other security monitoring. Prefer the external ICT scan where it is available, since a tool executed on an already compromised appliance can itself be tampered with, and treat a clean ICT result as necessary but not sufficient evidence.
- Perform Factory Resets: For compromised appliances, Ivanti recommends a full factory reset, followed by an upgrade to the patched version, before the device is returned to service.