Management software maker Ivanti continues to struggle with security flaws in its products – this week announcing two more vulnerabilities on appliances – and a China-linked threat group known for cyber-spying may be exploiting one of the bugs.
Ivanti this week issued a notice about the vulnerabilities, saying that one of the flaws – tracked as CVE-2025-0282 – was being exploited in the wild, with a “limited number” of customers using Ivanti’s Connect Secure VPN appliances being targeted. The bugs affect Ivanti’s Connect Secure, Policy Secure and ZTA Gateways, which are used in the networks of both commercial companies and government agencies.
In their own report, threat intelligence researchers with Google’s Mandiant cybersecurity business wrote that, based on some of the malware found on the infected devices, Chinese threat groups UNC5337 and UNC5221 are likely behind the attacks exploiting the vulnerability.
The researchers, who are working with Ivanti on the most recent vulnerabilities, also warned that attacks exploiting the security flaw likely will expand, particularly if proof-of-concept (POC) exploits are developed.
“Mandiant assesses that defenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access,” they wrote, noting that the exploitation began in mid-December. “Additionally, if proof-of-concept exploits for CVE-2025-0282 are created and released, Mandiant assesses it is likely additional threat actors may attempt targeting Ivanti Connect Secure appliances.”
Ivanti for more than a year has been plagued by security flaws – some of which have been exploited by Chinese espionage gangs, including UNC5337, the larger group it is part of, UNC5221, and the high-profile Volt Typhoon – to the point that CEO Jeff Abbott, in an open letter to the industry, partners, and customers in April 2024, promised an overhaul of the company’s security operations.
However, the vulnerabilities continue to crop up.
In at least one of the Ivanti appliances being analyzed, Mandiant researchers found malware from the SPAWN family, which includes the SPAWNANT installer, SPAWNMOLE tunneler, and SPAWNSNAIL SSH backdoor, which led them to assess with moderate confidence that UNC5337 and UNC5221 are launching the attacks.
There also were two previously unobserved malware families on other compromised appliances – DRYHOOK and PHASEJAM, a dropper – that have yet to be linked to a threat group, they wrote.
After exploiting the vulnerability, the attackers establish persistence on the Ivanti appliance and move through the victim’s network. Mandiant found multiple publicly available and open source tunnelers that open communication channels between the compromised appliances and the bad actor’s command-and-control (C2) infrastructure. The tunnelers let the attackers evade network security controls and could further enable lateral movement through the victim’s environment.
The attackers also used several tools to run internal reconnaissance on the network and used the LDAP service account to run LDAP requests for information from the directory service. They also used the LDAP service account to move laterally through the network, including to Microsoft Active Directory servers, via Server Message Block (SMB) and Remote Desktop Protocol (RDP).
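The lateral-movement pattern described above has a simple detection angle: an appliance’s LDAP service account should only ever perform network logons from the appliance to the directory servers it binds to, so the same account showing up in RDP logons, logons from other sources, or logons to other hosts is worth alerting on. The following is an added example, not code from the article, Mandiant or Ivanti; the account name, host names, addresses and the event records are constructed placeholders modelled on Windows 4624 logon fields.

```python
from dataclasses import dataclass

NETWORK_LOGON = 3   # 4624 logon type 3: network (SMB, LDAP binds)
RDP_LOGON = 10      # 4624 logon type 10: RemoteInteractive (RDP)


@dataclass(frozen=True)
class Logon:
    account: str
    logon_type: int
    src_ip: str
    target_host: str


def suspicious_service_logons(events, service_account, appliance_ips, ldap_servers):
    """Return (event, reasons) pairs for logons by the LDAP service account
    that fall outside its baseline. Baseline (assumption): the account only
    performs type-3 logons from the appliance to the directory servers."""
    flagged = []
    for ev in events:
        if ev.account.lower() != service_account.lower():
            continue
        reasons = []
        if ev.logon_type == RDP_LOGON:
            reasons.append("rdp logon by service account")
        elif ev.logon_type != NETWORK_LOGON:
            reasons.append(f"unexpected logon type {ev.logon_type}")
        if ev.src_ip not in appliance_ips:
            reasons.append(f"unexpected source {ev.src_ip}")
        if ev.target_host not in ldap_servers:
            reasons.append(f"unexpected target {ev.target_host}")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample events; names and addresses are placeholders.
SAMPLE_EVENTS = [
    Logon("svc-vpn-ldap", 3, "10.10.0.5", "DC01"),       # baseline LDAP bind
    Logon("svc-vpn-ldap", 3, "10.10.0.5", "FILESRV01"),  # SMB to a non-directory host
    Logon("svc-vpn-ldap", 10, "10.10.0.5", "DC01"),      # RDP with the service account
    Logon("svc-vpn-ldap", 3, "10.10.50.23", "DC01"),     # same account, other source
    Logon("jdoe", 10, "10.10.50.23", "WS042"),           # unrelated user, ignored
]

if __name__ == "__main__":
    hits = suspicious_service_logons(SAMPLE_EVENTS, "svc-vpn-ldap", {"10.10.0.5"}, {"DC01"})
    for ev, reasons in hits:
        print(ev, "->", "; ".join(reasons))
```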
Other post-exploitation actions included “archiving the database cache on a compromised appliance and staging the archived data in a directory served by the public-facing web server to enable exfiltration of the database,” the researchers wrote. “The database cache may contain information associated with VPN sessions, session cookies, API keys, certificates, and credential material.”
DRYHOOK, a Python script, was used to steal credentials by modifying a system component in the Ivanti Connect Secure environment.
Ivanti customers can use the Integrity Checker Tool to determine whether their appliances have been compromised and, if not, can upgrade to the latest software version. If an appliance has been exploited, they will have to perform a factory reset on the device to ensure the malware is removed.
There is a patch available now for Connect Secure appliances, but fixes for Policy Secure and ZTA Gateway are set to be released January 21.
According to Ivanti, the CVE-2025-0282 vulnerability has been exploited in Connect Secure appliances, but it hasn’t seen either of the new flaws being exploited in Ivanti Policy Secure or ZTA Gateways. There also is no evidence that CVE-2025-0283, the other flaw found, had been exploited at the time of disclosure.
News of the additional Ivanti vulnerabilities is traveling fast through countries around the world, including the UK, where the National Cyber Security Centre issued its own advisory, while CISA added CVE-2025-0282 to its catalog of vulnerabilities known to be exploited.