Analysis Summary

Ivanti is alerting users that starting in mid-December 2024, a serious security vulnerability affecting the Ivanti Connect Secure, Policy Secure, and ZTA Gateways has been actively exploited in the wild. Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 are all susceptible to the stack-based buffer overflow known as CVE-2025-0282 (CVSS score: 9.0).

If CVE-2025-0282 is successfully exploited, unauthenticated remote code execution may result. The Integrity Checker Tool (ICT) detected threat actor activity the same day it happened, allowing Ivanti to react quickly and create a solution. Another high-severity vulnerability (CVE-2025-0283, CVSS score: 7.0) that permits a locally authenticated attacker to escalate their privileges has also been addressed by the organization. The following versions are affected by the vulnerabilities fixed in version 22.7R2.5.

Ivanti has admitted to knowing about a small number of consumers whose appliances have been taken advantage of because of CVE-2025-0282. As of right now, there is no proof that CVE-2025-0283 is being used as a weapon. In a report outlining its study into attacks that used CVE-2025-0282, Google-owned Mandiant claimed to have seen the spread of the SPAWN ecosystem of malware on numerous infected computers belonging to various businesses. A China-nexus threat actor known as UNC5337 deemed a medium-confident member of UNC5221, has been implicated in the use of SPAWN.

Additionally, the attacks have resulted in the installation of malware families known as DRYHOOK and PHASEJAM that were not previously known. There is no known threat actor or group associated with any strain. According to the cybersecurity firm, exploiting CVE-2025-0282 involves a sequence of actions that include disabling SELinux, stopping syslog forwarding, remounting the drive as read-write, executing scripts to drop web shells, using sed to eliminate particular log entries from the application and debug logs, re-enabling SELinux, and remounting the drive.

The web shell may upload arbitrary files to the compromised device, read and send file contents, decode shell commands, and exfiltrate the results of the command execution back to the attacker. The deliberate deletion of log entries, kernel messages, crash traces, certificate processing problems, and command history provides evidence that a highly skilled threat actor carried out the assault.

By secretly preventing valid updates to the Ivanti appliance by displaying a phony HTML upgrade progress bar, PHASEJAM further demonstrates persistence. However, by controlling the execution flow of dspkginstall, a program utilized during the system update process, SPAWNANT, the installer component linked to the SPAWN malware framework, can survive system upgrades. Mandiant claimed to have seen several open-source and publicly accessible tunneling tools, such as SPAWNMOLE, to help the compromised appliance communicate with the threat actor's command-and-control (C2) system.

Mandiant also warned that several threat groups may have carried out the development and implementation of SPAWN, DRYHOOK, and PHASEJAM, but it pointed out that it has sufficient information to determine the precise number of threat actors aiming for the vulnerability. CVE-2025-0282 has been added to the Known Exploited Vulnerabilities (KEV) database by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) due to active exploitation, and federal agencies must implement the patches by January 15, 2025. Additionally, it advises enterprises to report any incidents or unusual activity and to look for indications of compromise in their surroundings.

Impact

• Code Execution
• Unauthorized Access
• Privilege Escalation
• Data Exfiltration

Indicators of Compromise

CVE

• CVE-2025-0282
• CVE-2025-0283

Affected Vendors

Remediation

• Refer to Ivanti Security Advisory for patch, upgrade, or suggested workaround information.
• Organizations must test their assets for the vulnerabilities mentioned above and apply the available security patch or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.