New zero-day exploit targets Ivanti VPN product
A year after a series of vulnerabilities impacting a pair of Ivanti VPN products prompted an emergency directive from the Cybersecurity and Infrastructure Security Agency to federal agencies, the Utah-based software firm is again experiencing issues with one of its signature systems.
The company on Wednesday disclosed two vulnerabilities — CVE-2025-0282 and CVE-2025-0283 — that were affecting Ivanti Connect Secure (ICS) appliances. Mandiant, enlisted by Ivanti in the investigation and analysis of the vulnerabilities, said in a blog post that it had discovered zero-day exploitation of CVE-2025-0282 in the wild starting in mid-December of last year.
That particular vulnerability, the Google Cloud-owned security firm noted, “is an unauthenticated stack-based buffer overflow.” If successfully exploited, unauthenticated remote code execution is possible, which could lead to “potential downstream compromise of a victim network.”
Ivanti, which is working to address the issues in concert with Mandiant as well as impacted customers, government partners and security vendors, was able to identify the compromise thanks to some commercial security monitoring tools and its Integrity Checker Tool.
In February 2024, CISA and several intelligence partners issued an advisory saying that the Integrity Checker Tool was “not sufficient” in detecting compromises, a charge that Ivanti strongly disputed. That advisory followed the January 2024 emergency directive from CISA regarding vulnerabilities in Ivanti’s VPN products, as well as subsequent instructions from the cyber agency on how to update the affected devices and bring them back online, which came in the wake of reports that the vulnerable devices were being targeted by Chinese espionage operations.
On Thursday, CISA added the latest vulnerability to its Known Exploited Vulnerability (KEV) catalog.
For the current vulnerabilities plaguing Ivanti’s products, the company has released patches and urged customers to secure their systems via instructions in its security advisory.
In the Wednesday blog post, Mandiant researchers said their analysis found signs of SPAWN in infected systems, noting that the deployment of that malware ecosystem has been attributed to the China-linked UNC5337, a group believed to be part of UNC5221.
Other malware families observed by Mandiant in compromised Ivanti systems include DRYHOOK and PHASEJAM, neither of which is currently linked to a specific threat group.
“Mandiant assesses that defenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access,” the firm’s researchers concluded. “Additionally, if proof-of-concept exploits for CVE-2025-0282 are created and released, Mandiant assesses it is likely additional threat actors may attempt targeting Ivanti Connect Secure appliances.”
A spokesperson for Ivanti said in an email to CyberScoop that the company has “worked in close collaboration with Mandiant on the analysis of the recently disclosed vulnerabilities to ensure the accuracy of the findings and in order to provide customers with the most comprehensive guidance possible. We remain committed to prioritizing our customers and continuously improving our products and processes through collaboration with our partners and the broader security ecosystem.”
This story was updated Jan. 9, 2025, with a comment from an Ivanti spokesperson.