Ivanti Flaw CVE-2025-0282 Actively Exploited, Impacts Connect Secure and Policy Secure

Ivanti has issued a warning about a critical security vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways that has been actively exploited since mid-December 2024.

The specific security flaw, known as CVE-2025-0282 with a CVSS score of 9.0, is a stack-based buffer overflow that impacts Ivanti Connect Secure versions before 22.7R2.5, Ivanti Policy Secure versions before 22.7R1.2, and Ivanti Neurons for ZTA gateways versions before 22.7R2.3.

“Successful exploitation of CVE-2025-0282 could result in unauthenticated remote code execution,” Ivanti said in its advisory. The company says it identified the threat actor activity through its Integrity Checker Tool (ICT) and, on the same day, began work on a fix, which it released promptly.

Ivanti has also patched a second high-severity vulnerability (CVE-2025-0283, CVSS score: 7.0) that allows a locally authenticated attacker to escalate privileges. Both flaws, addressed in version 22.7R2.5, affect multiple versions of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways.

Ivanti has acknowledged the exploitation of a “limited number of customers” due to CVE-2025-0282, with no current evidence of CVE-2025-0283 being weaponized.

Google-owned Mandiant, which conducted an investigation into the attacks exploiting CVE-2025-0282, reported the deployment of the SPAWN ecosystem of malware. The usage of SPAWN has been linked to a China-based threat actor known as UNC5337, associated with UNC5221 with medium confidence.

The attacks have also led to the installation of previously unknown malware families named DRYHOOK and PHASEJAM, not attributed to any known threat actor or group.

Post-exploitation activities involve a series of steps including disabling SELinux, preventing syslog forwarding, executing scripts to drop web shells, and establishing persistence through various means.

Mandiant researchers explained that PHASEJAM inserts a web shell into specific files, blocks system upgrades, and overwrites executables to execute arbitrary commands, among other functions.

The web shell enables the decoding of commands, exfiltration of results, file uploads, and reading/transmitting file contents back to the attacker, showcasing a sophisticated threat actor behind the attack.

Further activities post-exploitation include network reconnaissance, LDAP queries, credential harvesting, and deployment of scripts to collect sensitive information.

Mandiant noted the possibility of multiple threat actors involved in the creation and deployment of SPAWN, DRYHOOK, and PHASEJAM, emphasizing the need for organizations to scan for compromises and report any suspicious activities.

In response to the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-0282 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by a set deadline.
