Ivanti's remote access devices are in the crosshairs again: a threat actor of suspected Chinese origin has been reported exploiting a fresh vulnerability in Ivanti appliances. This follows a string of high-profile security issues in Ivanti products over the past year, from a critical authentication bypass in Virtual Traffic Manager (vTM) to SQL injection bugs in Endpoint Manager.
The cycle began in January of last year, when serious flaws were discovered in Ivanti's Connect Secure (ICS) and Policy Secure gateways and were promptly exploited by UNC5337, a suspected China-nexus group believed to be part of UNC5221. Despite the secure-by-design commitments Ivanti made after that episode, the company is now dealing with a new critical vulnerability affecting ICS, Policy Secure and Neurons for Zero Trust Access (ZTA) gateways. Ivanti has also disclosed a second, less severe bug alongside it, which has not been observed in active exploitation so far.
The sophistication of these actors has not gone unnoticed. Arctic Wolf CISO Adam Marrè has emphasized the challenges of secure engineering in the face of evolving cyber threats, and the new bug illustrates the point: despite Ivanti's efforts to harden its products, attackers keep finding exploitable memory-safety defects, the latest being a stack-based buffer overflow in ICS, Policy Secure and Neurons for ZTA gateways.
That overflow, tracked as CVE-2025-0282, is being exploited by actors deploying malware associated with UNC5337, which underscores the persistent threat to Ivanti devices. The tooling shows a deep understanding of Connect Secure appliances: the SPAWN family seen on compromised devices includes SpawnAnt (the installer that survives upgrades), SpawnMole (a tunneler), SpawnSnail (an SSH backdoor) and SpawnSloth (which tampers with device logs to hide the rest).
In response, Ivanti and government cybersecurity authorities have urged network defenders to apply the patches immediately and to run Ivanti's Integrity Checker Tool (ICT) to look for signs of compromise. Patching alone does not evict an implant that is already on the box, so Ivanti's guidance is to factory reset any appliance whose ICT scan shows compromise before upgrading it. The potential impact is significant, with reports indicating thousands of internet-exposed ICS instances globally.
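Triage starts with knowing which appliances are on a vulnerable build. The following is an added example written for this page, not code from Ivanti or from the article, that parses Ivanti's `MAJOR.MINORrRELEASE.PATCH` version strings and sorts an inventory into "patch now", "patched" and "review". The affected range (ICS 22.7R2 through 22.7R2.4) and the fixed build (22.7R2.5) are taken from Ivanti's January 2025 advisory for CVE-2025-0282 as recalled here and apply to Connect Secure only; the inventory is constructed sample data. Verify the ranges against the current advisory before relying on them, and treat a "patched" result as exposure information only, since it says nothing about whether the device was compromised before the upgrade; that is what the ICT run is for.

```python
import re
from typing import NamedTuple


class IvantiVersion(NamedTuple):
    """Comparable form of an Ivanti build string such as '22.7R2.4'."""
    major: int
    minor: int
    release: int
    patch: int


# Ivanti builds look like 22.7R2.4 or 9.1R18.9; the trailing .PATCH is optional (22.7R2 == 22.7R2.0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> IvantiVersion:
    """Parse an Ivanti version string; raises ValueError on anything that does not fit the pattern."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return IvantiVersion(int(major), int(minor), int(release), int(patch or 0))


# Affected and fixed ICS builds for CVE-2025-0282, per Ivanti's January 2025 advisory as recalled
# by the editor (assumption: re-check the advisory; Policy Secure and ZTA have their own numbers).
AFFECTED_MIN = parse_version("22.7R2")
AFFECTED_MAX = parse_version("22.7R2.4")
FIXED = parse_version("22.7R2.5")


def is_vulnerable(version: str) -> bool:
    """True if the build falls inside the advisory's affected range."""
    v = parse_version(version)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket hostname -> version pairs into patch_now / patched / review.

    'review' catches builds outside the advisory's range on either side (for example an
    older, likely unsupported release line) that need a human decision rather than a
    false sense of safety.
    """
    out: dict[str, list[str]] = {"patch_now": [], "patched": [], "review": []}
    for host, ver in sorted(inventory.items()):
        v = parse_version(ver)
        if AFFECTED_MIN <= v <= AFFECTED_MAX:
            out["patch_now"].append(host)
        elif v >= FIXED:
            out["patched"].append(host)
        else:
            out["review"].append(host)
    return out


# Constructed sample inventory (hostnames and builds are made up for this example).
SAMPLE_INVENTORY = {
    "vpn-hq-1": "22.7R2.4",
    "vpn-hq-2": "22.7R2.5",
    "vpn-branch-1": "22.7R2",
    "vpn-legacy": "22.6R2.3",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

Feed it the output of your asset inventory rather than the sample, and keep the "review" bucket in view: a build older than the affected range is not a pass, it is usually an appliance that fell off the supported track.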
As organizations scramble to patch, the lesson is the familiar one: fixes only help when they are applied quickly and followed by a check that the device was not already compromised. Patches are rolling out, but security teams still need to watch these gateways closely, since defenders' diligence is what limits the damage an exploited edge device can do to the rest of the network.