- Ivanti discloses two security vulnerabilities, including one of critical severity
- One of the flaws was being exploited as a zero-day by a China-nexus threat actor
- Researchers uncovered never-before-seen malware deployed in the attack
Ivanti has warned customers about a critical vulnerability affecting its VPN appliances that is being actively exploited in the wild to drop malware.
In a security advisory, Ivanti said it recently disclosed two vulnerabilities — CVE-2025-0282 and CVE-2025-0283 — both of which affect Ivanti Connect Secure VPN appliances.
The former is the more dangerous of the two. It carries a CVSS score of 9.0 (critical) and is described as an unauthenticated stack-based buffer overflow, meaning it can be triggered before any login. “Successful exploitation can result in unauthorized remote code execution, leading to potential downstream compromise of a victim network,” the advisory read.
The second vulnerability, also a stack-based buffer overflow, comes with a 7.0 severity score (high); it requires a local authenticated attacker and allows privilege escalation rather than unauthenticated remote code execution.
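To make the difference between the two bug classes concrete, the following is an added, constructed illustration of an unauthenticated stack-based buffer overflow in a message parser, with a hardened version beside it. It is not Ivanti's code and is not derived from the actual CVE-2025-0282 bug; the message format (one length byte followed by a field), the field size and the function names are all assumptions made for the example.

```c
/*
 * Constructed illustration of the vulnerability class named in the advisory:
 * a stack-based buffer overflow reachable before authentication. This is
 * example code, NOT Ivanti's code, and the wire format, field size and
 * function names are assumptions for the demonstration.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define FIELD_MAX 32   /* assumed size of the fixed on-stack field */

/* Build a constructed test message: one length byte followed by the payload.
 * Returns the total message length, or 0 if it does not fit. */
size_t build_msg(unsigned char *buf, size_t buf_len, const char *payload)
{
    size_t n = strlen(payload);
    if (n > 255 || n + 1 > buf_len) return 0;
    buf[0] = (unsigned char)n;
    memcpy(buf + 1, payload, n);
    return n + 1;
}

/* Vulnerable pattern: the length byte is attacker-controlled and is only
 * checked against the message size, never against the destination buffer.
 * When len > FIELD_MAX the memcpy writes past 'field' on the stack,
 * overwriting saved registers and the return address. Nothing about the
 * caller has been authenticated at this point. */
int parse_field_unsafe(const unsigned char *msg, size_t msg_len)
{
    char field[FIELD_MAX];
    if (msg_len < 1) return -1;
    size_t len = msg[0];                 /* attacker-chosen, up to 255 */
    if (len > msg_len - 1) return -1;    /* message bound only */
    memcpy(field, msg + 1, len);         /* BUG: no check against FIELD_MAX */
    field[len < FIELD_MAX ? len : FIELD_MAX - 1] = '\0';
    return (int)len;
}

/* Hardened version: the caller supplies the destination and its size, and
 * the field length is validated against both the message and the buffer
 * (leaving room for the terminating NUL) before any copy happens. */
int parse_field_safe(const unsigned char *msg, size_t msg_len,
                     char *out, size_t out_len)
{
    if (msg_len < 1 || out_len == 0) return -1;
    size_t len = msg[0];
    if (len > msg_len - 1) return -1;    /* truncated message */
    if (len >= out_len) return -2;       /* would overflow the destination */
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    unsigned char msg[300];
    char out[FIELD_MAX];
    char big[201];
    memset(big, 'A', 200);
    big[200] = '\0';

    /* The hardened parser refuses a 200-byte field. The unsafe parser would
     * smash the stack on the same input, so it is deliberately not called. */
    size_t n = build_msg(msg, sizeof msg, big);
    printf("safe parser on 200-byte field: %d\n",
           parse_field_safe(msg, n, out, sizeof out));

    n = build_msg(msg, sizeof msg, "hello");
    printf("safe parser on 5-byte field: %d (%s)\n",
           parse_field_safe(msg, n, out, sizeof out), out);
    return 0;
}
```

The point of the pairing is the check that is missing in the first parser: bounding the copy by the size of the message is not the same as bounding it by the size of the destination, and a parser that runs before authentication turns that missing check into an unauthenticated remote code execution primitive.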
New malware installed
The company encouraged customers to apply the patch immediately, to run its Integrity Checker Tool (ICT) to look for signs of compromise before and after upgrading, and provided additional details about the threat actors and their tools.
In partnership with security researchers at Mandiant, Ivanti determined that the first vulnerability has been exploited in the wild as a zero-day, most likely by multiple threat actors.
In at least one of the compromised VPNs, Mandiant found the threat actors deploying the SPAWN ecosystem of malware (including the SPAWNANT installer, the SPAWNMOLE tunneler, and the SPAWNSNAIL SSH backdoor).
The group behind this attack was identified as UNC5221, a suspected China-nexus espionage group that has been active since at least December 2023.
UNC5221 has previously been linked to the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPN appliances, targeting organizations in the telecommunications, healthcare and public sectors. The group focuses on data exfiltration and espionage.
Mandiant has also seen the attackers deploy previously unseen malware, now tracked as DRYHOOK and PHASEJAM. It was unable to attribute these families to any known threat actor.
“It is possible that multiple actors are responsible for the creation and deployment of these various code families (ie SPAWN, DRYHOOK, and PHASEJAM), but at the time of publishing this report we do not have enough data to accurately assess the number of threat actors targeting CVE-2025-0282,” Mandiant said in its report.