Ivanti warns that another critical security hole is under attack
- Ivanti discovers two security vulnerabilities, including one of critical severity
- One of the flaws was abused as a zero-day by a suspected Chinese threat actor
- Researchers discovered that never-before-seen malware was used in the attack
Ivanti has alerted customers to a critical vulnerability affecting its VPN devices that is being actively exploited in the wild to drop malware.
In a security advisory, Ivanti said it recently discovered two vulnerabilities: CVE-2025-0282 and CVE-2025-0283, both of which impact Ivanti Connect Secure VPN devices.
The first seems the more dangerous of the two. It is given a severity score of 9.0 (critical) and is described as an unauthenticated stack-based buffer overflow. “Successful exploitation could result in remote unauthenticated code execution, leading to potential downstream compromise of a victim network,” it said.
The second vulnerability, also a stack-based buffer overflow, has a severity score of 7.0 (high).
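Both flaws are stack-based buffer overflows, and the first one is reachable before authentication. The page does not describe the affected function in Connect Secure, so the program below is a generic illustration of the bug class added here as an example; it is not Ivanti's code. It stands in for a request handler that copies a client-supplied field into a fixed-size local buffer: the unchecked copy trusts the attacker's length and runs over the control value that follows the buffer, while the checked copy bounds the write by the destination size and rejects input that does not fit. The 16-byte buffer, the sentinel value and the "AAAA...BBBB" payload are constructed for the demonstration; the "frame" is simulated as one array so the clobbering is deterministic and the program itself never writes out of bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame: a 16-byte local buffer followed by a 4-byte
 * control value (standing in for a saved return address or a privilege
 * flag). Both live in one array so the clobbering is deterministic and
 * the program never writes out of bounds on the host. Sizes are chosen
 * for illustration; they are not Ivanti's. */
#define BUF_SIZE 16
#define FRAME_SIZE (BUF_SIZE + 4)
#define CONTROL_SENTINEL 0xAAAAAAAAu

struct sim_frame {
    unsigned char bytes[FRAME_SIZE];
};

static void frame_init(struct sim_frame *f)
{
    uint32_t s = CONTROL_SENTINEL;
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + BUF_SIZE, &s, sizeof s);
}

static uint32_t frame_control(const struct sim_frame *f)
{
    uint32_t v;
    memcpy(&v, f->bytes + BUF_SIZE, sizeof v);
    return v;
}

/* Vulnerable pattern: the length comes from the request, not from the
 * buffer, so anything longer than BUF_SIZE runs into whatever follows. */
static void copy_field_vulnerable(struct sim_frame *f,
                                  const unsigned char *src, size_t n)
{
    /* A real overflow has no stop; this cap only keeps the simulation
     * inside its own array. */
    if (n > FRAME_SIZE)
        n = FRAME_SIZE;
    for (size_t i = 0; i < n; i++)
        f->bytes[i] = src[i];
}

/* Hardened pattern: the bound is the destination size, and input that
 * does not fit (including room for the terminating NUL) is rejected. */
static int copy_field_checked(struct sim_frame *f,
                              const unsigned char *src, size_t n)
{
    if (n >= BUF_SIZE)
        return -1;
    memcpy(f->bytes, src, n);
    f->bytes[n] = '\0';
    return 0;
}

/* Constructed attacker input: 16 bytes of filler, then 4 bytes that land
 * exactly on the control value. */
const unsigned char ATTACK_PAYLOAD[] = "AAAAAAAAAAAAAAAABBBB";
#define ATTACK_LEN 20

/* Control value after the unchecked copy (0x42424242 for the payload). */
uint32_t control_after_vulnerable_copy(const unsigned char *src, size_t n)
{
    struct sim_frame f;
    frame_init(&f);
    copy_field_vulnerable(&f, src, n);
    return frame_control(&f);
}

/* Return code of the checked copy: 0 on success, -1 if rejected. */
int checked_copy_result(const unsigned char *src, size_t n)
{
    struct sim_frame f;
    frame_init(&f);
    return copy_field_checked(&f, src, n);
}

/* Control value after the checked copy (sentinel survives either way). */
uint32_t control_after_checked_copy(const unsigned char *src, size_t n)
{
    struct sim_frame f;
    frame_init(&f);
    copy_field_checked(&f, src, n);
    return frame_control(&f);
}

int main(void)
{
    printf("unchecked copy: control = 0x%08x (sentinel 0x%08x)\n",
           control_after_vulnerable_copy(ATTACK_PAYLOAD, ATTACK_LEN),
           CONTROL_SENTINEL);
    printf("checked copy:   rc = %d, control = 0x%08x\n",
           checked_copy_result(ATTACK_PAYLOAD, ATTACK_LEN),
           control_after_checked_copy(ATTACK_PAYLOAD, ATTACK_LEN));
    return 0;
}
```

The checked variant uses `n >= BUF_SIZE` rather than `n > BUF_SIZE` so that the terminator always fits; an off-by-one there is itself a classic overflow. On a real appliance the overwritten word would be a saved return address, which is why an unauthenticated overflow of this kind is rated as remote code execution rather than a crash.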
New malware deployed
The company urged customers to apply the patch immediately and provided further details about the threat actors and their tools.
In collaboration with security researchers from Mandiant, Ivanti determined that the first vulnerability has been exploited in the wild as a zero-day, most likely by multiple threat actors.
In at least one of the compromised VPNs, Mandiant found the threat actors deploying the SPAWN ecosystem of malware (including the SPAWNANT installer, the SPAWNMOLE tunneler, and the SPAWNSNAIL SSH backdoor).
The group behind this attack was identified as UNC5221, a suspected Chinese espionage group that has been active since at least December 2023.
In the past, UNC5221 has been associated with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPN devices, targeting telecommunications, healthcare, and public sector organizations. The group focuses on data exfiltration and espionage.
Mandiant has also seen attackers drop previously unseen malware, now tracked as DRYHOOK and PHASEJAM. It could not attribute these families to a known threat actor.
“It is possible that multiple actors are responsible for the creation and deployment of these different code families (i.e. SPAWN, DRYHOOK, and PHASEJAM), but at the time of publishing this report we do not have sufficient data to accurately assess the number of threat actors targeting CVE-2025-0282,” the report said.