On January 8, 2025, Ivanti announced two critical vulnerabilities impacting its Connect Secure (ICS) VPN appliances: CVE-2025-0282 and CVE-2025-0283. Notably, CVE-2025-0282 has been actively exploited in the wild since mid-December 2024. This vulnerability, an unauthenticated stack-based buffer overflow, allows remote code execution without authentication, posing a serious risk of further network compromise.
Discovery and Response
Affected customers initially identified compromises through Ivanti’s Integrity Checker Tool (ICT) and other security solutions. Ivanti has released patches addressing these vulnerabilities. Organizations using ICS appliances are strongly advised to apply these patches and follow Ivanti’s Security Advisory to safeguard their systems.
Mandiant has been analyzing compromised devices across multiple organizations, uncovering the deployment of known and new malware families. These include the SPAWN malware ecosystem, comprising SPAWNANT (installer), SPAWNMOLE (tunneler), and SPAWNSNAIL (SSH backdoor), alongside the new malware families DRYHOOK and PHASEJAM. While some activity has been linked to the UNC5337 group, broader attribution remains inconclusive, suggesting the possibility of multiple threat actors exploiting CVE-2025-0282.
Impact
CVE-2025-0282
Exploitation of CVE-2025-0282 involves version-specific attacks, with adversaries performing reconnaissance using HTTP requests to identify appliance versions. Once the target version is identified, attackers disable key security features, such as SELinux and syslog forwarding, and remount the appliance's filesystem for write access. Following this, web shells are deployed to maintain persistence and facilitate remote access.
CVE-2025-0283
CVE-2025-0283 is another vulnerability affecting Ivanti Connect Secure appliances. Ivanti has released fewer details about its exact nature as of January 9, 2025. Although less is known about the impact of this vulnerability and there is currently no indication that it is being exploited in the wild, it should also be prioritized for remediation, as it has the potential to be exploited along with CVE-2025-0282 in a more complex attack scenario.
Affected Versions
CVE-2025-0282
- Ivanti Connect Secure
  - Affected versions: 22.7R2 through 22.7R2.4
  - Affected package: cpe:2.3:a:ivanti:connect_secure:22.7:R2.4:*:*:*:*.*.*
- Ivanti Policy Secure
  - Affected versions: 22.7R1 through 22.7R1.2
  - Affected package: cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*.*.
- Ivanti Neurons for ZTA gateways
  - Affected versions: 22.7R2 through 22.7R2.3
CVE-2025-0283
- Ivanti Connect Secure
  - Affected versions: 22.7R2.4 and prior, and 9.1R18.9 and prior
  - Affected package: cpe:2.3:a:ivanti:connect_secure:22.7:R2.4:*:*:*:*.*.*
- Ivanti Policy Secure
  - Affected versions: 22.7R1.2 and prior
  - Affected package: cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*.*.
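The ranges above are easy to misread when triaging a fleet, so here is an added example (not Ivanti's or Mandiant's code) that encodes them and reports which of the two CVEs a given product and version string falls under. It assumes Ivanti's `MAJOR.MINOR R RELEASE[.PATCH]` version format and interprets "X and prior" as any version in the same major.minor release train at or below X; the product keys are labels chosen for this example.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges copied from the advisory's "Affected Versions" list.
# (low, high) is inclusive; low=None means "high and prior".
AFFECTED = {
    "CVE-2025-0282": {
        "connect_secure": [("22.7R2", "22.7R2.4")],
        "policy_secure": [("22.7R1", "22.7R1.2")],
        "zta_gateway": [("22.7R2", "22.7R2.3")],
    },
    "CVE-2025-0283": {
        "connect_secure": [(None, "22.7R2.4"), (None, "9.1R18.9")],
        "policy_secure": [(None, "22.7R1.2")],
    },
}

# Assumed format: 22.7R2.4 -> major 22, minor 7, release 2, patch 4
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.4' into (22, 7, 2, 4); a missing patch field counts as 0."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {s!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def in_range(version: str, low: Optional[str], high: str) -> bool:
    v, hi = parse_version(version), parse_version(high)
    if low is None:
        # "and prior": stay within the same major.minor train so that
        # the 9.1 line is not treated as simply "prior to" 22.7R2.4.
        return v[:2] == hi[:2] and v <= hi
    return parse_version(low) <= v <= hi


def affected_by(product: str, version: str) -> List[str]:
    """Return the sorted CVE IDs whose published ranges include this version."""
    return sorted({cve for cve, products in AFFECTED.items()
                   for low, high in products.get(product, [])
                   if in_range(version, low, high)})


if __name__ == "__main__":
    for prod, ver in [("connect_secure", "22.7R2.4"), ("connect_secure", "22.7R2.5")]:
        print(prod, ver, affected_by(prod, ver) or "not in a published range")
```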
Indicators of Compromise (IoCs)
Mandiant has observed the following indicators of compromise in the wild:
Code Family | Filename | Description
--- | --- | ---
DRYHOOK | n/a | Credential theft tool
PHASEJAM | /tmp/s | Web shell dropper
PHASEJAM Webshell | /home/webserver/htdocs/dana-na/auth/getComponent.cgi | Web shell
PHASEJAM Webshell | /home/webserver/htdocs/dana-na/auth/restAuth.cgi | Web shell
SPAWNSNAIL | /root/home/lib/libsshd.so | SSH backdoor
SPAWNMOLE | /root/home/lib/libsocks5.so | Tunneler
SPAWNANT | /root/lib/libupgrade.so | Installer
SPAWNSLOTH | /tmp/.liblogblock.so | Log tampering utility
Recommended Actions
- Update Ivanti Connect Secure to version 22.7R2.5.
- For Ivanti Neurons for ZTA gateways and Ivanti Policy Secure, there is currently no patch available. Ivanti has indicated that it expects patches to be released on January 21, 2025.
Ivanti advises using their Integrity Checker Tool (ICT) for both external and internal scans to identify potential issues and recommends reaching out to Ivanti Support if any suspicious activity is detected. Although threat actors have attempted to bypass detection by the ICT, Ivanti has provided examples demonstrating the differences between successful scans and unsuccessful ones on compromised devices to help users identify potential compromises.
If an ICT scan indicates compromise, Ivanti recommends that security teams perform a factory reset to remove malware and then reinstall the appliance using version 22.7R2.5. We will continue to update as additional patches are released.