A year after a series of vulnerabilities impacting a pair of Ivanti VPN products prompted an emergency directive from the Cybersecurity and Infrastructure Security Agency to federal agencies, the Utah-based software firm is again experiencing issues with one of its signature systems.

The company on Wednesday disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, affecting Ivanti Connect Secure (ICS) appliances. Mandiant, enlisted by Ivanti in the investigation and analysis of the vulnerabilities, said in a blog post that it had discovered zero-day exploitation of CVE-2025-0282 in the wild starting in mid-December of last year.

That particular vulnerability, the Google Cloud-owned security firm noted, “is an unauthenticated stack-based buffer overflow.” If successfully exploited, unauthenticated remote code execution is possible, which could lead to “potential downstream compromise of a victim network.”

Ivanti, which is working to address the issues in concert with Mandiant as well as impacted customers, government partners and security vendors, was able to identify the compromise thanks to some commercial security monitoring tools and its Integrity Checker Tool.

In February 2024, CISA and several intelligence partners issued an advisory saying that the Integrity Checker Tool was “not sufficient” in detecting compromises, a charge that Ivanti strongly disputed. That advisory came after the January 2024 emergency directive from CISA regarding vulnerabilities in Ivanti’s VPN products and subsequent instructions from the cyber agency on how to update and bring those devices back online in the wake of reports that the vulnerable devices were being targeted by Chinese espionage operations.

On Thursday, CISA added the exploited vulnerability, CVE-2025-0282, to its Known Exploited Vulnerabilities (KEV) catalog.

For the current vulnerabilities affecting its products, Ivanti has released patches and urged customers to secure their systems by following the instructions in its security advisory.

In the Wednesday blog post, Mandiant researchers said their analysis found signs of SPAWN in infected systems, noting that the deployment of that malware ecosystem has been attributed to the China-linked UNC5337, a group believed to be part of UNC5221.

Other malware families observed by Mandiant in compromised Ivanti systems include DRYHOOK and PHASEJAM, neither of which are currently linked to a specific threat group.

“Mandiant assesses that defenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access,” the firm’s researchers concluded. “Additionally, if proof-of-concept exploits for CVE-2025-0282 are created and released, Mandiant assesses it is likely additional threat actors may attempt targeting Ivanti Connect Secure appliances.”

The post New zero-day exploit targets Ivanti VPN product appeared first on CyberScoop.
