
Mandiant says it found malware in impacted devices associated with a Chinese-linked threat group.



A year after a series of vulnerabilities impacting a pair of Ivanti VPN products prompted an emergency directive from the Cybersecurity and Infrastructure Security Agency to federal agencies, the Utah-based software firm is again experiencing issues with one of its signature systems.

The company on Wednesday disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, affecting Ivanti Connect Secure (ICS) appliances. Mandiant, enlisted by Ivanti in the investigation and analysis of the vulnerabilities, said in a blog post that it had discovered zero-day exploitation of CVE-2025-0282 in the wild starting in mid-December of last year.

That particular vulnerability, the Google Cloud-owned security firm noted, “is an unauthenticated stack-based buffer overflow.” If successfully exploited, unauthenticated remote code execution is possible, which could lead to “potential downstream compromise of a victim network.”

Ivanti, which is working to address the issues in concert with Mandiant as well as impacted customers, government partners and security vendors, was able to identify the compromise thanks to commercial security monitoring tools and its Integrity Checker Tool.

In February 2024, CISA and several intelligence partners issued an advisory saying that the Integrity Checker Tool was “not sufficient” in detecting compromises, a charge that Ivanti strongly disputed. That advisory came after the January 2024 emergency directive from CISA regarding vulnerabilities in Ivanti’s VPN products and subsequent instructions from the cyber agency on how to update and bring those devices back online in the wake of reports that the vulnerable devices were being targeted by Chinese espionage operations.

On Thursday, CISA added the latest vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

For the current vulnerabilities plaguing Ivanti’s products, the company has released patches and urged customers to secure their systems via the instructions in its security advisory.

In the Wednesday blog post, Mandiant researchers said their analysis found signs of the SPAWN malware ecosystem on infected systems, noting that deployment of SPAWN has been attributed to the China-linked UNC5337, a group believed to be part of UNC5221.

Other malware families observed by Mandiant in compromised Ivanti systems include DRYHOOK and PHASEJAM, neither of which is currently linked to a specific threat group.

“Mandiant assesses that defenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access,” the firm’s researchers concluded. “Additionally, if proof-of-concept exploits for CVE-2025-0282 are created and released, Mandiant assesses it is likely additional threat actors may attempt targeting Ivanti Connect Secure appliances.”


Written by Matt Bracken

Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com.
