New zero-day exploit targets Ivanti VPN product | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/ivanti-vpn-vulnerabilities-zero-day-exploit-china-cisa\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"New zero-day exploit targets Ivanti VPN product\"> <meta property=\"og:description\" content=\"Mandiant says it found malware in impacted devices associated with a Chinese-linked threat group.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/ivanti-vpn-vulnerabilities-zero-day-exploit-china-cisa\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-01-09T17:09:03+00:00\"> <meta property=\"article:modified_time\" content=\"2025-01-09T17:09:05+00:00\"> <meta name=\"author\" content=\"mbracken\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/new-zero-day-exploit-targets-ivanti-vpn-product-2.jpg\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1736374229g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1732010462g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ddc036fa194c40cf406f\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83087\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83087\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fivanti-vpn-vulnerabilities-zero-day-exploit-china-cisa%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fivanti-vpn-vulnerabilities-zero-day-exploit-china-cisa%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83087 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/ivanti-vpn-vulnerabilities-zero-day-exploit-china-cisa\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.194444444444\">\n<div class=\"single-article__header-content\" readability=\"32.463768115942\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/ivanti-vpn-vulnerabilities-zero-day-exploit-china-cisa\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> Mandiant says it found malware in impacted devices associated with a Chinese-linked threat group. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83087\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/new-zero-day-exploit-targets-ivanti-vpn-product.jpg?resize=640%2C360&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/new-zero-day-exploit-targets-ivanti-vpn-product-2.jpg 3840w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/new-zero-day-exploit-targets-ivanti-vpn-product-2.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/new-zero-day-exploit-targets-ivanti-vpn-product-2.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/new-zero-day-exploit-targets-ivanti-vpn-product-2.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/new-zero-day-exploit-targets-ivanti-vpn-product-2.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/new-zero-day-exploit-targets-ivanti-vpn-product-2.jpg?resize=2048,1152 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/new-zero-day-exploit-targets-ivanti-vpn-product-2.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/new-zero-day-exploit-targets-ivanti-vpn-product-2.jpg?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/new-zero-day-exploit-targets-ivanti-vpn-product-2.jpg?resize=1500,843 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"27.939825253664\"><body readability=\"57.082991803279\"><\/p>\n<p>A year after a series of vulnerabilities impacting a pair of Ivanti VPN products <a href=\"https:\/\/cyberscoop.com\/cisa-ivanti-vulnerability-emergency-directive\/\">prompted an emergency directive<\/a> from the Cybersecurity and Infrastructure Security Agency to federal agencies, the Utah-based software firm is again experiencing issues with one of its signature systems.<\/p>\n<p>The company on Wednesday <a href=\"https:\/\/forums.ivanti.com\/s\/article\/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US\">disclosed two vulnerabilities<\/a> \u2014 <a href=\"https:\/\/www.cisa.gov\/cisa-mitigation-instructions-cve-2025-0282\">CVE-2025-0282<\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-0283\">CVE-2025-0283<\/a> \u2014 that were affecting Ivanti Connect Secure (ICS) appliances. Mandiant, enlisted by Ivanti in the investigation and analysis of the vulnerabilities, <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/ivanti-connect-secure-vpn-zero-day?e=48754805\">said in a blog post<\/a> that it had discovered zero-day exploitation of CVE-2025-0282 in the wild starting in mid-December of last year.<\/p>\n<p>That particular vulnerability, the Google Cloud-owned security firm noted, \u201cis an unauthenticated stack-based buffer overflow.\u201d If successfully exploited, unauthenticated remote code execution is possible, which could lead to \u201cpotential downstream compromise of a victim network.\u201d<\/p>\n<p>Ivanti, which is working to address the issues in concert with Mandiant as well as impacted customers, government partners and security vendors, was able to identify the compromise thanks to some commercial security monitoring tools and its Integrity Checker Tool. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>In February 2024, CISA and several intelligence partners issued an advisory saying that the Integrity Checker Tool was \u201c<a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa24-060b\">not sufficient<\/a>\u201d in detecting compromises, a charge that <a href=\"https:\/\/cyberscoop.com\/cisa-ivanti-integrity-checker-vulnerabilty\/\">Ivanti strongly disputed<\/a>. That advisory came after the January 2024 emergency directive from CISA regarding vulnerabilities in Ivanti\u2019s VPN products and subsequent instructions from the cyber agency on <a href=\"https:\/\/cyberscoop.com\/ivanti-connect-secure-china\/\">how to update and bring those devices back online<\/a> in the wake of reports that the vulnerable devices were being <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/ivanti-connect-secure-vpn-zero-day?e=48754805\">targeted by Chinese espionage operations<\/a>.<\/p>\n<p>On Thursday, CISA added the latest vulnerability to its <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\">Known Exploited Vulnerability (KEV) catalog<\/a>. <\/p>\n<p>For the current vulnerabilities plaguing Ivanti\u2019s products, the company has released patches and urged customers to secure their systems via instructions in its security advisory. <\/p>\n<p>In the Wednesday blog post, Mandiant researchers said their analysis found signs of SPAWN in infected systems, noting that the deployment of that malware ecosystem has been attributed to the China-linked UNC5337, a group believed to be part of UNC5221. <\/p>\n<p>Other malware families observed by Mandiant in compromised Ivanti systems include DRYHOOK and PHASEJAM, neither of which are currently linked to a specific threat group. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cMandiant assesses that defenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access,\u201d the firm\u2019s researchers concluded. \u201cAdditionally, if proof-of-concept exploits for CVE-2025-0282 are created and released, Mandiant assesses it is likely additional threat actors may attempt targeting Ivanti Connect Secure appliances.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.9822294022617\">\n<div class=\"author-card\" readability=\"15\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/new-zero-day-exploit-targets-ivanti-vpn-product-1.jpg?w=640&ssl=1\" alt=\"Matt Bracken\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Bracken<\/h4>\n<p> Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/ivanti-vpn-vulnerabilities-zero-day-exploit-china-cisa\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New zero-day exploit targets Ivanti VPN product | CyberScoop Skip<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[78,452,2659,1394,168,646,3442,3443,3444,643,1170],"tags":[86,454,2661,1395,169,650,3445,3446,3447,645,1171],"class_list":["post-6864","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-exploit","category-ivanti","category-malware","category-mandiant","category-spawn","category-unc5221","category-unc5337","category-vulnerabilities","category-zero-days","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-exploit","tag-ivanti","tag-malware","tag-mandiant","tag-spawn","tag-unc5221","tag-unc5337","tag-vulnerabilities","tag-zero-days"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/exploit\/\" rel=\"category tag\">exploit<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ivanti\/\" rel=\"category tag\">Ivanti<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/malware\/\" rel=\"category tag\">Malware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/mandiant\/\" rel=\"category tag\">Mandiant<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/spawn\/\" rel=\"category tag\">SPAWN<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/unc5221\/\" rel=\"category tag\">UNC5221<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/unc5337\/\" rel=\"category tag\">UNC5337<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerabilities\/\" rel=\"category tag\">vulnerabilities<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/zero-days\/\" rel=\"category tag\">zero-days<\/a>","tag_info":"zero-days","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6864","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6864"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6864\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6864"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6864"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6864"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":6864,"date":"2025-01-09T11:09:03","date_gmt":"2025-01-09T17:09:03","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83087"},"modified":"2025-01-09T11:09:03","modified_gmt":"2025-01-09T17:09:03","slug":"new-zero-day-exploit-targets-ivanti-vpn-product","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/09\/new-zero-day-exploit-targets-ivanti-vpn-product\/","title":{"rendered":"New zero-day exploit targets Ivanti VPN product"},"content":{"rendered":"