Ivanti has disclosed active exploitation of a critical vulnerability, CVE-2025-0282 (CVSS 9.0), affecting Connect Secure (up to version 22.7R2.5), Policy Secure (up to version 22.7R1.2), and Neurons for ZTA Gateway (up to version 22.7R2.3). The flaw is a stack-based buffer overflow that allows an unauthenticated attacker to execute code remotely.
The vulnerability was detected through Ivanti's Integrity Checker Tool (ICT), which flagged anomalous activity on the day the exploitation first appeared. This early detection allowed the company to release patches quickly. At the same time, a second vulnerability, CVE-2025-0283 (CVSS 7.0), which allowed local users to escalate privileges, was identified and resolved in version 22.7R2.5.
Mandiant’s analysis revealed that CVE-2025-0282 has been exploited by hackers linked to the Chinese group UNC5337. These attacks leveraged a malicious ecosystem named SPAWN, featuring previously unknown tools such as DRYHOOK and PHASEJAM.
The attacks involved disabling SELinux, tampering with logs, deploying web shells, and executing ELF binaries, among them PHASEJAM. The PHASEJAM script blocks system updates and modifies critical device component files. The deployed web shells allow command execution, file uploads, and data exfiltration.
Key tactics in the exploitation included:
- Conducting internal network reconnaissance using tools like nmap and dig.
- Utilizing LDAP for Active Directory queries and lateral movement.
- Extracting VPN session databases, API keys, and credentials.
- Harvesting passwords through the Python script DRYHOOK.
CISA has added CVE-2025-0282 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply the security updates by January 15, 2025. Organizations are advised to scan their systems for signs of compromise and to report any suspicious activity promptly.
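The first step in the scan the article recommends is establishing which appliances still run a vulnerable build. The following Python script is an added example, not code from Ivanti, Mandiant, or CISA: it parses Ivanti-style version strings (such as 22.7R2.4) into comparable tuples and triages a constructed inventory against the release numbers quoted above. Because the article names the same number (22.7R2.5) both as the top of the affected range and as the release that resolved the issue, the script assumes "up to" means "prior to" and treats the listed versions as the first patched releases; that reading, the inventory format, and the product keys are assumptions made here.

```python
import re
from dataclasses import dataclass

# First patched release per product, taken from the article's figures.
# ASSUMPTION: the article's "up to version X" is read as "versions before X",
# consistent with its statement that the fix shipped in 22.7R2.5.
FIXED_VERSIONS = {
    "connect_secure": "22.7R2.5",
    "policy_secure": "22.7R1.2",
    "zta_gateway": "22.7R2.3",
}

# Ivanti builds look like 22.7R2.5 or 22.7R2; the trailing patch digit is optional.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Convert '22.7R2.4' into (22, 7, 2, 4); a missing patch field counts as 0."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(product, version):
    """True when the installed version predates the fixed release for that product."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"unknown product key: {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


@dataclass
class Finding:
    host: str
    product: str
    version: str
    affected: bool


def triage_inventory(lines):
    """Read 'host,product,version' lines (a constructed inventory format) and
    return one Finding per appliance, marking those still on a vulnerable build."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        host, product, version = (field.strip() for field in line.split(","))
        findings.append(Finding(host, product, version, is_affected(product, version)))
    return findings


def affected_hosts(lines):
    """Convenience wrapper: the hostnames that need patching, in inventory order."""
    return [f.host for f in triage_inventory(lines) if f.affected]


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """\
# host,product,version
vpn-edge-1,connect_secure,22.7R2.4
vpn-edge-2,connect_secure,22.7R2.5
nac-core,policy_secure,22.7R1.1
zta-gw-1,zta_gateway,22.7R2.3
zta-gw-2,zta_gateway,22.7R2
"""

if __name__ == "__main__":
    for finding in triage_inventory(SAMPLE_INVENTORY.splitlines()):
        status = "PATCH REQUIRED" if finding.affected else "ok"
        print(f"{finding.host:<12} {finding.product:<15} {finding.version:<10} {status}")
```

A version check only tells you whether a device could have been exploited, not whether it was; an appliance that was attacked before being upgraded still needs the ICT scan and log review the article describes, particularly given that the reported intrusions included log tampering.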