The British domain registrar Nominet is investigating a potential breach of its network, during which hackers exploited a zero-day vulnerability in Ivanti software.
Suspicious activity was detected late last week, linked to a flaw in a third-party VPN service provided by Ivanti, which Nominet employees use for remote system access. The attack vector was associated with a zero-day vulnerability.
At this stage, the company asserts that there is no evidence of data leakage or theft. Furthermore, no signs of backdoors or other forms of unauthorized access have been identified. To bolster security, VPN access to systems has been restricted. Domain registration and management systems remain fully operational.
Nominet, which oversees more than 11 million .uk domains as well as .wales, .pharmacy, and .career, reported that the investigation is being conducted in collaboration with external experts. Notifications have been sent to clients, organization members, and relevant authorities, including the UK’s National Cyber Security Centre (NCSC).
All indications suggest that Nominet is the first organization to publicly acknowledge being a victim of the ongoing exploitation of CVE-2025-0282 (CVSS score: 9.0)—a zero-day vulnerability affecting Ivanti’s Connect Secure, Policy Secure, and Neurons for ZTA gateways. Ivanti and Mandiant have confirmed that these attacks began as early as December, though the identities of the victims had not been disclosed until now.
Mandiant discovered that this vulnerability was exploited by hackers linked to the Chinese group UNC5337. The attacks utilized a malicious ecosystem called SPAWN, which included previously unknown tools such as DRYHOOK and PHASEJAM. The primary objectives of the cybercriminals were credential theft and the installation of web shells to ensure persistent access.
Ivanti has released patches for Connect Secure, but fixes for Policy Secure and Neurons for ZTA will only become available on January 21. Last year, the company faced criticism for delays in issuing updates, which left thousands of organizations vulnerable. Nominet has confirmed that it has already begun implementing the patches. Users of Ivanti products are strongly advised to update their software as soon as possible.
