- Ivanti uncovers two security vulnerabilities, including one critical-severity
- One of the flaws was being abused as a zero-day by a Chinese threat actor
- Researchers uncovered never-before-seen malware being deployed in the attack
Ivanti has warned customers of a critical vulnerability impacting its VPN appliances that is being actively exploited in the wild to drop malware.
In a security advisory, Ivanti said that it uncovered two vulnerabilities recently – CVE-2025-0282 and CVE-2025-0283, both of which are impacting Ivanti Connect Secure VPN appliances.
The former seems to be the more dangerous of the two. It is given a severity score of 9.0 (critical), and is described as an unauthenticated stack-based buffer overflow. “Successful exploitation could result in unauthenticated remote code execution, leading to potential downstream compromise of a victim network,” it was said.
The second vulnerability, also a stack-based buffer overflow, comes with a 7.0 severity score (high).
New malware deployed
The company urged customers to apply the patch immediately, and provided further details about the threat actors and their tools.
In partnership with security researchers at Mandiant, Ivanti determined the first vulnerability has been abused in the wild as a zero-day, most likely by multiple threat actors.
In at least one of the compromised VPNs, Mandiant found the threat actors deploying the SPAWN ecosystem of malware (including SPAWNANT installer, SPAWNMOLE tunneler, and SPAWNSNAIL SSH backdoor).
The group behind this attack was identified as UNC5221, which is apparently, a China-nexus espionage group, active since at least December 2023.
In the past, UNC5221 has been linked to the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPN appliances, targeting organizations in telecommunications, healthcare, and public sectors. The group focuses on data exfiltration and espionage.
Mendiant has also seen crooks drop previously unseen malware, now tracked as DRYHOOK and PHASEJAM. They were not able to attribute these families to any known threat actor.
“It is possible that multiple actors are responsible for the creation and deployment of these various code families (i.e. SPAWN, DRYHOOK and PHASEJAM), but as of publishing this report, we don’t have enough data to accurately assess the number of threat actors targeting CVE-2025-0282,” Ivanti said in the report.