- Ivanti discovers two security vulnerabilities, including one of critical severity
- One of the flaws was abused as a zero-day by a Chinese threat actor.
- Researchers discovered never-before-seen malware was deployed in the attack
Ivanti has warned customers about a critical vulnerability affecting their VPN devices that is being actively exploited to deliver malware.
In a security advisory, Ivanti said it recently discovered two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, both of which affect Ivanti Connect Secure VPN devices.
The first appears to be the more dangerous of the two. It is assigned a severity score of 9.0 (critical) and is described as an unauthenticated stack-based buffer overflow. “A successful exploit could result in remote execution of unauthenticated code, leading to potential subsequent compromise of the victim's network,” it said.
The second vulnerability, also a stack-based buffer overflow, has a severity score of 7.0 (high).
New malware deployed
The company urged customers to apply the patch immediately and provided more details about the threat actors and their tools.
Partnering with Mandiant security researchers, Ivanti determined that the first vulnerability has been abused in the wild as a zero-day, most likely by multiple threat actors.
On at least one of the compromised VPNs, Mandiant found threat actors deploying the SPAWN malware ecosystem (including the SPAWNANT installer, SPAWNMOLE tunneler, and SPAWNSNAIL SSH backdoor).
The group behind this attack was identified as UNC5221, which is apparently a China-nexus espionage group, active since at least December 2023.
In the past, UNC5221 has been linked to the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPN devices, targeting organizations in the public, healthcare, and telecommunications sectors. The group focuses on data exfiltration and espionage.
Mandiant has also seen criminals release never-before-seen malware, now tracked as DRYHOOK and PHASEJAM. They were unable to attribute these families to any known threat actors.
“It is possible that multiple actors are responsible for the creation and deployment of these various code families (i.e. SPAWN, DRYHOOK, and PHASEJAM), but at the time of publishing this report, we do not have sufficient data to accurately assess the number of threat actors targeting CVE-2025-0282,” Ivanti said in the report.