Threat Intelligence Report: Ivanti Connect Secure Zero-Day Exploitation and Resurge Malware (CVE-2025-0282)

CISO Executive Summary #

Overview #

CVE-2025-0282 is a critical zero-day vulnerability in Ivanti Connect Secure VPN appliances that was exploited in the wild from mid-December 2024 by suspected China-nexus espionage actors. The flaw, a stack-based buffer overflow reachable without authentication, yields remote code execution on the appliance and was used to deploy the SPAWN malware ecosystem and, later, the Resurge variant analysed by CISA. Shadowserver scans identified 379 backdoored appliances on 15 January 2025; because the product fronts government and critical-infrastructure networks, the exposure is severe.

Impact #

The exploitation of CVE-2025-0282 resulted in:

  • Critical Infrastructure Exposure: Connect Secure is deployed as the remote-access edge of government, healthcare and other essential-service networks, so a compromised appliance sits directly on the trust boundary
  • Persistent Access: deployment of malware with rootkit, bootkit and anti-forensic capabilities that is designed to survive reboots and system upgrades
  • Credential Harvesting: capture of VPN credentials and session material at the appliance, which can then be replayed against other internal and cloud services
  • Attribution: Mandiant attributes the activity to UNC5337, assessed with medium confidence to be part of UNC5221, a suspected China-nexus espionage actor; Microsoft separately reported exploitation by Silk Typhoon

Mitigation #

Organizations using Ivanti Connect Secure must take immediate action:

  1. Factory Reset Before Patching: CISA recommends a factory reset (for virtual appliances, a rebuild from a known-clean image) before upgrading, for highest confidence that implants do not survive; SPAWNANT and PHASEJAM are specifically built to persist through, or block, upgrades
  2. Emergency Patching: upgrade Connect Secure to 22.7R2.5 or later; fixes for Policy Secure (22.7R1.2) and Neurons for ZTA gateways (22.7R2.3) shipped later in January 2025
  3. Integrity Checking: run Ivanti’s external Integrity Checker Tool (ICT) on every exposed appliance; treat a clean result as necessary but not sufficient, since Resurge is reported to manipulate integrity checks on the box
  4. Credential Hygiene: reset administrative and service passwords, rotate API keys, and revoke and reissue certificates stored on the appliance; watch identity infrastructure for use of harvested VPN credentials
  5. Network Isolation: isolate suspected appliances pending verification, preserving disk images and logs for forensics before any reset

Engineering Breakdown #

CVE Details #

  • CVE ID: CVE-2025-0282
  • Severity: Critical
  • CVSS 3.1 Score: 9.0 (Critical)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (network reachable, no privileges or user interaction, scope changed)
  • Attack Complexity: High; the overflow must be exploited in a version-specific way, which is why the actors fingerprinted appliance versions before attempting exploitation
  • Authentication: Not Required

Description #

CVE-2025-0282 is a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3. The vulnerability enables attackers to execute arbitrary code remotely without authentication, providing complete control over the VPN appliance.

Technical Analysis #

Google Cloud Threat Intelligence Analysis #

According to Google Cloud’s threat intelligence team, exploitation began in mid-December 2024. Before exploiting an appliance, the actors sent repeated requests to it to determine the running version, because the exploit has to be tailored to the build.

Mandiant Attribution Analysis #

Mandiant researchers attributed the activity to UNC5337 and assessed with medium confidence that this cluster is part of UNC5221, the suspected China-nexus group that exploited CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure in January 2024. The group’s objectives are credential harvesting and long-term access maintenance on edge devices.

CISA Malware Analysis #

In March 2025 the Cybersecurity and Infrastructure Security Agency published a Malware Analysis Report on Resurge, recovered from a Connect Secure appliance during incident response for CVE-2025-0282, together with a variant of SPAWNSLOTH and a custom binary built around BusyBox. The report documents Resurge’s anti-forensic capabilities and the commands it adds over SPAWNCHIMERA.

Exploitation Details #

Attack Chain Methodology #

The exploitation follows a consistent pattern:

  1. Version Reconnaissance: repeated requests to determine the appliance version, since the exploit is version-specific
  2. Exploitation: trigger the stack-based buffer overflow to gain code execution on the appliance
  3. Disable Security Controls: set SELinux to non-enforcing so the malware can be written and run
  4. Suppress Logging: stop syslog forwarding so the SIEM sees nothing while the deployment runs
  5. File System Preparation: remount the root filesystem read-write for malware installation
  6. Malware Deployment: execute the dropped script and deploy web shells
  7. Log Manipulation: use sed to remove specific entries from the debug and application logs
  8. Cover Tracks: re-enable SELinux and remount the filesystem read-only so the appliance looks untouched
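Steps 3 to 5 of that chain are visible from the outside if the appliance forwards syslog: the SELinux change and the remount produce kernel messages, and the suppression of forwarding itself produces a gap in the feed. The following is an added example of that hunt, written for this page rather than taken from the Mandiant or CISA reporting. The log format (RFC 3164 style), the hostname `ics-gw1`, the sample lines and the message wording are constructed; the wording is generic Linux phrasing, not Ivanti’s, so the patterns must be adjusted to what your appliance actually emits.

```python
"""Added example, not from the Mandiant or CISA reporting: hunting the
appliance's forwarded syslog for the on-box steps of the attack chain.

Constructed for the example: the log format (RFC 3164 style, "Mon DD HH:MM:SS
host tag: message") and the sample lines, including the hostname ics-gw1 and
the message wording, which is generic Linux phrasing rather than Ivanti's.
The year is not present in RFC 3164 timestamps, so it is passed in.
"""
import re
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

# Disabling SELinux and remounting the root filesystem leave kernel/audit
# messages on most Linux builds; these patterns cover the common wordings.
SUSPICIOUS = {
    "selinux_disabled": re.compile(r"selinux.*(permissive|disabled)|setenforce\s+0", re.I),
    "remount_rw": re.compile(r"re-?mount.*\brw\b", re.I),
}


def parse_ts(ts: str, year: int) -> datetime:
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(lines, year=2025, max_gap=timedelta(minutes=10)):
    """Return (kind, timestamp, detail) findings in log order.

    'log_gap' fires when consecutive lines are further apart than max_gap:
    the actors stop syslog forwarding while they work, so from the SIEM's
    side the deployment looks like silence, not like an event.
    """
    findings = []
    prev = None
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"], year)
        if prev is not None and ts - prev > max_gap:
            findings.append(("log_gap", prev.isoformat(), f"silent until {ts.isoformat()}"))
        prev = ts
        for kind, rx in SUSPICIOUS.items():
            if rx.search(m["msg"]):
                findings.append((kind, ts.isoformat(), m["msg"]))
    return findings


# Constructed sample: a normal-looking gateway, the SELinux/remount steps, then
# 44 minutes of silence while forwarding is off, then SELinux re-enabled.
SAMPLE_LOG = """\
Jan 10 02:14:05 ics-gw1 web: client 203.0.113.7 GET / 200
Jan 10 02:14:06 ics-gw1 web: client 203.0.113.7 GET / 200
Jan 10 02:14:08 ics-gw1 kernel: SELinux: policy loaded, mode permissive
Jan 10 02:14:09 ics-gw1 kernel: EXT4-fs (sda1): re-mounted. Opts: rw
Jan 10 02:58:40 ics-gw1 kernel: SELinux: enforcing mode set
Jan 10 02:58:41 ics-gw1 web: client 203.0.113.7 GET / 200
""".splitlines()

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

The gap detector is the part worth keeping even if the keyword patterns never match: a VPN gateway that normally emits several lines a minute and then goes quiet for a quarter of an hour, followed by an SELinux message, is a stronger signal than any single string, and it does not depend on the actor leaving the log entries they later remove with sed.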

Malware Ecosystem #

Resurge Malware (“libdsupgrade.so”)

  • Variant of SPAWNCHIMERA described by CISA as functioning as a rootkit, dropper, backdoor, bootkit, proxy and tunneler, and as surviving reboots
  • Adds three distinctive commands over SPAWNCHIMERA: creating a web shell (copied to the running boot disk and into the running coreboot image), manipulating integrity checks, and modifying files
  • Inserts itself into ld.so.preload so that it is loaded into other processes
  • The web shell is used for credential harvesting, account creation, password resets and privilege escalation

SPAWN Malware Family

  • SPAWNANT: installer that establishes persistence across system upgrades
  • SPAWNMOLE: tunneler that relays traffic through the appliance’s web server
  • SPAWNSNAIL: SSH backdoor listening on localhost, reached through SPAWNMOLE
  • SPAWNSLOTH: log-tampering component that disables logging
  • SPAWNCHIMERA: combined variant that merges the SPAWN components; JPCERT/CC reported that it also patches the CVE-2025-0282 overflow on the compromised appliance, so an appliance that no longer appears exploitable is not necessarily clean

Additional Malware Observed in the Campaign

  • DRYHOOK: credential harvester first documented in this campaign; captures usernames and passwords at authentication time
  • PHASEJAM: dropper first documented in this campaign; writes web shells into web-facing scripts and blocks legitimate upgrades while displaying a fake upgrade progress bar
  • DSLOGDRAT: backdoor reported by JPCERT/CC in April 2025, deployed via CVE-2025-0282 alongside a Perl web shell in attacks on organisations in Japan

Threat Actor Attribution #

UNC5337 (Assessed to Be Part of UNC5221) #

Operational Characteristics:

  • Suspected China-nexus espionage actor
  • Targets internet-facing edge devices, VPN gateways in particular, to gain footholds in government and critical-infrastructure networks
  • Develops custom malware for the Ivanti platform (the SPAWN family) with persistence that survives upgrades
  • Objectives of credential harvesting and long-term access maintenance

Historical Context:

  • UNC5221 exploited CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure as zero-days in January 2024
  • The SPAWN family was first documented during that 2024 campaign and was reused and extended here
  • Consistent anti-forensic tradecraft: syslog suppression, surgical log editing and integrity-check tampering

Secondary Actors #

Silk Typhoon (formerly Hafnium):

  • Reported by Microsoft to have exploited CVE-2025-0282 as a zero-day in January 2025
  • China-based espionage group tracked by Microsoft; responsible for the 2021 Exchange Server (ProxyLogon) exploitation
  • Recent focus on IT supply-chain footholds (remote management and cloud applications) and edge devices

Impact Assessment #

Compromise Statistics #

  • 379 Backdoored Appliances: identified by Shadowserver Foundation scans on 15 January 2025 (a count of appliances, not organisations; one organisation may run several)
  • Sectors: no public per-sector victim breakdown was released; Connect Secure is widely deployed in government, healthcare and other critical-infrastructure networks
  • Geographic Spread: global, with the largest share of backdoored instances in the United States
  • Timeline: exploitation observed from mid-December 2024; follow-on campaigns (including DslogdRAT in Japan) were reported into spring 2025

Affected Systems #

  • Ivanti Connect Secure (all versions before 22.7R2.5)
  • Ivanti Policy Secure (all versions before 22.7R1.2)
  • Ivanti Neurons for ZTA gateways (all versions before 22.7R2.3)

Indicators of Compromise #

Network Indicators #

# Network behaviours worth hunting for (no attacker IPs are reproduced here; take those from the Mandiant and CISA reports)
- Bursts of repeated unauthenticated requests to the same resource from one source, shortly before exploitation (version fingerprinting)
- Gaps in the appliance's syslog feed while the appliance is otherwise serving traffic (forwarding was disabled during deployment)
- Outbound connections from the appliance that are not updates, authentication back-ends or configured log destinations (SPAWNMOLE tunnelling)
- SSH-like sessions carried inside the HTTPS listener (SPAWNMOLE relaying to SPAWNSNAIL's localhost SSH backdoor)

File System Indicators #

# File indicators (match on the hashes in the CISA MAR, not on names alone; the actors control file names)
/home/lib/libdsupgrade.so (Resurge sample analysed by CISA)
# Also hunt for: shared objects absent from a clean image of the same build, any entry in /etc/ld.so.preload, and new or modified web-facing CGI scripts.
# Generic patterns such as /tmp/spawn_* or /var/log/modified_* are not published indicators and should not be used as detection logic.

Process Indicators #

# Host indicators (from a forensic image or vendor-assisted collection; the appliance offers no supported root shell)
- Web server or CGI processes spawning shells or interpreters
- SELinux mode changes and root-filesystem remounts in kernel and audit logs
- Log files with individual lines removed (the actors used sed against debug and application logs) rather than rotated or truncated
- Tunnelled traffic originating from the web server process (SPAWNMOLE)

Recommendations for Organizations #

Immediate Response Actions #

  1. Factory Reset Protocol: image the disk and export logs first, then factory reset (or rebuild from a clean image) every appliance that was internet-exposed while vulnerable, before applying the upgrade
  2. Version Verification: confirm the upgrade to 22.7R2.5 or later, and confirm that the upgrade actually completed; PHASEJAM fakes the upgrade progress bar
  3. Integrity Checking: run Ivanti’s external ICT for compromise detection, and treat a clean result as one input rather than proof
  4. Network Isolation: quarantine suspected compromised devices and reset credentials and certificates that passed through them

Detection and Hunting #

Hunt Queries #

Organizations should search for:

  • Bursts of identical unauthenticated requests from one source in the gateway's access log, followed by a change in request pattern (version reconnaissance preceding exploitation)
  • Unexpected or modified files in /home/lib/ compared with a clean image of the same build
  • SELinux disable/enable events and filesystem remounts in forwarded system logs, and gaps in the forwarded log stream
  • Network connections from the VPN appliance to destinations that are not part of its configured function
  • Logins using VPN credentials from new locations or devices after the exposure window (harvested credentials being replayed)
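The first of those hunts, the reconnaissance burst, can be run over the gateway's HTTP access log. The following is an added example written for this page, not code from the original report or from Ivanti: it groups requests by source, looks for one path fetched repeatedly inside a short window, and notes whether the same source then switched to a POST. The combined-log-format lines, the RFC 5737 documentation addresses and the request paths (`/login`, `/upload`) are constructed placeholders, not Ivanti's real endpoints, and `WINDOW` and `THRESHOLD` need tuning against your own baseline because monitoring probes and load balancers will also repeat requests.

```python
"""Added example, not from the original report: flagging the version-
reconnaissance phase in the gateway's HTTP access log. The actors were
reported to query appliances repeatedly to learn the build before exploiting
it, so one source hammering a single unauthenticated resource and then
switching to a POST is a pre-exploitation signal worth alerting on.

Constructed for the example: the combined-log-format lines below, the IPs
(RFC 5737 documentation ranges) and the request paths, which are placeholders
rather than Ivanti's real endpoints.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
WINDOW = timedelta(minutes=5)   # look-back for repeated fetches of one path
THRESHOLD = 4                   # repeats from one IP that count as fingerprinting


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def find_recon(lines):
    """Per source IP: the first path fetched >= THRESHOLD times inside WINDOW,
    and whether that burst was followed by a POST from the same IP."""
    by_ip = defaultdict(list)
    for e in filter(None, map(parse, lines)):
        by_ip[e["ip"]].append(e)

    hits = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        gets = [e for e in evs if e["method"] == "GET"]
        for i, first in enumerate(gets):
            burst = [g for g in gets[i:]
                     if g["path"] == first["path"] and g["ts"] - first["ts"] <= WINDOW]
            if len(burst) >= THRESHOLD:
                last_ts = burst[-1]["ts"]
                post_after = any(e["method"] == "POST" and e["ts"] >= last_ts for e in evs)
                hits.append({"ip": ip, "path": first["path"], "count": len(burst),
                             "post_after": post_after, "ua": first["ua"]})
                break  # one finding per source is enough for triage
    return hits


# Constructed sample: 203.0.113.7 fingerprints the login page five times in two
# minutes and then POSTs; 198.51.100.9 is an ordinary user logging in.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Jan/2025:02:12:00 +0000] "GET /login HTTP/1.1" 200 5120 "-" "curl/8.4"
198.51.100.9 - - [10/Jan/2025:02:12:10 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:02:12:30 +0000] "GET /login HTTP/1.1" 200 5120 "-" "curl/8.4"
203.0.113.7 - - [10/Jan/2025:02:13:00 +0000] "GET /login HTTP/1.1" 200 5120 "-" "curl/8.4"
198.51.100.9 - - [10/Jan/2025:02:13:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:02:13:30 +0000] "GET /login HTTP/1.1" 200 5120 "-" "curl/8.4"
203.0.113.7 - - [10/Jan/2025:02:14:00 +0000] "GET /login HTTP/1.1" 200 5120 "-" "curl/8.4"
203.0.113.7 - - [10/Jan/2025:02:14:20 +0000] "POST /upload HTTP/1.1" 200 17 "-" "curl/8.4"
""".splitlines()

if __name__ == "__main__":
    for hit in find_recon(SAMPLE_ACCESS_LOG):
        print(hit)
```

The user agent is carried through because a scripted fingerprinting loop rarely bothers to look like a browser; it is reported rather than used as a filter, since the actors can trivially change it.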

Monitoring Recommendations #

# Log analysis for exploitation indicators; run against a read-only mount of the
# appliance disk image ($IMG), not on the live appliance (no supported root shell,
# and on-box tooling may be tampered with). $REF is any file from a known-clean
# image of the same build; its mtime serves as the "last known good" date.
IMG=/mnt/ics-image; REF=/mnt/ics-clean/etc/passwd; EXPECTED_PROCESS=web
grep -iE "selinux.*(permissive|disabled)|setenforce 0" "$IMG/var/log/messages"
find "$IMG/home/lib" -name "*.so" -type f -newer "$REF"
# Live system only (vendor-assisted collection): HTTPS listeners not owned by the web server
netstat -tulpn | grep ':443' | grep -v "$EXPECTED_PROCESS"
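The `find -newer` check above only catches files whose timestamps the intruder did not reset. Because Resurge is reported to manipulate integrity checks on the appliance itself, the comparison a practitioner can actually trust is hash-by-hash against a baseline taken from a known-clean image of the same build, run from a forensic workstation over a read-only mount of the suspect disk. The following is an added example of that offline check, written for this page; it is not Ivanti's Integrity Checker Tool and not code from the CISA or Mandiant reports. The temporary directory tree in `demo()`, the file names (`libexample.so`, `home/bin/web`, `libdsupgrade.so`) and the manifest format (relative path to SHA-256) are constructed for the example; a real baseline comes from a clean image, never from the suspect disk.

```python
"""Added example, not the vendor's Integrity Checker Tool: verifying an
appliance filesystem from outside the appliance, by diffing a read-only mount
of the suspect disk against a SHA-256 manifest built from a clean image.

Constructed for the example: the temporary directory tree in demo(), the file
names (libexample.so, home/bin/web, libdsupgrade.so) and the manifest format
(relative path -> SHA-256). A real baseline comes from a clean image of the
same build, not from the suspect disk.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by POSIX path relative to root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def verify(root: Path, baseline: dict) -> dict:
    """Diff a mounted image against the clean-image manifest."""
    current = build_manifest(root)
    modified = sorted(p for p, h in current.items() if p in baseline and baseline[p] != h)
    missing = sorted(p for p in baseline if p not in current)
    # A shared object the baseline has never seen is exactly what an implant
    # library looks like on disk, whatever it is named.
    unlisted_so = sorted(p for p in current if p not in baseline and p.endswith(".so"))
    # /etc/ld.so.preload is empty or absent on a clean system; any entry forces
    # a library into every dynamically linked process (the classic userland
    # rootkit hook), so its contents are reported verbatim.
    preload = root / "etc" / "ld.so.preload"
    preload_entries = []
    if preload.is_file():
        preload_entries = [ln.strip() for ln in preload.read_text().splitlines() if ln.strip()]
    return {"modified": modified, "missing": missing,
            "unlisted_so": unlisted_so, "preload": preload_entries}


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then plant an implant."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("home/lib", "home/bin", "etc"):
            (root / d).mkdir(parents=True)
        (root / "home/lib/libexample.so").write_bytes(b"clean library")
        (root / "home/bin/web").write_bytes(b"clean web server binary")
        baseline = build_manifest(root)          # taken from the clean image

        # What a compromised disk looks like: patched binary, new .so, preload hook.
        (root / "home/bin/web").write_bytes(b"clean web server binary + patch")
        (root / "home/lib/libdsupgrade.so").write_bytes(b"implant")
        (root / "etc/ld.so.preload").write_text("/home/lib/libdsupgrade.so\n")
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Mount the suspect image with `-o ro,noexec,nosuid` and hash everything, not just `/home/lib`: Resurge copies its web shell to the boot disk and the coreboot image, so a manifest scoped to the library directory would miss it. The `missing` list matters too, since a log or manifest file that is absent from the suspect disk is as telling as a new one.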

Long-term Security Improvements #

  1. Phishing-Resistant Access: require phishing-resistant MFA and device posture checks so that a harvested VPN password alone does not grant access
  2. Network Segmentation: treat the VPN appliance as an untrusted edge device; restrict what it can reach internally and what it can reach on the internet
  3. Continuous Monitoring: forward appliance logs off-box and alert on the feed going silent, not only on what it contains
  4. Incident Response: maintain a rehearsed procedure for edge-device compromise that covers imaging before reset, credential and certificate rotation, and downstream credential-replay hunting

Lessons Learned #

Edge Device Risk #

The Ivanti compromise demonstrates the risk concentrated in internet-facing security appliances, which sit on the trust boundary yet offer little visibility or endpoint tooling. Organizations must:

  • Maintain a complete inventory of network appliances, including their build versions and internet exposure
  • Implement security controls beyond VPN authentication, so that a compromised gateway does not equal a compromised network
  • Plan for appliance compromise as a routine scenario, including how a device will be imaged, rebuilt and re-credentialed

Nation-State Persistence #

The sophistication of the Resurge malware and SPAWN ecosystem highlights:

  • Advanced persistent threat capabilities of nation-state actors
  • Need for comprehensive forensic capabilities
  • Importance of assuming breach mentality

Conclusion #

The exploitation of CVE-2025-0282 by UNC5337 represents one of the most significant VPN infrastructure compromises in recent history. The deployment of advanced malware with rootkit capabilities and anti-forensic features demonstrates the evolving sophistication of nation-state cyber operations targeting critical infrastructure.

Organizations must prioritize the complete remediation of potentially compromised Ivanti appliances through factory reset procedures while implementing comprehensive monitoring and detection capabilities. The persistent nature of the deployed malware requires thorough investigation and ongoing vigilance.

The incident serves as a critical reminder of the importance of rapid patch deployment, comprehensive network monitoring, and the need for robust incident response capabilities in the face of advanced persistent threats.

Stay Vigilant