Ivanti warns of active attacks on Ivanti Connect Secure systems. Code injection can compromise networks.
Ivanti warns of active attacks on a critical vulnerability in the VPN software Ivanti Connect Secure (ICS). This and another vulnerability also affect Ivanti Policy Secure and Ivanti ZTA Gateways. Updates are available for ICS, but for the other two products Ivanti has so far only announced updates.
In a security advisory, Ivanti discusses details of the vulnerabilities. The company has discovered attacks on a stack-based buffer overflow that allows malicious actors to inject and execute malicious code without prior authentication (CVE-2025-0282, CVSS 9.0, risk "critical"). Ivanti does not describe exactly what the attacks look like. A second vulnerability is likewise a stack-based buffer overflow; it allows logged-in users to escalate their own privileges (CVE-2025-0283, CVSS 7.0, high). According to Ivanti, however, this vulnerability is not currently being abused.
Mandiant’s Attack Details
Google's subsidiary Mandiant presents an initial analysis of the attacks in its own blog post. After successful exploitation, the attackers installed malware from the family that Mandiant calls Spawn, as well as malware families named Dryhook and Phasejam. The exploits for the vulnerability are version-specific, tailored to the individual patch levels of ICS. The malware then provides tunnels and web shells, prevents updates, harvests credentials and can cause further damage. Mandiant attributes the attacks to UNC5337, which it assesses to be a subgroup of UNC5221 located in China, and therefore an espionage group.
Ivanti says it knows of a limited number of attacked customers. Mandiant explains that the attacks began in mid-December 2024. The analyses are still ongoing, and the results so far are preliminary. At the end of the article, Mandiant lists Indicators of Compromise (IOCs) as well as helpful YARA rules that admins can use to examine their IT and be warned of attacks.
Ivanti explains that attacks on the CVE-2025-0282 vulnerability can be detected with the Integrity Checker Tool (ICT). Customers should closely monitor their internal and external ICTs as part of their security concept. Updated software is also available: Ivanti Connect Secure 22.7R2.5 plugs the vulnerability in the vulnerable versions 22.7R2 to 22.7R.4 as well as 9.1R18.9 and previous versions. Ivanti Policy Secure is also vulnerable, but is not supposed to be exposed to the Internet. Ivanti ZTA Gateways are only vulnerable if they are not "in production": if a gateway is generated and not connected to the ZTA controller, an exploit is possible. A software patch for these is also to be available on January 21.