Mandiant has published new details regarding a zero-day vulnerability (CVE-2025-0282) that Ivanti disclosed and simultaneously patched, impacting its Ivanti Connect Secure VPN appliances.
Ivanti identified the compromise based on indications from the company-supplied Integrity Checker Tool along with other commercial security monitoring tools. In its current analysis, Mandiant observed CVE-2025-0282 has been exploited in the wild by a suspected China-nexus espionage actor beginning as early as December 2024.
While Mandiant can’t attribute the exploitation of CVE-2025-0282 to a specific threat actor at this time, the researchers have observed the same malware family (i.e. SPAWN) that was previously reported in April 2024 and is associated with UNC5337, which Mandiant assesses with moderate confidence is the same group tracked as UNC5221.
Mandiant notes that “it is possible that multiple actors are responsible for the creation and deployment” of the various malware families they’ve seen in their on-going investigations (i.e. SPAWN, DRYHOOK and PHASEJAM), but notes that “as of publishing this report, we don’t have enough data to accurately assess the number of threat actors targeting CVE-2025-0282.”
Successful exploitation of CVE-2025-0282 gives attackers the following capabilities:
- Remote Code Execution: Can lead to remote code execution, enabling attackers to take control of affected systems.
- Lateral Movement: Once compromised, attackers are moving laterally within networks to expand their access, which could result in downstream impact beyond the appliance.
- Persistent Backdoors: Attackers are installing backdoors to maintain access to compromised systems. Some backdoors have the capability to persist across system upgrades, which is why Ivanti’s guidance to affected customers is to perform a factory reset.
Two interesting tactics worth noting (Note: Mandiant currently doesn’t have enough data to determine which threat actor is executing these):
- After successfully exploiting CVE-2025-0282, the threat actor deploys the custom malware PHASEJAM to establish an initial foothold on the system and prevents system upgrades from installing, allowing for attempted persistent access across system upgrades. Anticipating that a failed upgrade install would draw more attention from the system admin, the threat actor instead renders a fake upgrade progress bar to trick an admin into thinking the attempted upgrade was installed correctly, but it silently blocks the legitimate upgrade process.
- Recent versions of Ivanti Connect Secure have a built-in integrity checker tool (ICT), which has been effective in identifying compromises related to this vulnerability. The ICT acts like a check engine light for the appliance that may light up to tell users that something is wrong or behaving strangely. It periodically runs diagnostics on the appliance, constantly monitoring its vital signs for any anomalies or deviations from its known ‘healthy’ state. In some instances, the threat actor has attempted to edit the ICT’s manifest of ‘healthy files’ to include their malicious files and circumvent detection.
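The last point is a general lesson for any integrity checker: if the manifest of known-good hashes lives on the same writable filesystem as the files it vouches for, editing the manifest defeats the check. The toy checker below is an added example written for this article; it is not Ivanti's ICT, not Mandiant's code, and knows nothing about the real appliance's file layout or manifest format. It compares a naive file-versus-manifest check with one that first authenticates the manifest with an HMAC keyed from an assumed out-of-band trust anchor (the constant `MANIFEST_KEY` is a stand-in for a key a real design would keep off the writable filesystem). All file names and contents are constructed.

```python
"""Toy file-integrity checker showing why the manifest of 'healthy' file
hashes must itself be integrity-protected.

Added illustration only; not Ivanti's ICT or Mandiant's code. File names,
manifest format and the HMAC key are constructed for the example.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed key. In a real design this trust anchor would live somewhere
# an attacker with write access to the appliance filesystem cannot reach.
MANIFEST_KEY = b"example-manifest-signing-key"


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = sha256_of(full)
    return entries


def sign_manifest(entries):
    """Serialize the manifest deterministically and attach an HMAC tag."""
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(MANIFEST_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def check_files(root, entries):
    """Naive check: trusts whatever manifest it is handed.
    Returns (unexpected_files, modified_files)."""
    current = build_manifest(root)
    unexpected = sorted(p for p in current if p not in entries)
    modified = sorted(p for p in current if p in entries and current[p] != entries[p])
    return unexpected, modified


def check_files_authenticated(root, signed):
    """Hardened check: refuse to use a manifest whose HMAC does not verify.
    Returns (manifest_ok, unexpected_files, modified_files)."""
    expected = hmac.new(MANIFEST_KEY, signed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        return False, [], []
    unexpected, modified = check_files(root, json.loads(signed["body"]))
    return True, unexpected, modified


def demo():
    """Baseline -> an unlisted file appears -> the manifest is edited to list it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "legit.bin"), "wb") as f:
        f.write(b"constructed appliance component")
    signed = sign_manifest(build_manifest(root))

    # An unlisted file shows up on disk; both checks flag it at this point.
    with open(os.path.join(root, "dropped.bin"), "wb") as f:
        f.write(b"constructed sample file, not real malware")
    naive_before = check_files(root, json.loads(signed["body"]))
    auth_untampered = check_files_authenticated(root, signed)

    # The on-disk manifest is edited to list the new file as 'healthy'.
    # The naive check is silenced; the authenticated check sees a bad tag.
    tampered = json.loads(signed["body"])
    tampered["dropped.bin"] = sha256_of(os.path.join(root, "dropped.bin"))
    signed_tampered = {"body": json.dumps(tampered, sort_keys=True), "tag": signed["tag"]}
    naive_after = check_files(root, tampered)
    auth_after = check_files_authenticated(root, signed_tampered)

    return {
        "naive_flags_new_file": naive_before[0],
        "authenticated_untampered": auth_untampered,
        "naive_after_manifest_edit": naive_after[0],
        "authenticated_manifest_ok": auth_after[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is the ordering inside `check_files_authenticated`: the manifest's tag is verified before a single file hash is consulted, so a manifest that has been rewritten to bless extra files is rejected outright rather than quietly trusted. A stronger variant would replace the shared HMAC key with a signature from a key the appliance can only verify, or compare against a manifest fetched from outside the device, which is the same reason the article's guidance leans on Ivanti's own tooling and a factory reset rather than on-box state alone.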