
New Ivanti VPN vulnerabilities exploited

Posted on 20 January 2025

What happened?

On 8th January 2025, technology company Ivanti disclosed two critical vulnerabilities, CVE-2025-0282 and CVE-2025-0283, affecting their Connect Secure VPN appliances. The more severe of the two, CVE-2025-0282, is a vulnerability that allows for unauthenticated remote code execution. This vulnerability has been actively exploited since mid-December 2024, leading to potential network compromises.

The exploitation process involved disabling security features, remounting drives to allow writing, and deploying web shells for remote access. Mandiant observed the use of malware families DRYHOOK and PHASEJAM, which were not at the time of reporting attributed to any known group.

Additionally, the SPAWN family of malware, including SPAWNANT, SPAWNMOLE, and SPAWNSNAIL, had been used. Google Mandiant attributed this activity to a group designated "UNC5337", which is thought to be part of a broader group, "UNC5221", suspected of China-nexus espionage activity.

The attackers demonstrated sophisticated techniques to maintain persistence, including simulating system upgrades and modifying system files to avoid detection by Ivanti's Integrity Checker Tool (ICT). They were also observed performing network reconnaissance, credential harvesting, and database theft, indicating a high level of threat to compromised networks.

So what?

Defenders should anticipate and be prepared for broad and opportunistic exploitation efforts, which are expected to focus on credential theft and the establishment of web shells for sustained access. Furthermore, should proof-of-concept exploits for CVE-2025-0282 become available, it is likely that more threat actors will attempt to compromise Ivanti Connect Secure appliances.

Ivanti have provided guidance to use their Integrity Checker Tool to identify unusual activity, and to contact their support team if any is found. While this is a good first step, it may not detect malware or Indicators of Compromise (IOCs), and the tool should be run alongside other security monitoring tools. IOCs are provided in the appendix.

If compromise is detected, Ivanti recommend a factory reset of the appliance, followed by returning it to production on version 22.7R2.5.

More broadly, the exploitation of edge appliances such as these is a favoured tactic for threat actors, so due care should be taken to monitor and protect them, as further vulnerabilities and exploitation are almost certain.
