Overview

A critical zero-day vulnerability (CVE-2025-0282) in Ivanti Connect Secure VPN appliances has been actively exploited since December 2024. The flaw is a stack-based buffer overflow that enables unauthenticated remote code execution and carries a CVSS score of 9.0.

Key Findings

  1. Multiple threat actors, including China-linked UNC5337, are exploiting the vulnerability
  2. Mandiant has identified new malware families, including the SPAWN ecosystem, DRYHOOK, and PHASEJAM
  3. The exploit enables deployment of the SPAWNANT installer, the SPAWNMOLE tunneler, and the SPAWNSNAIL SSH backdoor

Risk Analysis

  • Probability: High - Active exploitation observed
  • Impact: Critical - Enables complete system compromise
  • Exposure: Global - All unpatched Ivanti Connect Secure appliances
  • Detection: Medium - Identified through Mandiant threat intelligence

Action Items

  • Immediately patch affected systems
  • Monitor for indicators of compromise
  • Implement network segmentation
  • Enable enhanced logging and monitoring
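The first two action items start with knowing which appliances are still exposed. The following Python script is an added example (not code from the original advisory or from Ivanti) that triages an asset inventory by firmware version. It assumes a version layout of the form `MAJOR.MINORrRELEASE[.PATCH]` (e.g. `22.7R2.4`), uses a constructed inventory with made-up hostnames, and uses a clearly marked placeholder for the fixed build because the page does not state it; substitute the version from the vendor advisory before using it for real. Records whose version string cannot be parsed are reported as `unknown` rather than silently treated as patched.

```python
import re
from typing import Dict, List, Tuple

# Assumed version layout "MAJOR.MINOR R RELEASE [.PATCH]", e.g. "22.7R2.4".
# This is an assumption about the appliance's version string, not something
# taken from the page.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a version string into a comparable tuple; raise ValueError if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = m.groups()
    # A missing patch component is treated as patch level 0.
    return (int(major), int(minor), int(release), int(patch or 0))


def classify(version: str, fixed_version: str) -> str:
    """
    Return "patched" if the appliance runs the fixed build or later,
    "unpatched" if it runs an older build, and "unknown" if the version
    cannot be parsed. "unknown" is kept separate on purpose so that a bad
    inventory record is never silently counted as safe.
    """
    fixed = parse_version(fixed_version)
    try:
        current = parse_version(version)
    except ValueError:
        return "unknown"
    return "patched" if current >= fixed else "unpatched"


def triage(inventory: List[Dict[str, str]], fixed_version: str) -> Dict[str, List[str]]:
    """Group appliance hostnames by patch status; each list is sorted for stable output."""
    buckets: Dict[str, List[str]] = {"unpatched": [], "unknown": [], "patched": []}
    for record in inventory:
        buckets[classify(record["version"], fixed_version)].append(record["host"])
    for names in buckets.values():
        names.sort()
    return buckets


# PLACEHOLDER: the page does not give the fixed build number. Replace this
# constructed value with the version from the vendor advisory for CVE-2025-0282.
FIXED_VERSION_PLACEHOLDER = "22.7R2.9"

# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    {"host": "vpn-eu-1.example.internal", "version": "22.7R2.3"},
    {"host": "vpn-us-1.example.internal", "version": "22.7R2.9"},
    {"host": "vpn-us-2.example.internal", "version": "22.7R3"},
    {"host": "vpn-apac-1.example.internal", "version": "22.6R2.3"},
    {"host": "vpn-lab-1.example.internal", "version": "n/a"},
]


if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY, FIXED_VERSION_PLACEHOLDER)
    # Unpatched appliances are the ones to patch and monitor first; unknown
    # records need their inventory data fixed before they can be cleared.
    for status in ("unpatched", "unknown", "patched"):
        print(f"{status:>9}: {', '.join(result[status]) or '-'}")
```

The `unpatched` and `unknown` buckets together are the exposure list for the "Exposure: Global - All unpatched Ivanti Connect Secure appliances" risk line above; anything in them should be patched first and prioritized for indicator-of-compromise review.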