10 January 2025

Security supplier Ivanti has once again found itself at the centre of an expanding series of breaches after it emerged that two freshly disclosed vulnerabilities in a number of its products are likely being exploited by China-backed threat actors.

The vulnerabilities in question – which are designated CVE-2025-0282 and CVE-2025-0283 – affect Ivanti’s Connect Secure, Policy Secure and Neurons for ZTA gateway products.

Both are stack-based buffer overflows. Exploiting the first, CVE-2025-0282, enables an unauthenticated remote attacker to achieve remote code execution (RCE); exploiting the second, CVE-2025-0283, enables a locally authenticated attacker to escalate their privileges.

CVE-2025-0282 is a zero-day in the strict sense, having been exploited before a fix was available, and it has already been added to the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) catalogue. In the UK, a spokesperson for the National Cyber Security Centre (NCSC) said: “The NCSC is working to fully understand the UK impact and investigating cases of active exploitation affecting UK networks.”

Ivanti said that, as of Thursday 9 January 2025, a limited number of its Connect Secure customers had been affected by CVE-2025-0282. No Policy Secure or ZTA gateway customers were known to have been impacted, and as of the same date there was no conclusive evidence that CVE-2025-0283 had been exploited at all.

A patch (Connect Secure 22.7R2.5) is now available for both CVEs in Connect Secure, but both remain unpatched in Policy Secure and Neurons for ZTA, with fixes not expected until 21 January. Ivanti’s guidance for Connect Secure customers is to run its Integrity Checker Tool (ICT) and, where the tool flags signs of compromise, to factory reset the appliance before installing the patched release.

An Ivanti spokesperson said: “We continue to work closely with affected customers, external security partners, and law enforcement agencies as we respond to this threat. We strongly advise all customers to closely monitor their internal and external ICT as a part of a robust and layered approach to cyber security to ensure the integrity and security of the entire network infrastructure.

“We have made additional resources and support teams available to assist customers in implementing the patch and addressing any concerns.

“Thank you to our customers and security partners for their engagement and support, which enabled our swift detection and response to this issue,” they added. “We remain committed to continuously improving our products and processes through collaboration and transparency.

“This incident serves as a reminder of the importance of continuous monitoring and proactive and layered security measures, particularly for edge devices (such as VPNs) which provide an essential service as the initial access point to a corporate network – but which are also highly appealing to attackers.”

Latest connection to China

According to Google Cloud’s Mandiant, which has been working alongside Ivanti on investigation and remediation, in at least one instance a threat actor has used the flaws to deploy elements of the SPAWN malware ecosystem, including SPAWNMOLE, a tunneller, and SPAWNSNAIL, an SSH backdoor.

Mandiant’s researchers said the use of this malware following the targeting of Ivanti products has been attributed to the UNC5337 threat activity cluster, which is linked to UNC5221, a suspected China-nexus espionage group known to have exploited other Ivanti vulnerabilities in early 2024.

Writing on LinkedIn, Mandiant chief technology officer Charles Carmakal described UNC5221’s latest campaign as developing and still under analysis, and hinted that there may be other threat actors in the mix. Describing a “potential mass exploitation” scenario, he urged Ivanti users to prioritise applying the new patches immediately. However, he warned, this process may not be without risk.

“The threat actor implemented a novel technique to trick administrators into thinking they’ve successfully upgraded a system,” wrote Carmakal. “The threat actor deployed malware which blocks legitimate system upgrades while simultaneously displaying a fake upgrade progress bar. This creates a convincing facade of a successful update, when in reality, the malware silently prevents the actual upgrade from taking place. Some organisations may assume they’ve addressed the vulnerability when they actually haven’t.”

He added that the attackers may also have tampered with Ivanti’s on-board Integrity Checker Tool (ICT), which is designed to help users identify compromises, to hide evidence of their malware’s presence. The practical consequence is that neither the appliance’s own upgrade screen nor the result of an ICT run from within a possibly compromised appliance can be taken as proof that a device is clean or patched. Administrators should run the external version of the ICT rather than relying on the internal one, confirm the installed version after the upgrade, and follow Ivanti’s guidance to factory reset any Connect Secure appliance showing signs of compromise before installing the patched release.