New Ivanti VPN Zero-Day Exploit Suspected to Come from China-Backed Cyber Spies

Written by: Lore Apostol, Cybersecurity & Streaming Writer

The exploitation of a newly patched Ivanti VPN zero-day vulnerability is reportedly attributed to Chinese cyber spies. Ivanti recently patched two vulnerabilities in its Connect Secure (ICS) VPN appliances — CVE-2025-0282 and CVE-2025-0283. 

CVE-2025-0282, identified as a critical stack-based buffer overflow, enables unauthenticated remote attackers to execute arbitrary code. The company warned that the vulnerability had been actively exploited against a limited number of customers, though it shared minimal information on the observed attacks.

Mandiant confirmed the exploitation of CVE-2025-0282 by Chinese-linked threat actors. Initial exploitation activity was observed in mid-December 2024, with attackers using a malware family called Spawn. 

Spawn includes various components, such as the SpawnAnt installer, SpawnMole tunneler, and SpawnSnail SSH backdoor — tools previously attributed to UNC5337, a Chinese espionage group.

Mandiant’s analysis suggests, with medium confidence, that UNC5337 is a subset of a broader Chinese threat group labeled UNC5221. This group had been previously linked to exploiting Ivanti vulnerabilities like CVE-2023-46805 and CVE-2024-21887, targeting organizations such as MITRE and CISA.

The attacks leveraging CVE-2025-0282 also involved new malware families named DryHook and PhaseJam. These malware strains have not yet been attributed to a specific threat group. 

The PhaseJam malware operates as a dropper, modifying ICS components, deploying web shells, and overwriting executables to execute arbitrary commands. It provides an initial foothold for attackers to execute commands, upload files, and exfiltrate data.

Used post-exploitation, the DryHook malware steals credentials from compromised systems.

Attackers further enhanced persistence across system upgrades with the SpawnAnt malware, storing components in a dedicated upgrade partition. Notably, PhaseJam also blocks legitimate system upgrades, displaying a fake upgrade progress bar to the user to avoid suspicion.

The attackers sent requests to identify ICS software versions and then leveraged CVE-2025-0282 to disable SELinux, modify configurations, execute custom scripts, and deploy web shells, ultimately laying the groundwork for malware deployment.

CISA has since added CVE-2025-0282 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies patch the vulnerability by January 15, 2025.

Mandiant has raised concerns that if proof-of-concept (PoC) exploits for CVE-2025-0282 are created and disseminated publicly, additional threat actors may leverage the vulnerability.

Ivanti has rolled out fixes for Connect Secure, though its Policy Secure and Neurons for ZTA gateways remain impacted. Patches for these products are scheduled for release on January 21, 2025.

Organizations using Ivanti products are strongly advised to deploy security patches immediately and monitor their systems for indicators of compromise to avoid exposure to sophisticated cyber espionage campaigns.