- Ivanti disclosed two security vulnerabilities, including one of critical severity.
- One of the vulnerabilities was exploited as a zero-day by a China-linked threat actor.
- Researchers discovered previously unknown malware deployed in the attack.
Ivanti has warned customers of a critical vulnerability affecting its VPN appliances, which is being actively exploited to deploy malware.
In a security advisory, Ivanti said it recently discovered two vulnerabilities: CVE-2025-0282 and CVE-2025-0283, both of which affect Ivanti Connect Secure VPN appliances.
The first is the more dangerous of the two. It carries a severity score of 9.0 (critical) and is described as an unauthenticated stack-based buffer overflow. “Successful exploitation could result in unauthenticated remote code execution, which could compromise the victim’s network downstream,” the company said.
The second vulnerability, also a stack-based buffer overflow, has a severity score of 7.0 (high).
New malware deployed
The company urged its customers to apply the patch immediately and provided more details about the threat actors and their tools.
In partnership with security researchers at Mandiant, Ivanti determined that the first vulnerability had been exploited in the wild as a zero-day, most likely by multiple malicious actors.
In at least one of the compromised VPNs, Mandiant discovered that malicious actors were deploying the SPAWN malware ecosystem (including the SPAWNANT installer, the SPAWNMOLE tunneler, and the SPAWNSNAIL SSH backdoor).
The group behind this attack has been identified as UNC5221, a suspected China-linked espionage group active since at least December 2023.
In the past, UNC5221 has been linked to the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPN appliances, targeting organizations in the telecommunications, healthcare, and government sectors. The group focuses on data exfiltration and espionage.
Mandiant also observed the attackers deploying previously unknown malware, now tracked as DRYHOOK and PHASEJAM. It could not attribute these families to any known threat actor.
“It is possible that multiple actors are responsible for the creation and deployment of these different code families (i.e. SPAWN, DRYHOOK, and PHASEJAM), but at the time of publishing this report, we do not have enough data to accurately assess the number of threat actors targeting CVE-2025-0282,” Ivanti said in the report.