- CISA warns of new malware targeting vulnerable Ivanti products
- Several products, vulnerable to a 2024 flaw, are targeted
- Malware can create web shells, harvest credentials and more
Several Ivanti products are being targeted by a piece of malware called RESURGE, a new security advisory published by the US Cybersecurity and Infrastructure Security Agency (CISA) has warned, detailing both the malware and the vulnerability exploited to deploy it.
RESURGE is a variant of SPAWNCHIMERA, a piece of malware targeting Ivanti Connect Secure appliances that gives attackers unauthorized access to, and persistent control over, vulnerable endpoints.
As well as surviving reboots, the malware can create web shells, manipulate integrity checks, modify files, and use those web shells to harvest credentials, create accounts, reset passwords and escalate privileges.
Remote code execution risk
In addition, RESURGE can copy the web shell to the Ivanti appliance's running boot disk and manipulate the running coreboot image.
To infect devices with RESURGE, threat actors exploit CVE-2025-0282, a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure and Neurons for ZTA gateways. It allows unauthenticated remote attackers to execute arbitrary code and has been exploited in the wild since mid-December 2024.
CISA added the flaw to its KEV catalog in early January 2025, noting that the vulnerable software includes Ivanti Connect Secure (before version 22.7R2.5), Ivanti Policy Secure (before version 22.7R1.2) and Ivanti Neurons for ZTA gateways (before version 22.7R2.3).
There are a number of things organizations can do to mitigate the risk, CISA said.
“For the highest level of confidence, perform a factory reset,” the advisory explains. “For cloud and virtual systems, perform the factory reset using a clean external image of the device.”
In addition, users should reset credentials for privileged and non-privileged accounts, reset passwords for all domain users and all local accounts, review access policies to temporarily revoke privileges or access for affected devices, reset relevant credentials or access keys, and monitor related accounts, in particular administrative accounts.
Via The Register