
Ivanti Connect Secure zero-day vulnerability exploited since mid-December (CVE-2025-0282)


The zero-day attacks exploiting the Ivanti Connect Secure (ICS) vulnerability (CVE-2025-0282) were first detected in mid-December 2024 by researchers at Mandiant. While the exact identity of the threat actor(s) behind the attacks remains unclear, the use of known malware on compromised VPN appliances points to the China-linked espionage groups UNC5337 and UNC5221, which have exploited ICS vulnerabilities on multiple occasions in recent years.

According to the researchers at Mandiant, defenders should be on high alert for widespread exploitation aimed at stealing credentials and establishing persistent access through the deployment of web shells. They also warned that if proof-of-concept exploits for CVE-2025-0282 are made public, it is likely that other threat actors will try to target Ivanti Connect Secure appliances as well.

In their analysis of the compromised ICS appliances, Mandiant’s analysts found that the attackers used a variety of malware and techniques for network reconnaissance and lateral movement within the affected organizations. One of the malware families deployed was SPAWN, which includes several components: an installer, a tunneler, a backdoor, and a log-tampering utility. The attackers also used previously unseen malware named DRYHOOK and PHASEJAM, for credential theft and web shell deployment respectively.

Before exploiting CVE-2025-0282, the attackers probed the targeted appliances to determine their software version. While the vulnerability affects multiple patch levels of ICS release 22.7R2, successful exploitation is version-specific and involves a series of steps, including disabling SELinux, remounting the drive as read-write, deploying web shells, and removing specific log entries to cover their tracks.

To mitigate the threat posed by these attacks, Ivanti recommends using the Integrity Checker Tool to detect any malicious modifications on the appliances. Mandiant has also provided indicators of compromise and YARA rules to help organizations identify the presence of the malware used by the attackers. Additionally, CISA’s directives to US federal civilian agencies emphasize the importance of performing a factory reset on affected appliances before installing a patched version to ensure complete remediation.

The persistence mechanisms employed by the malware highlight the need for thorough remediation efforts to eliminate any residual threats. By following the guidance provided by security experts and implementing proactive measures, organizations can better defend against and respond to sophisticated cyber threats such as the Ivanti Connect Secure zero-day attacks.
