China’s UNC5337 Takes Advantage of Ivanti Remote Code Execution Vulnerability for Second Time

A Chinese threat actor exploiting Ivanti remote access devices has once again come under the spotlight in the cybersecurity realm. The recurrent exploitation of vulnerabilities in Ivanti devices has raised concerns among cybersecurity experts and practitioners worldwide. Targeting of Ivanti appliances with sophisticated cyber attacks has been prevalent over the past year, with multiple high-profile vulnerabilities surfacing, including critical issues in Virtual Traffic Manager (vTM), Endpoint Manager, and Cloud Services Appliance (CSA), among others.

The series of vulnerabilities in Ivanti devices began with the discovery of two serious flaws in Ivanti’s Connect Secure (ICS) and Policy Secure gateways in January last year. These vulnerabilities were swiftly exploited by the Chinese-nexus threat actor UNC5337, linked to UNC5221, highlighting the sophistication and persistence of cyber threats in the digital landscape.

Fast forward to the present: UNC5337 has resurfaced with a fresh critical vulnerability in Ivanti's ICS, which also affects the Policy Secure and Neurons for Zero Trust Access (ZTA) gateways. Ivanti has also cautioned users about a second, slightly less severe bug that has not yet been leveraged in attacks. The return of UNC5337 to exploit Ivanti devices underscores the continuous threat landscape in cyberspace and the importance of vigilance and proactive security measures.

Arctic Wolf CISO Adam Marrè emphasized the complexity of cyber threats, noting that even with secure-by-design principles in place, determined threat actors can find ways to breach systems using innovative technologies and techniques. Marrè stressed the challenges of secure engineering and the critical need for organizations to adopt robust cybersecurity practices to mitigate risks effectively.

The not-yet-exploited vulnerability, CVE-2025-0283, is a buffer overflow in ICS, Policy Secure, and Neurons for ZTA gateways that could enable attackers to escalate their privileges on targeted devices. The other, CVE-2025-0282, is rated critical in the Common Vulnerability Scoring System (CVSS) and allows unauthenticated remote code execution as root. Ivanti recently disclosed both vulnerabilities and urged users to apply patches promptly to secure their systems against potential exploits.

Mandiant’s findings revealed UNC5337’s exploitation of CVE-2025-0282 using the “Spawn” malware family, including tools like SpawnAnt, SpawnMole, SpawnSnail, and SpawnSloth. These malware variants demonstrate a deep understanding of Ivanti Connect Secure appliances, showcasing the threat actor’s proficiency in targeting specific vulnerabilities for malicious purposes.

Additionally, Mandiant observed two other distinct malware strains, DryHook and PhaseJam, potentially deployed by UNC5337 or another threat actor in the cyber campaign. DryHook focuses on credential theft, while PhaseJam enables remote command execution and evades system upgrades using deceptive tactics, highlighting the evolving strategies of threat actors to evade detection and prolong compromise.

The prevalence of vulnerable ICS instances, as highlighted by The ShadowServer Foundation data, underscores the urgent need for organizations to update and secure their Ivanti devices promptly. Ivanti and the Cybersecurity and Infrastructure Security Agency (CISA) have issued mitigation instructions for CVE-2025-0282, emphasizing the criticality of running Ivanti’s Integrity Checker Tool (ICT) and applying patches to safeguard against cyber threats effectively.

While Ivanti has released patches for Connect Secure vulnerabilities, Policy Secure and ZTA gateways are slated to receive updates later this month. It is essential for organizations to prioritize security updates and follow best practices to defend against potential exploits and safeguard critical assets from malicious actors.

In conclusion, the resurgence of UNC5337’s exploits on Ivanti devices underscores the persistent threats facing organizations in the digital age. By staying informed, implementing proactive security measures, and adhering to patch management best practices, organizations can enhance their cybersecurity posture and defend against evolving cyber threats effectively. The cybersecurity landscape demands continuous vigilance and collaboration to mitigate risks and safeguard digital assets from malicious actors in an increasingly interconnected world.
