Researchers from Google’s Mandiant division have uncovered a critical remote code execution vulnerability that was recently patched by software vendor Ivanti. According to Mandiant, this vulnerability has been exploited by a Chinese cyberespionage group since mid-December. The same group has a history of exploiting zero-day vulnerabilities in Ivanti Connect Secure appliances dating back to January 2024.
The attacks exploiting the newly patched CVE-2025-0282 flaw involved the deployment of multiple malware components from a toolkit known as SPAWN. Mandiant has linked this toolkit to a cluster of activity known as UNC5337, which they suspect is related to another group tracked as UNC5221. UNC5221, a suspected China-based espionage actor, has previously exploited vulnerabilities in Ivanti Connect Secure VPN appliances as early as December 2023. Mandiant has also observed UNC5221 using a compromised network of Cyberoam appliances to facilitate intrusion operations.
The SPAWN toolkit includes various custom malware tools designed to interact with Connect Secure features and code. Some of the tools include the SPAWNANT installer, SPAWNMOLE tunneler, SPAWNSNAIL SSH backdoor, and the SPAWNSLOTH log tampering utility. In addition to these known tools, the recent attacks also featured new components such as a credential harvester named DRYHOOK and a malware dropper called PHASEJAM.
Ivanti has issued a security advisory instructing customers to perform a factory reset on their appliances before deploying the patched 22.7R2.5 version. According to Mandiant’s analysis, the reset is necessary because the PHASEJAM dropper modifies legitimate Connect Secure components to block real upgrades and simulate them in a visually convincing manner. The dropper even displays a fake new version number at the end of the simulated upgrade process to deceive administrators into believing the patch was applied.
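The reason a factory reset is recommended over an in-place upgrade is that, once upgrade components are tampered with, the appliance's own reporting can no longer be trusted. The following is an added example (not code from the article, Mandiant, or Ivanti) of the defender-side principle involved: compare the hashes of upgrade-related files against a baseline manifest captured from a known-clean image, and treat any reported version string as untrustworthy if those files do not match. The file names and contents are constructed and hypothetical, not Ivanti's real paths.

```python
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


# Constructed clean component contents (hypothetical names and contents;
# not Ivanti's real files). A real baseline would be captured from a
# known-good image, never from the appliance under suspicion.
CLEAN_COMPONENTS: Dict[str, bytes] = {
    "/opt/upgrade/run_upgrade.sh": b'#!/bin/sh\nexec /opt/upgrade/installer "$@"\n',
    "/opt/upgrade/installer": b"\x7fELF-placeholder-installer-v1\n",
    "/opt/web/version_page.cgi": b"#!/bin/sh\ncat /etc/appliance_version\n",
}

# Baseline manifest: path -> expected SHA-256 of the clean file.
BASELINE_MANIFEST: Dict[str, str] = {
    path: sha256_hex(data) for path, data in CLEAN_COMPONENTS.items()
}

# Constructed tampered state mirroring the behaviour the article describes:
# the upgrade script no longer invokes the real installer; it only prints a
# convincing "upgrade complete" message with a fake new version number.
TAMPERED_COMPONENTS: Dict[str, bytes] = dict(CLEAN_COMPONENTS)
TAMPERED_COMPONENTS["/opt/upgrade/run_upgrade.sh"] = (
    b"#!/bin/sh\necho 'Upgrade complete. Version: 22.7R2.5'\n"
)
TAMPERED_COMPONENTS["/opt/upgrade/.helper"] = b"extra file dropped alongside\n"


def check_integrity(
    baseline: Dict[str, str], current: Dict[str, bytes]
) -> List[Tuple[str, str]]:
    """Compare current file contents against the baseline manifest.

    Returns (path, status) pairs where status is one of
    'missing', 'modified' or 'unexpected'. An empty list means clean.
    """
    findings: List[Tuple[str, str]] = []
    for path, expected_digest in sorted(baseline.items()):
        if path not in current:
            findings.append((path, "missing"))
        elif sha256_hex(current[path]) != expected_digest:
            findings.append((path, "modified"))
    for path in sorted(current):
        if path not in baseline:
            findings.append((path, "unexpected"))
    return findings


def version_claim_is_trustworthy(
    findings: List[Tuple[str, str]], upgrade_prefix: str = "/opt/upgrade/"
) -> bool:
    """A version string shown by the appliance is only meaningful if none of
    the components on the upgrade path have been altered or added to."""
    return not any(path.startswith(upgrade_prefix) for path, _ in findings)


if __name__ == "__main__":
    for label, state in (("clean", CLEAN_COMPONENTS), ("tampered", TAMPERED_COMPONENTS)):
        findings = check_integrity(BASELINE_MANIFEST, state)
        print(f"{label}: findings={findings} "
              f"trust_reported_version={version_claim_is_trustworthy(findings)}")
```

The manifest must come from an out-of-band source (a vendor-published hash list or a pristine image), which is exactly why an in-place upgrade on a suspect device is not a substitute for the factory reset the advisory calls for: the tampered script above would happily report 22.7R2.5 without ever running the installer.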
The ongoing exploitation of vulnerabilities in Ivanti appliances by this Chinese cyberespionage group highlights the persistent threat posed by sophisticated actors targeting edge devices. It also underscores the importance of timely patching and proactive security measures. Organizations using Ivanti products are urged to follow Ivanti’s security advisory, including the factory reset before patching, to mitigate the risk of falling victim to these attacks.
In conclusion, the evolving nature of cyber threats requires constant vigilance and collaboration between security researchers, vendors, and organizations to defend against malicious actors seeking to exploit vulnerabilities for their gain. By staying informed and taking proactive steps to secure their systems, enterprises can better protect themselves from the growing cyber threat landscape.
