
Mandiant connects Ivanti zero-day exploitation to Chinese hackers

Mandiant recently discovered a zero-day attack against Ivanti Connect Secure VPN appliances and linked the incident to UNC5337, a threat actor with ties to previous exploitation of Ivanti products. According to Mandiant's findings, the attack targeted a vulnerability tracked as CVE-2025-0282, which Ivanti disclosed on Wednesday. Ivanti urged customers to apply the available patches promptly to prevent further exploitation.

Exploitation of CVE-2025-0282 was first detected in mid-December, and Mandiant's investigation pointed to UNC5337 as the responsible party. This threat actor has a history of targeting Ivanti products, with previous attacks dating back to January 2024. Mandiant highlighted UNC5337's involvement in deploying the SPAWN ecosystem of malware on Ivanti Connect Secure appliances, a pattern of activity consistent with the current campaign.

While Mandiant did not definitively attribute the recent zero-day attacks to UNC5337, the earlier deployment of SPAWN malware on Ivanti Connect Secure appliances was linked to the threat actor with a high degree of confidence. The company also assessed that UNC5337 is likely associated with UNC5221, another China-nexus group known for exploiting vulnerabilities in Ivanti products.

In addition to exploiting CVE-2025-0282, the threat actor behind the attack used several techniques to evade detection and maintain persistence on compromised systems. One such method, dubbed "Phasejam," blocked legitimate system upgrades while misleading administrators with a fake progress bar. This ensured that any backdoors or tools left by the threat actor remained active on the appliance even after an attempted upgrade.

Mandiant warned users to remain vigilant against opportunistic exploitation, as threat actors may rely on web shells to maintain access to compromised systems. The company also emphasized the importance of using detection tooling to identify post-exploitation activity and recommended running the Integrity Checker Tool provided by Ivanti.

Collaborating closely with Ivanti, government partners, and security vendors, Mandiant has been actively working to address the attack campaign. While Ivanti reported that only a limited number of customers were affected by the exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0282 to its Known Exploited Vulnerabilities catalog, setting a deadline for federal agencies to address the flaw.

CISA issued an alert to emphasize the importance of addressing the security vulnerabilities in Ivanti products, highlighting the risks associated with CVE-2025-0282. The agency advised organizations to take immediate action to mitigate the potential impact of the exploit, including running the Integrity Checker Tool and monitoring authentication services for any signs of compromise.

As the investigation into the zero-day attack continues, security experts stress the need for proactive measures to protect against similar incidents in the future. By staying informed and implementing effective security protocols, organizations can reduce their exposure to threats and safeguard their systems against potential exploitation.
