In a recent disclosure by Ivanti, a critical buffer overflow vulnerability (CVE-2025-0282) affecting Connect Secure VPN appliances has been brought to light. The flaw stems from improper use of the strncpy function within the web server component and allows remote attackers to execute arbitrary code. Exploitation was first detected in Japan in December 2024, before Ivanti issued an official advisory. Researchers identified the malware responsible as a new variant of the SPAWN malware family, named "SPAWNCHIMERA," which not only exploits the vulnerability but also deploys a self-contained fix to stop other attackers from exploiting the same flaw.
SPAWNCHIMERA represents a more advanced iteration of previous SPAWN malware variants (such as SPAWNANT, SPAWNMOLE, and SPAWNSNAIL), incorporating their functionalities into a sophisticated modular framework. Its main objectives include maintaining persistent access to compromised systems, facilitating lateral movement, and intercepting network traffic via injected processes.
Researchers have observed several enhancements in SPAWNCHIMERA, including refined UNIX domain socket communication, improved XOR-based decoding routines for stealth, and the removal of debug messages to hinder detection and analysis. What sets SPAWNCHIMERA apart is a built-in patch that neutralizes the very buffer overflow it exploits: it hooks the strncpy function and restricts copies to 256 bytes, so the overflow can no longer occur. The hook checks whether the running process name matches the vulnerable service and truncates any copy that exceeds the size limit. However, if the hook detects a specific bypass signature in the source buffer, it lets the copy through unmodified, so the attackers can keep exploiting the flaw themselves while the patch shields it from everyone else and the attack stays hidden from security tools.
The unconventional strategy of exploiting and patching a vulnerability at the same time presents a significant challenge for security teams. It not only blocks other threat actors from exploiting the same vulnerability but also makes it harder for responders inspecting compromised systems to identify and eradicate the malware's persistence mechanisms. Cybersecurity experts are urging prompt patching of Ivanti appliances and heightened vigilance for suspicious artifacts, such as particular UNIX sockets and shared objects, to thwart further compromises.
In light of this complex threat landscape, organizations utilizing Ivanti’s Connect Secure VPN appliances must take immediate action to secure their systems and prevent potentially devastating cyberattacks. The evolving tactics of threat actors, exemplified by SPAWNCHIMERA, underscore the ongoing need for robust cybersecurity measures and proactive defense strategies to safeguard against sophisticated cyber threats.