
Threat Actors Leveraging Critical Ivanti RCE Vulnerability Once More


In a now-familiar pattern of attacks on Ivanti remote access appliances, a suspected China-nexus threat actor has once again exploited a zero-day in these devices. This is the latest in a long run of Ivanti flaws that were discovered and exploited over the past year.

Last year alone brought multiple high-profile vulnerabilities across Ivanti's product line, including an authentication bypass in its Virtual Traffic Manager (vTM), a SQL injection bug in its Endpoint Manager, flaws in its Cloud Services Appliance (CSA), critical issues in its Standalone Sentry and Neurons for IT Service Management (ITSM), and dozens more. Several of these were exploited in the wild, raising broader questions about the security engineering of the appliances themselves.

The current wave traces back to January 2024, when two serious vulnerabilities were disclosed in Ivanti's Connect Secure (ICS) and Policy Secure gateways: an authentication bypass (CVE-2023-46805) and a command injection flaw (CVE-2024-21887), chained together for unauthenticated remote code execution. Those bugs were actively exploited by a suspected Chinese-nexus threat actor tracked as UNC5337, believed to be associated with UNC5221.

A year later, Ivanti is again under siege, this time via a new critical vulnerability in ICS that also affects Policy Secure and Neurons for Zero Trust Access (ZTA) gateways. Ivanti disclosed a second, less severe bug at the same time, but that one has not yet been observed in active exploitation.

Security experts, including Arctic Wolf CISO Adam Marrè, emphasize the sophistication of the threat actors behind these attacks. Marrè points to the difficulty of secure engineering in complex products like Ivanti's gateways and to the evolving tactics attackers use to exploit the flaws that result.

Both newly disclosed bugs are stack-based buffer overflows in ICS, Policy Secure, and Neurons for ZTA gateways. CVE-2025-0283 (CVSS 7.0) allows a local, authenticated attacker to escalate privileges and has not yet been seen exploited. CVE-2025-0282 (CVSS 9.0) is the critical one: it allows unauthenticated remote code execution, and threat actors have been exploiting it in the wild to deploy the SPAWN malware family, including SpawnAnt (installer), SpawnMole (tunneler), SpawnSnail (SSH backdoor), and SpawnSloth (log tampering).

The attackers have demonstrated a deep understanding of the appliances, deploying bespoke tooling alongside SPAWN: DryHook harvests credentials from the device, while PhaseJam drops web shells for remote command execution and tampers with the appliance's upgrade process. The persistence of these implants, and their interference with the device's own integrity and upgrade mechanisms, makes remediation a significant challenge for defenders.

Data from The Shadowserver Foundation indicates that roughly 2,000 Internet-exposed ICS instances could be vulnerable, concentrated in the US, France, and Spain. Ivanti and the Cybersecurity and Infrastructure Security Agency (CISA) have issued mitigation guidance for CVE-2025-0282, urging defenders to run Ivanti's Integrity Checker Tool (ICT) and apply patches promptly. Two practical caveats: the external ICT is the one to trust, since an attacker with root on the box can interfere with the on-device checker, and a device whose ICT results show signs of compromise should be factory reset before it is upgraded and returned to production.

Ivanti has released a patched Connect Secure build (22.7R2.5), but fixes for Policy Secure and Neurons for ZTA gateways are not scheduled until January 21. Administrators should prioritize the ICS update, isolate or closely monitor the remaining products until their patches ship, and verify each upgrade with the external ICT rather than trusting the appliance's own progress display.
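The first step in acting on the advice above is knowing which appliances in your inventory fall inside the affected version ranges. The script below is an added example, not code from Ivanti or from this article: it parses Ivanti's version strings and triages a constructed inventory against the CVE-2025-0282 ranges. The affected and fixed versions are taken from Ivanti's January 2025 advisory as I recall them, and are an assumption you should verify against the current advisory before relying on the output; hostnames and versions in the sample inventory are made up.

```python
"""Added example (not Ivanti's or the article's code): triage an appliance
inventory against the CVE-2025-0282 affected/fixed version ranges.

Assumption: the version ranges in AFFECTED reflect Ivanti's January 2025
advisory; confirm them against the current advisory before use.
"""
import re

# Per product: (first affected, last affected, fixed build, fix availability).
# Assumed from the advisory; verify before relying on these values.
AFFECTED = {
    "Connect Secure": ("22.7R2", "22.7R2.4", "22.7R2.5", "available"),
    "Policy Secure": ("22.7R1", "22.7R1.2", "22.7R1.3", "scheduled 2025-01-21"),
    "Neurons for ZTA": ("22.7R2", "22.7R2.3", "22.7R2.5", "scheduled 2025-01-21"),
}

# Ivanti version strings look like 22.7R2.4 or 9.1R18.9 (patch digit optional).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(v: str) -> tuple:
    """Turn '22.7R2.4' into (22, 7, 2, 4); a missing patch digit counts as 0."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {v!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def classify(product: str, version: str) -> str:
    """Classify one appliance as vulnerable, patched, out-of-range or unknown-product.

    'out-of-range' covers builds below the first affected version (for example
    the 9.1R18.x train), which the advisory treats separately; check it rather
    than assuming those devices are safe.
    """
    if product not in AFFECTED:
        return "unknown-product"
    first, last, fixed, _ = AFFECTED[product]
    v = parse_version(version)
    if parse_version(first) <= v <= parse_version(last):
        return "vulnerable"
    if v >= parse_version(fixed):
        return "patched"
    return "out-of-range"


def triage(inventory):
    """Return (host, product, version, status, fix) rows, most urgent first."""
    rows = []
    for host, product, version in inventory:
        status = classify(product, version)
        if product in AFFECTED:
            fix = f"{AFFECTED[product][2]} ({AFFECTED[product][3]})"
        else:
            fix = "n/a"
        rows.append((host, product, version, status, fix))
    order = {"vulnerable": 0, "out-of-range": 1, "unknown-product": 2, "patched": 3}
    return sorted(rows, key=lambda r: order[r[3]])


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("vpn-1.example.net", "Connect Secure", "22.7R2.4"),
    ("vpn-2.example.net", "Connect Secure", "22.7R2.5"),
    ("nac-1.example.net", "Policy Secure", "22.7R1.2"),
    ("zta-1.example.net", "Neurons for ZTA", "22.7R2.3"),
    ("vpn-old.example.net", "Connect Secure", "9.1R18.9"),
]

if __name__ == "__main__":
    for host, product, version, status, fix in triage(SAMPLE_INVENTORY):
        print(f"{status:16} {host:22} {product:16} {version:10} fix: {fix}")
```

A version match only tells you which devices need the patch; it says nothing about whether a device was already compromised. Run the external ICT against every appliance that classifies as vulnerable, and treat any that report tampering as a rebuild, not an upgrade.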

Security experts stress that timely patching and proactive verification are what separate organizations that contain these incidents from those that discover them months later. Given how reliably Ivanti edge devices have been targeted, defenders should treat them as high-value assets: patch promptly, verify integrity independently of the device, and keep layered monitoring around them rather than trusting the appliance alone.

