Mandiant: Latest Ivanti vulns exploited by Chinese cyber spooks
Threat actors are once again lining up to exploit vulnerabilities in the widely used Ivanti product suite, with a link to Chinese espionage activity firmed up by Mandiant analysts
Security supplier Ivanti has once again found itself at the centre of an expanding series of breaches after it emerged that two freshly disclosed vulnerabilities in a number of its products are likely being exploited by China-backed threat actors.
The vulnerabilities in question – which are designated CVE-2025-0282 and CVE-2025-0283 – affect Ivanti’s Connect Secure, Policy Secure and Neurons for ZTA gateway products.
Exploitation of the first enables a threat actor to achieve unauthenticated remote code execution (RCE), and exploitation of the second enables a locally authenticated attacker to escalate their privileges.
CVE-2025-0282 is officially a zero-day, and has already been added to the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) catalogue. In the UK, a spokesperson for the National Cyber Security Centre (NCSC) said: “The NCSC is working to fully understand the UK impact and investigating cases of active exploitation affecting UK networks.”
In the real world, Ivanti said, a limited number of users of its Connect Secure appliances have been affected by CVE-2025-0282 as of Thursday 9 January 2025. However, no users of Policy Secure or ZTA gateways have been impacted, and as of 9 January, there was no conclusive evidence that CVE-2025-0283 had been exploited at all.
A patch is now available for both CVEs in Connect Secure, but for now, they both remain unpatched in Policy Secure and Neurons for ZTA, with a fix not expected until 21 January.
An Ivanti spokesperson said: “We continue to work closely with affected customers, external security partners, and law enforcement agencies as we respond to this threat. We strongly advise all customers to closely monitor their internal and external ICT as a part of a robust and layered approach to cyber security to ensure the integrity and security of the entire network infrastructure.
“We have made additional resources and support teams available to assist customers in implementing the patch and addressing any concerns.
“Thank you to our customers and security partners for their engagement and support, which enabled our swift detection and response to this issue,” they added. “We remain committed to continuously improving our products and processes through collaboration and transparency.
“This incident serves as a reminder of the importance of continuous monitoring and proactive and layered security measures, particularly for edge devices (such as VPNs) which provide an essential service as the initial access point to a corporate network – but which are also highly appealing to attackers.”
Latest connection to China
According to Google Cloud’s Mandiant, which has been working alongside Ivanti on investigation and remediation, in at least one instance, a threat actor has managed to use the flaws to deploy elements of the SPAWN malware ecosystem, including SPAWNMOLE, a tunneller, and SPAWNSNAIL, an SSH backdoor.
Mandiant’s researchers said the use of this malware in attacks on Ivanti products has been attributed to the UNC5337 threat activity cluster, which is linked to UNC5221, a suspected China-nexus espionage group known to have exploited other Ivanti vulnerabilities in early 2024.
Writing on LinkedIn, Mandiant chief technology officer Charles Carmakal described UNC5221’s latest campaign as developing and still under analysis, and hinted that there may be other threat actors in the mix. Describing a “potential mass exploitation” scenario, he urged Ivanti users to prioritise applying the new patches immediately.
However, he warned, this process may not be without risk. “The threat actor implemented a novel technique to trick administrators into thinking they’ve successfully upgraded a system,” he wrote.
“The threat actor deployed malware which blocks legitimate system upgrades while simultaneously displaying a fake upgrade progress bar. This creates a convincing facade of a successful update, when in reality, the malware silently prevents the actual upgrade from taking place. Some organisations may assume they’ve addressed the vulnerability when they actually haven’t.”
He added that the attackers may also have tampered with Ivanti’s on-board Integrity Checker Tool – designed to help users identify compromises – to hide evidence of their malware’s presence.
‘Take this seriously’
Benjamin Harris, CEO of WatchTowr, an attack surface management specialist, urged Ivanti users to pay close attention to the latest developments.
“Our concern is significant as this has all the hallmarks of APT usage of a zero-day against a mission-critical appliance,” he said. “It also resembles the behaviour and drama circulating Ivanti products that we as an industry saw in January 2024, and we can only hope that Ivanti has learned from that experience with regard to actioning an effective response.”
Harris added that the lack of patches across the full affected product stack should be an additional concern.
“Ivanti Connect Secure users have a patch available, but once again – patches for other affected appliances like Ivanti’s Policy Secure and Neurons for ZTA gateways are left waiting three weeks for a patch. Users of these products should not hesitate – these appliances should be pulled offline until patches are available,” he said.
“WatchTowr client or not – we urge everyone to please take this seriously. Throw your vulnerability SLAs into the proverbial wind in situations like this, they are no longer relevant and the difference between a rapid response, and a response in hours, could be the difference between your organisation calling your cyber insurer or not.”