Ivanti Connect Secure Zero-Day Actively Exploited in the Wild

A critical zero-day vulnerability in Ivanti Connect Secure VPN appliances is being actively exploited by threat actors to gain unauthenticated remote code execution.

Sebastion

CVE References: CVE-2025-0282, CVE-2025-0283

Affected: Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways

What happened: Ivanti disclosed a critical stack-based buffer overflow vulnerability (CVE-2025-0282) affecting Connect Secure, Policy Secure, and Neurons for ZTA gateways. Mandiant confirmed that the vulnerability has been actively exploited since mid-December 2024 by a suspected China-nexus espionage actor tracked as UNC5337.

Technical details: The vulnerability is a stack-based buffer overflow in the web component of Ivanti Connect Secure (versions before 22.7R2.5), allowing unauthenticated remote code execution. Attackers have been observed deploying the SPAWN malware ecosystem, including SPAWNANT (installer), SPAWNMOLE (tunneler), and SPAWNSNAIL (SSH backdoor). A second vulnerability, CVE-2025-0283, allows local privilege escalation.

Who is affected: Organizations running Ivanti Connect Secure versions prior to 22.7R2.5, Ivanti Policy Secure versions prior to 22.7R1.2, and Ivanti Neurons for ZTA gateways prior to 22.7R2.3. This predominantly impacts enterprises and government agencies using these VPN solutions for remote access.

What defenders should do: Apply the available patch for Connect Secure immediately. Run the Integrity Checker Tool (ICT) to detect signs of compromise. If compromise is suspected, perform a factory reset before applying the update. Monitor for the indicators of compromise published by Mandiant, including the SPAWN malware family hashes.
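As an added example (not part of the original brief or of any Ivanti tooling), the following script triages an appliance inventory against the fixed versions given above, flagging every host that is still on a version prior to the fix and therefore needs the patch followed by an ICT run. The version-string shape it parses (MAJOR.MINOR R RELEASE [.PATCH], e.g. "22.7R2.5") is an assumption about Ivanti's numbering, and the hostnames and versions in the sample inventory are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Fixed versions per product, taken from the advisory text in this brief.
# Anything "prior to" these is affected.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA gateways": "22.7R2.3",
}

# Assumed version shape: MAJOR.MINOR R RELEASE [.PATCH], e.g. "22.7R2.5" or "22.7R2".
# A missing PATCH component is treated as 0.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")


def parse_version(text):
    """Turn an Ivanti-style version string into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(product, version):
    """True when the appliance version is strictly older than the fixed version."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise KeyError(f"no fixed version recorded for product {product!r}")
    return parse_version(version) < parse_version(fixed)


@dataclass
class Finding:
    host: str
    product: str
    version: str
    affected: bool
    action: str


def triage(inventory):
    """Map (host, product, version) records to findings with a recommended action."""
    findings = []
    for host, product, version in inventory:
        affected = is_affected(product, version)
        if affected:
            action = (f"upgrade to {FIXED_VERSIONS[product]} and run the Integrity "
                      f"Checker Tool; factory reset first if compromise is suspected")
        else:
            action = "no upgrade needed; still run ICT if exposure predates patching"
        findings.append(Finding(host, product, version, affected, action))
    return findings


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("vpn-01.example.internal", "Ivanti Connect Secure", "22.7R2.4"),
    ("vpn-02.example.internal", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-03.example.internal", "Ivanti Connect Secure", "9.1R18.9"),
    ("nac-01.example.internal", "Ivanti Policy Secure", "22.7R1.2"),
    ("zta-01.example.internal", "Ivanti Neurons for ZTA gateways", "22.7R2"),
]


def affected_hosts(inventory):
    """Convenience view: just the hostnames that still need patching."""
    return [f.host for f in triage(inventory) if f.affected]


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        flag = "AFFECTED" if f.affected else "ok"
        print(f"{f.host:26} {f.product:32} {f.version:10} {flag:9} {f.action}")
```

Tuple comparison is what makes the check correct across release branches: a 9.1R18.x appliance sorts below 22.7R2.5 just as 22.7R2.4 does, which matches the brief's "versions prior to" wording. Feed the script your own export (host, product, version) and work the AFFECTED rows first.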

Broader implications: This marks the second consecutive year that Ivanti VPN products have been targeted by sophisticated threat actors. The repeated exploitation of edge network devices underscores the critical need for organizations to reevaluate their perimeter security strategies and consider zero-trust architecture alternatives.