Mandiant reveals details of major Ivanti VPN vulnerability
Mandiant has released new findings on CVE-2025-0282, a stack-based buffer overflow in Ivanti Connect Secure (ICS) VPN appliances that allows unauthenticated remote code execution, following Ivanti's disclosure of the zero-day and release of a patch.
Ivanti said the compromise was first identified through its Integrity Checker Tool (ICT) in combination with other commercial security monitoring tools. Mandiant reported in-the-wild exploitation of the flaw beginning in mid-December 2024.
Mandiant has not yet attributed the exploitation of CVE-2025-0282 to a specific threat actor. It has, however, observed use of the SPAWN malware family, first described in April 2024 and associated with UNC5337, a cluster Mandiant assesses with medium confidence to be part of UNC5221, a suspected China-nexus espionage actor.
Mandiant stated that it is possible multiple actors are responsible for the creation and deployment of the various malware families seen in its ongoing investigations (i.e., SPAWN, DRYHOOK, and PHASEJAM), but noted that "as of publishing this report, we don't have enough data to accurately assess the number of threat actors targeting CVE-2025-0282."
Successful exploitation gives the attacker remote code execution on the appliance, from which Mandiant observed lateral movement into the internal network and the installation of persistent backdoors. Because some of these implants survive system upgrades, Ivanti advised affected customers to factory reset the appliance before installing the patched release rather than upgrading in place.
Mandiant highlighted two notable tactics used after exploitation of CVE-2025-0282. Having gained access, the threat actor deploys the custom "PHASEJAM" dropper to establish a foothold and tamper with the appliance's upgrade process so that legitimate upgrades are not actually installed, preserving the attacker's access.
To keep administrators from noticing, the modified upgrade process also renders a fake upgrade progress display, so the administrator sees what looks like a successful upgrade while the real upgrade has been blocked.
Ivanti's Integrity Checker Tool has been central to identifying compromises associated with this vulnerability. The ICT is a point-in-time check rather than a continuous monitor: when it is run, it compares the files present on the appliance against a manifest of expected files and their hashes and reports mismatches and additions that may indicate a compromise. Files the attacker has since removed, or changes made between runs, will not appear in its output.
Mandiant has also observed threat actors attempting to evade the tool by editing the manifest itself, adding their malicious files to the list of expected files so that the check reports a clean appliance.
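The manifest-tampering evasion described above is easy to reason about with a small reference integrity checker. The script below is an added illustration written for this page; it is not Ivanti's ICT, and the directory layout, file names and the hypothetical `manifest.json` format are all constructed for the example. It builds a SHA-256 manifest of an appliance tree, shows that a dropped file is reported as unexpected, then shows that appending the file's hash to an on-box manifest defeats a checker that trusts that manifest, while a checker that pins the manifest's own hash off-box flags the manifest as modified.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Optional


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def serialize_manifest(manifest: dict) -> bytes:
    # Canonical form so the manifest itself can be hashed and pinned.
    return json.dumps(manifest, sort_keys=True).encode()


def check_integrity(root: Path, manifest_bytes: bytes,
                    pinned_manifest_sha256: Optional[str] = None) -> dict:
    """Compare the live tree against a manifest.

    pinned_manifest_sha256 is the hash of the manifest as recorded somewhere the
    attacker cannot reach (build system, out-of-band store). If it is None the
    checker trusts whatever manifest it is handed, which is the weak setting.
    """
    manifest_trusted = (pinned_manifest_sha256 is None
                        or sha256_bytes(manifest_bytes) == pinned_manifest_sha256)
    manifest = json.loads(manifest_bytes)
    live = build_manifest(root)
    return {
        "manifest_trusted": manifest_trusted,
        "modified": sorted(p for p in manifest if p in live and live[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in live),
        "unexpected": sorted(p for p in live if p not in manifest),
    }


def demo() -> dict:
    """Walk through baseline, dropped file, and manifest tampering. Returns all four reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "appliance"          # constructed stand-in for the appliance root
        (root / "home" / "webserver").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "home" / "webserver" / "index.cgi").write_bytes(b"#!/bin/sh\necho ok\n")
        (root / "bin" / "upgrade.sh").write_bytes(b"#!/bin/sh\necho upgrading\n")

        # Baseline manifest, with its hash recorded off-box at build time.
        manifest_bytes = serialize_manifest(build_manifest(root))
        pinned = sha256_bytes(manifest_bytes)
        clean = check_integrity(root, manifest_bytes, pinned)

        # Stage 1: attacker drops a file (constructed placeholder, not real malware).
        shell = root / "home" / "webserver" / "cmd.cgi"
        shell.write_bytes(b"#!/bin/sh\n# constructed stand-in for a dropped web shell\n")
        dropped = check_integrity(root, manifest_bytes, pinned)

        # Stage 2: attacker adds the dropped file to the on-box manifest with a correct hash.
        tampered = json.loads(manifest_bytes)
        tampered["home/webserver/cmd.cgi"] = sha256_file(shell)
        tampered_bytes = serialize_manifest(tampered)
        naive = check_integrity(root, tampered_bytes, None)      # trusts on-box manifest
        pinned_check = check_integrity(root, tampered_bytes, pinned)  # pinned off-box

    return {"clean": clean, "dropped": dropped, "naive": naive, "pinned": pinned_check}


if __name__ == "__main__":
    for stage, report in demo().items():
        print(stage, json.dumps(report))
```

The point of the last two checks is the design choice: an integrity checker whose only source of truth lives on the host it checks can be made to lie by anyone with write access to that host, so the expected-state data (or at least its hash or signature) has to be anchored somewhere the attacker cannot reach, and run results should be compared against an external copy rather than the appliance's own report.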