Full Report
CISA recommends immediate action to address malware variant RESURGE exploiting Ivanti vulnerability CVE-2025-0282
Analysis Summary
The following is a structured summary of the information available on the RESURGE malware targeting Ivanti appliances.
# Vulnerability: RESURGE Malware Exploiting Ivanti Connect Secure Buffer Overflow
## CVE Details
- CVE ID: **CVE-2025-0282**
- CVSS Score: **N/A** (Score not specified in the article, but described as *critical*)
- CWE: **Stack-based buffer overflow** (Implied by description)
## Affected Systems
- Products: **Ivanti Connect Secure appliances**
- Versions: **Not specified**
- Configurations: **N/A**
## Vulnerability Description
The vulnerability is a **stack-based buffer overflow** flaw in Ivanti Connect Secure appliances. Successful exploitation allows attackers to create web shells, manipulate system files, and achieve persistence across system reboots. The malware variant, RESURGE, leverages this flaw, showing capabilities similar to the prior SPAWNCHIMERA, but with unique commands for evasion.
## Exploitation
- Status: **Exploited in the wild** (The article reports that RESURGE has been uncovered and is being actively leveraged)
- Complexity: **Likely Low/Medium** (No complexity rating is given; the direct deployment of web shells following exploitation suggests a relatively straightforward mechanism)
- Attack Vector: **Network** (Implied, as it targets internet-facing appliances)
## Impact
- Confidentiality: **High** (Web shells for credential harvesting)
- Integrity: **High** (Ability to modify coreboot images and execute arbitrary commands)
- Availability: **Medium/High** (Persistence mechanisms make remediation complex)
## Remediation
### Patches
- **Specific patch version information is not provided in the article.** Users must consult official Ivanti advisories for the patch addressing CVE-2025-0282.
### Workarounds
- The article mentions that the malware copies components to the Ivanti **boot disk** and survives reboots by modifying **coreboot images**. Standard immediate workarounds may include:
* Applying all known Ivanti hotfixes immediately.
* Forensically scanning boot partitions for unauthorized persistence mechanisms (like those created by the `dsmain` utility).
* Reviewing network traffic for unusual C2 communication patterns (SSH tunnels).
## Detection
- **Indicators of Compromise (IoCs):**
* Presence of the **RESURGE** malware variant.
* Presence of the **SPAWNSLOTH** log-tampering tool variant.
* Presence of a custom binary named **`dsmain`**, which uses BusyBox utilities to decrypt and repackage coreboot images.
* Evidence of malicious web shells deployed on the appliance.
* SSH tunnels initiated from the appliance for C2 communication.
- **Detection Methods and Tools:**
* CISA Malware Analysis Report (MAR) review for specific signatures.
* File integrity monitoring (FIM) on coreboot images and system directories.
* Network monitoring for anomalous external connections (C2).
## References
- Advisories: [CISA releases malware analysis report: RESURGE malware associated with Ivanti Connect Secure](hxxps://www[.]cisa[.]gov/news-events/alerts/2025/03/28/cisa-releases-malware-analysis-report-resurge-malware-associated-ivanti-connect-secure)
- Relevant Links: [Infosecurity Magazine Article](hxxps://www[.]infosecurity-magazine[.]com/news/malware-resurge-exploits-ivanti/)