Full Report
Mandiant says it found malware on impacted devices associated with a China-linked threat group. (Source: CyberScoop, "New zero-day exploit targets Ivanti VPN product".)
Analysis Summary
# Vulnerability: Ivanti Connect Secure Zero-Day Exploitation
## CVE Details
- CVE ID: CVE-2025-0282, CVE-2025-0283
- CVSS Score: Not given in the text (the excerpt lists the CVE identifiers only; the Ivanti advisory carries the vectors and scores)
- CWE: Not given in the text. CVE-2025-0282 is described as an unauthenticated stack-based buffer overflow, which is the class catalogued as CWE-121 (Stack-based Buffer Overflow). CVE-2025-0283 is not characterised in the text.
## Affected Systems
- Products: Ivanti Connect Secure (ICS) appliances
- Versions: Not listed in the summary excerpt; the Ivanti advisory gives the affected and fixed versions and should be used for version checks.
- Configurations: Not stated in the text.
## Vulnerability Description
Two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, were disclosed affecting Ivanti Connect Secure (ICS) appliances. CVE-2025-0282 is specifically identified as an **unauthenticated stack-based buffer overflow**. Successful exploitation allows unauthenticated Remote Code Execution (RCE) on the appliance. Because the appliance terminates VPN sessions for the internal network and holds session and credential material, a compromised device is a foothold for downstream compromise of the victim network. The text does not describe CVE-2025-0283 beyond listing it alongside CVE-2025-0282.
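The following is an added, constructed C example and is not Ivanti's code; it does not reproduce the actual CVE-2025-0282 bug or the ICS protocol, which the text does not describe. It shows the vulnerability class the text names (a pre-authentication parser copying an attacker-supplied length into a fixed-size stack buffer) next to the bounds check that closes it. The wire format, the 32-byte buffer size, and all function names are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CLIENT_ID_MAX 32  /* size of the fixed stack buffer; an assumption for this demo */

enum parse_status { PARSE_OK = 0, PARSE_SHORT = 1, PARSE_TOO_LONG = 2 };

/* Constructed wire format for the demo (not Ivanti's protocol): a two-byte
 * big-endian length field followed by that many bytes of client id. A parser
 * like this runs on the first packet of a session, before any credential is
 * checked, which is what makes the bug reachable unauthenticated. */

/* Vulnerable pattern: the copy length comes from the packet and is checked
 * only against the packet size, never against the 32-byte stack buffer. A
 * declared length of 33 or more writes past id[] into whatever the compiler
 * placed above it (other locals, saved registers, the return address).
 * Never call this with an oversized packet: the result is undefined behaviour. */
static enum parse_status parse_client_id_vulnerable(const uint8_t *pkt, size_t pkt_len,
                                                    char *out, size_t out_len)
{
    char id[CLIENT_ID_MAX];
    if (pkt_len < 2 || out_len == 0) return PARSE_SHORT;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > pkt_len - 2) return PARSE_SHORT;   /* bounds the read, not the write */
    memcpy(id, pkt + 2, declared);                    /* BUG: declared may exceed sizeof id */
    size_t n = declared < out_len - 1 ? declared : out_len - 1;
    memcpy(out, id, n);
    out[n] = '\0';
    return PARSE_OK;
}

/* Hardened version: identical parse, but the attacker-controlled length is
 * compared against the destination buffer before any byte is written. */
static enum parse_status parse_client_id_hardened(const uint8_t *pkt, size_t pkt_len,
                                                  char *out, size_t out_len)
{
    char id[CLIENT_ID_MAX];
    if (pkt_len < 2 || out_len == 0) return PARSE_SHORT;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > pkt_len - 2) return PARSE_SHORT;
    if (declared >= sizeof id) return PARSE_TOO_LONG;  /* reject before any stack write */
    memcpy(id, pkt + 2, declared);
    id[declared] = '\0';
    size_t n = declared < out_len - 1 ? declared : out_len - 1;
    memcpy(out, id, n);
    out[n] = '\0';
    return PARSE_OK;
}

/* Builds a constructed packet: length prefix plus payload_len bytes of 'A'.
 * Returns the total packet size, or 0 if it does not fit in cap. */
static size_t build_packet(uint8_t *pkt, size_t cap, size_t payload_len)
{
    if (payload_len > 0xFFFF || cap < 2 + payload_len) return 0;
    pkt[0] = (uint8_t)(payload_len >> 8);
    pkt[1] = (uint8_t)(payload_len & 0xFF);
    memset(pkt + 2, 'A', payload_len);
    return 2 + payload_len;
}

/* Runs the hardened parser on a constructed packet of payload_len 'A's. */
static enum parse_status hardened_status(size_t payload_len)
{
    uint8_t pkt[4096];
    char out[64];
    size_t n = build_packet(pkt, sizeof pkt, payload_len);
    if (n == 0) return PARSE_SHORT;
    return parse_client_id_hardened(pkt, n, out, sizeof out);
}

/* Runs the hardened parser on a raw packet supplied by the caller. */
static enum parse_status hardened_status_raw(const uint8_t *pkt, size_t pkt_len)
{
    char out[64];
    return parse_client_id_hardened(pkt, pkt_len, out, sizeof out);
}

/* Returns 1 if the hardened parser accepts the packet and extracts `expected`. */
static int hardened_extracts(size_t payload_len, const char *expected)
{
    uint8_t pkt[4096];
    char out[64];
    size_t n = build_packet(pkt, sizeof pkt, payload_len);
    return n != 0 && parse_client_id_hardened(pkt, n, out, sizeof out) == PARSE_OK
           && strcmp(out, expected) == 0;
}

/* Exercises the vulnerable parser only with an in-bounds payload; the guard
 * refuses oversized input so the demo never triggers the overflow itself. */
static enum parse_status vulnerable_status_in_bounds(size_t payload_len)
{
    uint8_t pkt[4096];
    char out[64];
    if (payload_len >= CLIENT_ID_MAX) return PARSE_TOO_LONG;
    size_t n = build_packet(pkt, sizeof pkt, payload_len);
    if (n == 0) return PARSE_SHORT;
    return parse_client_id_vulnerable(pkt, n, out, sizeof out);
}

int main(void)
{
    printf("8-byte id,   hardened:   status=%d extracted=%d\n",
           hardened_status(8), hardened_extracts(8, "AAAAAAAA"));
    printf("200-byte id, hardened:   status=%d (rejected)\n", hardened_status(200));
    printf("lying length, hardened:  status=%d (declares 100, carries 2)\n",
           hardened_status_raw((const uint8_t *)"\x00\x64" "AA", 4));
    printf("8-byte id,   vulnerable: status=%d (same input, same answer)\n",
           vulnerable_status_in_bounds(8));
    return 0;
}
```

The point of the pair is that both parsers already validate the length against the packet; the vulnerable one simply never compares it against the stack buffer it writes into, which is exactly the check that turns an unauthenticated remote input into a stack overwrite. In a real appliance the remaining question is whether the platform's mitigations (stack canaries, ASLR, non-executable stack) make that overwrite hard to turn into code execution, which is what the "stack-based buffer overflow to RCE" step in the text implies the attackers managed.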
## Exploitation
- Status: **Exploited in the wild.** Zero-day exploitation of CVE-2025-0282 was observed starting in mid-December 2024, before the advisory and patches were published. CISA has added CVE-2025-0282 to its Known Exploited Vulnerabilities (KEV) catalog.
- Complexity: Not stated in the text. Note that "unauthenticated" speaks to privileges required (none), not to attack complexity; turning a stack-based overflow into reliable code execution on a hardened appliance generally requires defeating stack and address-space mitigations, so the observed exploitation says more about the attacker's capability than about the flaw being trivial.
- Attack Vector: Network. The flaw is reachable without credentials on the appliance's VPN-facing service, which is exposed to the internet by design.
## Impact
- Confidentiality: High (Potential for downstream compromise)
- Integrity: High (Potential for downstream compromise)
- Availability: Medium/High (Compromise of the appliance/network)
## Remediation
### Patches
- Ivanti has released **patches** for both vulnerabilities and urges customers to secure their systems according to instructions in their security advisory.
### Workarounds
- Customers are urged to secure their systems via the instructions in Ivanti's security advisory. Step-by-step workarounds are not detailed in this summary; the advisory is the primary path.
- Ivanti's Integrity Checker Tool (ICT) is referenced in connection with earlier ICS compromises. CISA had previously cautioned that a clean ICT result alone is not sufficient to rule out compromise, so patching should be paired with the advisory's detection steps rather than treated as complete on the strength of an ICT run.
## Detection
- **Indicators of compromise:** Mandiant found the **SPAWN** malware ecosystem deployed on infected systems. The activity is attributed to the China-linked threat group **UNC5337**, assessed to be part of UNC5221. Specific file hashes, paths, or network indicators are not reproduced in the text; the Mandiant blog post carries them.
- **Detection methods and tools:** Commercial security monitoring tools and Ivanti's ICT were used in the initial identification of the compromise. Given the CISA caveat above, treat an ICT hit as a trigger for forensic acquisition of the appliance rather than as a complete answer, and treat a clean result as not conclusive on its own.
## References
- Vendor Advisories: Ivanti Security Advisory for CVE-2025-0282 and CVE-2025-0283 (Linked in text)
- Mandiant Blog Post on findings (Linked in text)
- CISA: earlier Emergency Directive and mitigation instructions for Ivanti Connect Secure (mentioned as prior related advisories), plus the KEV catalog entry for CVE-2025-0282