
CTI-2025-0001
Critical
Active Exploitation Confirmed

[SAMPLE] AdHoc Active Zero-Day Exploitation of Ivanti Connect Secure

A critical zero-day in Ivanti Connect Secure VPN appliances is under active exploitation globally, enabling unauthenticated remote code execution. Patch immediately.

CVSS Score: 9

IOC Count: 24

Source Count: 11

Confidence Score: 91

CVEs: CVE-2025-0282, CVE-2025-0283

Actors: UNC5337 (likely affiliated with UNC5221 / China-nexus espionage cluster)

Sectors: Government, Financial Services, Defence, Critical Infrastructure, Healthcare, Technology

Regions: North America, Europe, Asia-Pacific, Middle East

Chapter 01 - Executive Overview

A critical zero-day vulnerability in Ivanti Connect Secure — one of the most widely deployed enterprise VPN and network access platforms globally — is under active exploitation as of January 2025. The vulnerability, tracked as CVE-2025-0282, allows an unauthenticated remote attacker to execute arbitrary code at the operating system level on the affected appliance, with no user interaction required.

This is not a theoretical risk. Exploitation has been confirmed in the wild across multiple sectors and geographies. Mandiant and Volexity identified evidence of in-the-wild exploitation as early as mid-December 2024, before a patch was available. CISA added CVE-2025-0282 to the Known Exploited Vulnerabilities catalogue on January 7, 2025.

The strategic risk is significant. Ivanti Connect Secure appliances sit at the perimeter of enterprise networks — they are the authentication and remote access gateway. A successful compromise of this device grants an attacker a trusted foothold inside the network boundary, often with the ability to intercept credentials, pivot to internal systems, and establish persistent access that survives normal remediation procedures including factory resets.

Intelligence indicates the initial exploitation wave is consistent with a China-nexus espionage campaign. Attribution points to a cluster tracked as UNC5337, assessed to be affiliated with UNC5221 — a group with a documented history of targeting Ivanti, Pulse Secure, and similar network edge appliances to support long-term intelligence collection operations.

Affected organisations should treat this as an active incident response situation, not a scheduled patching event. The exposure window is open and threat actors are already inside some environments.

Confidence in available intelligence is assessed as HIGH (91/100) based on eleven independent corroborating sources, confirmed exploitation evidence, active CISA KEV listing, and vendor-confirmed patch availability.

Chapter 02 - Threat & Exposure Analysis

CVE-2025-0282 is a stack-based buffer overflow vulnerability in the web component of Ivanti Connect Secure versions prior to 22.7R2.5, Policy Secure versions prior to 22.7R1.2, and ZTA Gateways prior to 22.8R2.2. The vulnerability exists in the unauthenticated pre-login interface, meaning exploitation requires no valid credentials, no prior access, and leaves no authentication trace in access logs.

Attack Progression

The observed attack chain proceeds in four stages. First, the attacker identifies externally exposed Ivanti appliances via active scanning — GreyNoise observed mass scanning activity targeting Ivanti web interfaces beginning in late December 2024. Second, the attacker sends a crafted HTTP request to the vulnerable component, triggering the buffer overflow and achieving code execution as the appliance's service account. Third, post-exploitation tools are deployed including a dropper disguised as a legitimate Ivanti component, and a modified version of the SPAWN malware family (SPAWNANT, SPAWNMOLE, SPAWNSNAIL) previously attributed to UNC5221. Fourth, the attacker establishes persistent command-and-control communication using HTTPS-over-443 to blend with normal VPN traffic.

Exploitability

The vulnerability requires no authentication, targets a publicly exposed interface, and has a CVSS score of 9.0. Proof-of-concept exploit code was observed circulating in private channels within 72 hours of public disclosure. The attack surface is any Ivanti Connect Secure appliance with the management or user-login portal exposed to the internet, which represents the majority of deployments by design.

Campaign Indicators

Mandiant observed a custom web shell (DRYHOOK) and a passive backdoor (PHASEJAM) deployed post-exploitation. PHASEJAM modifies the Ivanti appliance's getComponent.cgi endpoint to provide persistent shell access that survives appliance upgrades. DRYHOOK is positioned to harvest credentials submitted through the compromised VPN portal. This combination suggests an objective of long-term access and credential collection rather than immediate destructive action.

Actor Identity

The exploitation pattern, tooling, and targeting profile are consistent with UNC5337, a China-nexus intrusion cluster. UNC5337 is assessed to be affiliated with UNC5221, which Mandiant has previously attributed to Chinese state-sponsored espionage based on targeting priorities (government, defence, critical infrastructure), operational tempo aligned with Beijing business hours, and infrastructure overlap. Attribution remains Medium confidence — the tooling attribution is strong, but definitive nation-state attribution requires intelligence not available in open sources.

Infrastructure Fingerprinting

Command-and-control infrastructure observed in this campaign shows consistent fingerprinting patterns: use of bulletproof hosting providers registered through privacy-protecting registrars, nameserver reuse across multiple C2 domains, ASN clustering around providers in Eastern Europe and Southeast Asia frequently associated with state-aligned operations, and certificate patterns consistent with automated certificate issuance to avoid detection.

Sector & Geographic Exposure

Organisations with the highest exposure are those in government, defence, financial services, critical infrastructure, and large enterprise technology — sectors that historically represent priority collection targets for China-nexus espionage and that typically rely heavily on Ivanti Connect Secure for remote access.

Geographic Exposure:
Confirmed victims span North America, Europe, Asia-Pacific, and the Middle East. No geographic region has been confirmed as excluded from the targeting scope at this time.

Chapter 03 - Operational Response

CONTAINMENT PRIORITIES

The immediate objective is to determine whether exploitation has occurred before applying the patch, because patching a compromised appliance without first identifying and removing implants will leave backdoors in place.

  1. Isolation assessment first. Before patching, run the Ivanti Integrity Checker Tool (ICT) on all affected appliances to scan for signs of compromise including web shell presence, binary modification, and known SPAWN-family indicators. Do not assume an appliance is clean because the ICT reports no findings — the tool has known limitations against sophisticated implants.

  2. Factory reset before patch, not just patch. Ivanti and CISA both recommend performing a factory reset on affected appliances before applying the patch. Patching without a factory reset has been confirmed to leave PHASEJAM and similar persistence mechanisms in place.

  3. Apply patches immediately after reset. Ivanti Connect Secure 22.7R2.5 and later. Ivanti Policy Secure 22.7R1.2 and later. Ivanti ZTA Gateways 22.8R2.2 and later.

  4. Rotate all credentials that transited the affected appliance. Any credentials — including service account passwords, LDAP/AD bind credentials, and user VPN passwords — submitted through a potentially compromised Ivanti portal should be treated as harvested and rotated as a priority.

  5. Review authentication logs for the 30 days preceding detection. Look for authentication anomalies, successful logins from unusual source IPs, or access to systems that would not normally be accessed via VPN in the hours following a successful login event.

SECURITY HARDENING ACTIONS
  • Restrict management interface access to dedicated management VLANs or jump servers. The management portal should never be exposed to the public internet.

  • Implement network-level monitoring on Ivanti appliance outbound connections. Legitimate appliance traffic is limited — any outbound HTTPS to non-Ivanti destinations is a high-fidelity alert.

  • Enable Ivanti appliance logging to a remote, immutable SIEM. Ensure logs cannot be cleared by an attacker with appliance-level access.

  • Enrol in Ivanti's security advisory mailing list for this product family — this is the third major Ivanti zero-day in 24 months.

INTERNAL SECURITY COORDINATION
  • Brief the CISO and risk owner today if not already done. This is a CISA KEV-listed vulnerability under active exploitation, which in most organisations triggers mandatory response timelines.

  • Notify IT operations of the factory-reset requirement before any change management process is initiated — this is not a standard patch deployment.

  • If incident response forensics are required, preserve appliance images before the factory reset. Work with your IR team or Mandiant to assess whether a full IR engagement is warranted based on ICT results.

Incident Timeline

2024-12-03 — Earliest estimated exploitation date based on Volexity forensic analysis of confirmed victim environments (retroactively assessed).

2025-01-07 — Ivanti publishes security advisory. CVE-2025-0282 disclosed as a zero-day under active exploitation. CISA adds to Known Exploited Vulnerabilities catalogue on same day.

2025-01-07 — Mandiant publishes threat intelligence report attributing exploitation to UNC5337 with analysis of SPAWN malware family variants.

2025-01-08 — Volexity publishes independent analysis confirming exploitation evidence and introducing DRYHOOK and PHASEJAM implant designations.

2025-01-08 — GreyNoise confirms mass scanning activity targeting Ivanti web interfaces beginning in late December 2024.

2025-01-09 — NCSC UK publishes advisory. Intelligence record published to this platform (CTI-2025-0001).

2025-01-13 — Ivanti releases updated ICT with improved detection for SPAWN-family implants.

2025-01-15 — Record updated with enriched IOC set and MITRE analysis. Patches confirmed available for all affected product lines.

Chapter 04 - Detection Intelligence

CVE-2025-0282 is a stack-based buffer overflow in the web component of Ivanti Connect Secure. The vulnerable code path handles HTTP request parsing in the unauthenticated pre-login interface — specifically in processing of specific header values that are passed to a fixed-size stack buffer without bounds checking.

Exploitation: An attacker sends a crafted HTTP request to the exposed web interface. The oversized value overflows the stack buffer, overwriting the return address and enabling control of the instruction pointer. With control of execution flow, the attacker can execute shellcode or return-oriented programming chains to achieve arbitrary code execution in the context of the web service process.

The vulnerability is pre-authentication — no credentials, session tokens, or prior access are required. The attack leaves no entry in the authentication log because it does not reach the authentication stage of the request handling pipeline.

SPAWN Malware Family (attributed to UNC5221/UNC5337) — three components observed in this campaign:
  • SPAWNANT: Installer utility. Achieves persistence by modifying the appliance update mechanism so implants survive firmware updates.

  • SPAWNMOLE: Tunnelling utility. Establishes a SOCKS5 proxy over the compromised appliance to facilitate lateral movement and C2 communication routed through the trusted VPN appliance.

  • SPAWNSNAIL: SSH backdoor embedded in the Ivanti appliance process space, providing persistent shell access to the attacker.

Post-exploitation additions in this campaign (Mandiant/Volexity):
  • PHASEJAM: A web shell that hijacks the legitimate getComponent.cgi endpoint. It intercepts requests to this endpoint and executes attacker-supplied commands while proxying legitimate traffic to the real endpoint to avoid detection.

  • DRYHOOK: A credential harvester injected into the authentication pathway of the VPN portal. Captures plaintext credentials as users authenticate through the compromised appliance.

CVE-2025-0283: A related privilege escalation vulnerability. CVSS 7.0. Allows a local authenticated attacker to escalate privileges. In the context of this campaign, CVE-2025-0283 is chained after initial access via CVE-2025-0282 to escalate from the web service account to root.

Forensic Note on ICT Limitations: The Ivanti Integrity Checker Tool released before January 13 did not reliably detect PHASEJAM or DRYHOOK. An updated ICT was released on January 13. Organisations that ran the earlier ICT version and received a clean result should re-run with the updated tool before concluding no compromise occurred.

The following indicators are extracted from this incident cluster and enriched via open-source threat intelligence sources. All verdicts are consolidated single-verdict assessments — conflicting source verdicts have been resolved using majority consensus weighted by source reliability.

IP ADDRESSES (C2 / Scanning Infrastructure) — Verdict: Malicious
  • 45.32.56.107 — C2 server, bulletproof hosting (Vultr), confirmed in Mandiant/Volexity reporting

  • 103.27.108.91 — Scanning infrastructure, mass scanning observed by GreyNoise

  • 194.165.16.34 — SPAWNMOLE SOCKS5 exit node, associated with UNC5337 infrastructure cluster

  • 45.76.228.117 — Secondary C2, certificate fingerprint matches UNC5221 historical infrastructure

DOMAINS (C2 / Infrastructure) — Verdict: Malicious
  • update-ivanti[.]com — Typosquat domain used in PHASEJAM delivery, registered 2024-12-28

  • vpn-ivanti-secure[.]net — C2 staging domain, registered through Namecheap with privacy protection

  • secureconnect-update[.]org — SPAWNANT delivery domain, ASN overlap with above

FILE HASHES (Implants) — Verdict: Malicious
  • PHASEJAM dropper: SHA256 a3f1c2e9b84d...7f2a91c (abbreviated) — detected on VirusTotal 38/72 engines

  • DRYHOOK injector: SHA256 c8b2d4e7f1a3...9e4c72d — detected 31/72 engines

  • SPAWNSNAIL SSH backdoor: SHA256 2d7e4a9f3c1b...5f8d46e — detected 29/72 engines

CVE IDENTIFIERS
  • CVE-2025-0282 — CVSS 9.0 — Stack buffer overflow, unauthenticated RCE, Ivanti Connect Secure

  • CVE-2025-0283 — CVSS 7.0 — Privilege escalation, chained post-exploitation

INFRASTRUCTURE FINGERPRINTING

Actor infrastructure shows consistent reuse patterns across this and prior UNC5221 campaigns:

  • Nameserver reuse: Three domains share a nameserver pair (ns1.dnspod.com / ns2.dnspod.com) consistent with Chinese-affiliated operator preference.

  • ASN clustering: Multiple C2 IPs cluster around AS20473 (Vultr) and AS9808 (China Mobile) — a pattern consistent with prior UNC5221 campaigns targeting Pulse Secure in 2021.

  • Registration window: All domains registered within a 35-day window prior to the first confirmed exploitation date, suggesting pre-positioning infrastructure before the zero-day disclosure.

  • Certificate pattern: Let's Encrypt certificates issued within 48 hours of domain registration across all actor-controlled domains in this cluster.

DETECTION CONTEXT QUALITY

Collection gap identified: The Ivanti appliance's native logging does not record pre-authentication HTTP request bodies. This means exploitation traffic via CVE-2025-0282 leaves no direct log evidence of the malicious request. Network-layer PCAP capture or WAF logging positioned upstream of the appliance is required to observe exploitation attempts. Organisations relying solely on Ivanti appliance logs should treat absence of evidence as unreliable in this context.

DETECTION ENGINEERING OPPORTUNITIES
  1. Network Layer — Outbound HTTPS from Ivanti appliance to non-Ivanti destinations

    Ivanti Connect Secure appliances should not initiate outbound HTTPS connections to arbitrary external IPs. Any outbound connection from the appliance's management or user-plane IP to an IP not in the Ivanti update CDN range is high-fidelity and warrants immediate investigation.

    SIEM Pseudocode concept:

    source_ip = [ivanti_appliance_ips] AND destination_port = 443 AND NOT destination_ip IN [ivanti_update_ranges] → ALERT: CRITICAL
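    The pseudocode above, carried through as a working check over constructed flow records. This is an added example, not detection content from the record or from Ivanti; the appliance addresses and the single "update range" are placeholders from RFC 1918 / RFC 5737 space and must be replaced with your own inventory and the vendor's published ranges.

```python
import ipaddress

# Constructed values for this example: placeholder appliance addresses and a
# placeholder "Ivanti update range". Neither is a real Ivanti CDN prefix.
IVANTI_APPLIANCE_IPS = {"10.50.0.10", "10.50.0.11"}
IVANTI_UPDATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed firewall/netflow-style records: timestamp src dst dst_port action
SAMPLE_FLOWS = """\
2025-01-09T02:14:05Z 10.50.0.10 203.0.113.42 443 allow
2025-01-09T02:15:11Z 10.50.0.10 198.51.100.7 443 allow
2025-01-09T02:16:40Z 10.20.3.55 198.51.100.7 443 allow
2025-01-09T02:17:02Z 10.50.0.11 198.51.100.9 80 allow
2025-01-09T02:18:30Z 10.50.0.11 192.0.2.33 443 deny
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "action": action})
    return flows


def in_update_ranges(ip):
    """True if the destination falls inside an allow-listed update range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IVANTI_UPDATE_RANGES)


def find_suspicious_outbound(flows):
    """Rule from the record: appliance source AND port 443 AND destination
    not in the allow-listed ranges.

    Denied flows are deliberately kept: a blocked callback attempt from the
    appliance is still evidence of compromise; the firewall only stopped it.
    """
    alerts = []
    for f in flows:
        if (f["src"] in IVANTI_APPLIANCE_IPS
                and f["port"] == 443
                and not in_update_ranges(f["dst"])):
            alerts.append({**f, "severity": "CRITICAL",
                           "reason": "appliance outbound HTTPS to non-allow-listed destination"})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_outbound(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['port']} "
              f"({a['action']}) {a['severity']}: {a['reason']}")
```

    Of the five constructed flows only two fire: the appliance connection to a non-allow-listed destination and the denied one. The flow to the update range, the one from a non-appliance host and the port-80 flow are all dropped by the rule, which is what keeps the alert high-fidelity.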

  2. Endpoint / Process Layer — Unexpected child process from web service

    On Linux-based appliances, the web service component should not spawn interactive shells, curl/wget processes, or Python interpreters. Process genealogy monitoring via EDR or eBPF-based tooling should alert on shell processes descended from the web service PID.

  3. File Integrity — getComponent.cgi modification

    PHASEJAM targets the getComponent.cgi endpoint. File integrity monitoring on the appliance's web root directory should alert on modifications to this file. Hash baseline from a clean build image is required.

    SIGMA Concept:
    FileModification on path */cgi-bin/getComponent.cgi with any process other than the official Ivanti update agent
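    A hash-baseline comparison of the kind the item above calls for, written as an added example (not Ivanti tooling and not the ICT). It builds a SHA-256 manifest of a web root, diffs the current state against it, and escalates anything touching getComponent.cgi. The demo tampers with a constructed stand-in directory in a temporary folder; attributing the change to a process (the SIGMA concept's "other than the official update agent") needs an audit source this file-only check does not have, so that part is left out.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Hash every regular file under root, keyed by POSIX-style relative path.
    Run this against a clean build image, never against a possibly compromised box."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root, baseline):
    """Return sorted (status, relative_path) tuples: missing, modified or added."""
    current = build_baseline(root)
    findings = []
    for rel, digest in baseline.items():
        if rel not in current:
            findings.append(("missing", rel))
        elif current[rel] != digest:
            findings.append(("modified", rel))
    for rel in current:
        if rel not in baseline:
            findings.append(("added", rel))
    return sorted(findings)


# The file the record names as PHASEJAM's target; any change here is critical.
WATCHED = ("cgi-bin/getComponent.cgi",)


def critical_findings(findings, watched=WATCHED):
    """Escalate findings that touch watched files."""
    return [f for f in findings if f[1] in watched]


def demo():
    """Constructed demo: fake web root, clean baseline, then simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        cgi = Path(tmp, "cgi-bin")
        cgi.mkdir()
        target = cgi / "getComponent.cgi"
        target.write_text("#!/bin/sh\n# constructed stand-in for the real CGI handler\n")
        (cgi / "other.cgi").write_text("#!/bin/sh\n")
        baseline = build_baseline(tmp)
        # Constructed tampering: append to the watched file and drop a new file.
        with open(target, "a") as fh:
            fh.write("# appended line (constructed test)\n")
        (cgi / "dropped.bin").write_bytes(b"\x00")
        findings = compare_to_baseline(tmp, baseline)
        return findings, critical_findings(findings)


if __name__ == "__main__":
    all_findings, critical = demo()
    print("findings:", all_findings)
    print("critical:", critical)
```

    The baseline must come from a known-clean image, as the item states: a manifest generated on an already-implanted appliance simply enshrines the implant.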

  4. Authentication Layer — Credential reuse from unusual source IPs post-exploitation

    DRYHOOK harvests credentials as users authenticate. Within 12–48 hours of a credential harvest, expect authentication attempts using those credentials from actor-controlled IPs. Detect via: successful authentication from a new IP for an established user account, particularly outside normal business hours or from unexpected geographic regions.
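    The "new source IP for an established account" check from this item, which also serves containment step 5 above (review of the 30 days of authentication logs preceding detection). Added example over constructed log lines, not the record's own tooling. It learns each user's known source IPs from a baseline window, flags successful logins from unseen IPs, and tags off-hours events using an assumed 07:00-19:00 business window in the log's timezone; the geographic check the item mentions needs a GeoIP source and is not attempted here.

```python
from datetime import datetime

# Constructed baseline window: timestamp user source_ip result
BASELINE_LOG = """\
2024-12-10T09:02:11Z alice 10.20.3.55 success
2024-12-12T08:45:00Z alice 10.20.3.55 success
2024-12-15T10:10:10Z bob 203.0.113.5 success
2024-12-20T14:00:00Z bob 203.0.113.5 success
"""

# Constructed recent events to evaluate against that baseline.
RECENT_LOG = """\
2025-01-09T08:30:00Z alice 10.20.3.55 success
2025-01-09T03:12:44Z alice 198.51.100.77 success
2025-01-09T11:00:00Z bob 203.0.113.5 success
2025-01-09T11:05:00Z bob 192.0.2.200 failure
2025-01-09T15:20:00Z carol 192.0.2.201 success
"""


def parse_auth(text):
    """Parse the constructed four-field format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "src": src, "result": result})
    return events


def known_ips(events):
    """Per-user set of source IPs seen on successful logins in the baseline."""
    seen = {}
    for e in events:
        if e["result"] == "success":
            seen.setdefault(e["user"], set()).add(e["src"])
    return seen


def off_hours(ts, start_hour=7, end_hour=19):
    """Assumed business window; adjust to the organisation's real hours."""
    return not (start_hour <= ts.hour < end_hour)


def detect_new_ip_logins(baseline_events, recent_events):
    """Successful login from an IP never seen for that user in the baseline."""
    seen = known_ips(baseline_events)
    alerts = []
    for e in recent_events:
        if e["result"] != "success":
            continue
        if e["user"] not in seen:
            # No history: not an "established" account; route to onboarding review instead.
            continue
        if e["src"] not in seen[e["user"]]:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"],
                           "src": e["src"], "off_hours": off_hours(e["ts"])})
    return alerts


if __name__ == "__main__":
    for a in detect_new_ip_logins(parse_auth(BASELINE_LOG), parse_auth(RECENT_LOG)):
        print(a)
```

    Only alice's 03:12 login from an unseen address fires; bob's failed attempt from a new IP is not a successful reuse, and carol has no baseline, so she is skipped rather than flagged.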

THREAT HUNTING HYPOTHESES
  1. Hunt 1: Search for base64-encoded command strings in HTTP POST bodies to getComponent.cgi in WAF or proxy logs covering the 30 days prior to today.

  2. Hunt 2: Search authentication logs for accounts with successful VPN authentications followed by access to internal systems inconsistent with their role profile.

  3. Hunt 3: Search for DNS queries to newly registered domains (< 60 days old) originating from the Ivanti appliance management IP.

  4. Hunt 4: Search DHCP/NAT logs for lateral movement from the Ivanti appliance IP segment to internal VLAN ranges not normally associated with VPN traffic.
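  Hunt 1 as a runnable query over WAF-style log lines, added here as an example and not part of the record. It restricts to POST requests to getComponent.cgi, pulls base64-looking tokens from the body, and keeps only those that decode to printable text, which is what separates an encoded command string from a padding-shaped but meaningless token. The log format and the sample payload are constructed; the payload is built in the code so the reader can see exactly what is being matched.

```python
import base64
import binascii
import re

# Constructed sample payload, built here so the demo is self-describing.
SAMPLE_PAYLOAD = base64.b64encode(b"echo hunt-test-string").decode()

# Constructed WAF/proxy log lines: timestamp src method path body ("-" = no body)
SAMPLE_WAF_LOG = f"""\
2025-01-09T01:00:00Z 198.51.100.7 GET /cgi-bin/getComponent.cgi -
2025-01-09T01:00:05Z 198.51.100.7 POST /cgi-bin/getComponent.cgi cmd={SAMPLE_PAYLOAD}
2025-01-09T01:00:09Z 10.20.3.55 POST /cgi-bin/getComponent.cgi component=update&version=1
2025-01-09T01:00:12Z 10.20.3.55 POST /cgi-bin/getComponent.cgi token=AAAAAAAAAAAAAAAA
2025-01-09T01:00:20Z 198.51.100.7 POST /cgi-bin/other.cgi data={SAMPLE_PAYLOAD}
"""

# 16+ base64-alphabet characters with optional padding; short tokens are ignored.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def parse_waf(text):
    """Parse the constructed five-field format into request dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, path, body = line.split(maxsplit=4)
        records.append({"ts": ts, "src": src, "method": method,
                        "path": path, "body": "" if body == "-" else body})
    return records


def decode_if_text(token):
    """Decoded text if token is valid base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or not all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
        return None
    return raw.decode("ascii")


def hunt_base64_posts(records, target_suffix="/cgi-bin/getComponent.cgi"):
    """POST bodies to the target endpoint containing base64 that decodes to text."""
    findings = []
    for r in records:
        if r["method"] != "POST" or not r["path"].endswith(target_suffix):
            continue
        for token in B64_TOKEN.findall(r["body"]):
            decoded = decode_if_text(token)
            if decoded is not None:
                findings.append({"ts": r["ts"], "src": r["src"],
                                 "token": token, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in hunt_base64_posts(parse_waf(SAMPLE_WAF_LOG)):
        print(f"{f['ts']} {f['src']} getComponent.cgi POST decodes to: {f['decoded']!r}")
```

  One hit out of five lines: the GET has no body, the plain form post has no long token, the run of sixteen "A" characters is valid base64 but decodes to null bytes and is discarded, and the last line hits a different endpoint. Run it over the real 30-day window the hunt specifies, and remember from the collection-gap note above that the appliance's own logs will not contain these bodies; the WAF or proxy upstream will.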

TIMELINE INSIGHTS

The 35-day gap between first estimated exploitation (December 3) and public disclosure (January 7) represents a minimum 35-day dwell time in the earliest confirmed victim environments. Hunting activity should cover this entire window, not just dates after the advisory.

T1190 — Exploit Public-Facing Application (Tactic: Initial Access)

CVE-2025-0282 directly maps to this technique. The Ivanti Connect Secure web interface is an internet-facing application. Exploitation of the stack buffer overflow achieves initial access without authentication. This technique is the entry point of the entire observed attack chain.

T1059.004 — Command and Scripting Interpreter: Unix Shell (Tactic: Execution)

Post-exploitation, attackers executed shell commands via the PHASEJAM web shell and SPAWNSNAIL SSH backdoor. Unix shell execution was the primary mechanism for deploying additional tools and establishing persistence.

T1505.003 — Server Software Component: Web Shell (Tactic: Persistence)

PHASEJAM functions as a web shell embedded in the Ivanti appliance's legitimate CGI endpoint. It provides persistent command execution capability that survives reboots and is designed to survive firmware updates via SPAWNANT.

T1003 — OS Credential Dumping (Tactic: Credential Access)

DRYHOOK harvests plaintext credentials submitted through the compromised VPN portal. While not a traditional credential dump from OS memory, the technique achieves the same outcome — bulk credential collection from authenticated users of the compromised service.

T1070.004 — Indicator Removal: File Deletion (Tactic: Defense Evasion)

Forensic analysis indicates attackers deleted deployment scripts and temporary files post-installation. Combined with PHASEJAM's passthrough design (proxying legitimate traffic to avoid anomaly detection), defense evasion was a deliberate operational priority in this campaign.

T1071.001 — Application Layer Protocol: Web Protocols (Tactic: Command and Control)

All C2 communication was conducted over HTTPS on port 443 — indistinguishable from normal VPN traffic at the protocol layer. SPAWNMOLE tunnels traffic through the compromised appliance itself, routing C2 communications through a trusted enterprise device.

T1568 — Dynamic Resolution (Tactic: Command and Control)

Infrastructure analysis indicates use of dynamic DNS resolution and rapid domain rotation to maintain C2 availability despite potential IP blocking. The actor pre-positioned multiple redundant C2 domains within the same infrastructure cluster before exploitation commenced.

Chapter 05 - Governance, Risk & Compliance

REGULATORY EXPOSURE

This incident carries regulatory implications across multiple frameworks depending on the affected organisation's jurisdiction and sector.

GDPR / UK GDPR: If the compromised Ivanti appliance provided VPN access to systems processing personal data of EU or UK data subjects, the credential harvesting capability of DRYHOOK and the attacker's confirmed access to internal systems may constitute a personal data breach. Controllers have 72-hour notification obligations to supervisory authorities from the point of becoming aware of the breach. Processors must notify controllers without undue delay.

NIS2 Directive (EU): Organisations classified as essential or important entities under NIS2 are subject to incident reporting obligations. A confirmed compromise of network access infrastructure by a nation-state-affiliated threat actor is a significant incident under NIS2 criteria. National competent authority notification is required within 24 hours of incident detection, with a full incident notification within 72 hours.

HIPAA (US Healthcare): VPN appliance compromise that exposed access to systems containing protected health information (PHI) triggers breach assessment obligations under the HIPAA Breach Notification Rule.

DPDP Act (India): Organisations processing digital personal data of Indian residents that experienced a breach via this vulnerability are subject to notification obligations to the Data Protection Board under the Digital Personal Data Protection Act 2023.

BUSINESS RISK IMPACT

The primary business risk from this incident is not the vulnerability itself — it is what an attacker with 35+ days of undetected access can achieve. Confirmed capabilities include: credential harvesting at scale, lateral movement to internal systems, long-term persistent access, and intelligence collection. For organisations in government, defence, or financial services, the intelligence value of this access to a nation-state actor should be assessed as high. Sensitive communications, strategic plans, procurement data, and personnel information transiting or accessible from systems reachable via the compromised VPN are all at risk.

THREAT ACTOR ATTRIBUTION

Attribution is assessed as China-nexus with Medium confidence. The SPAWN malware family is previously attributed to UNC5221. The UNC5337 cluster observed in this campaign shares tooling, targeting profile, and infrastructure patterns with UNC5221. UNC5221 has been associated with Chinese Ministry of State Security (MSS) collection priorities by multiple private intelligence providers. This attribution has not been formally confirmed by a government intelligence agency in open reporting at the time of this publication.

BOARD-LEVEL FRAMING

This incident is best characterised to a board audience as: a nation-state actor exploited a zero-day in the organisation's front door — the device that controls all remote access — before a patch existed, and may have been inside for over a month before detection. The remediation is technically straightforward. The question the board should be asking is whether this organisation would have detected this without an external advisory, and how the answer changes the investment case for detection capability.

Chapter 06 - Adversary Emulation

The confirmed MITRE ATT&CK technique mapping for this incident provides a well-structured basis for defensive validation exercises. The following scenarios are designed for purple team or detection validation activities.

DETECTION VALIDATION SCENARIOS
Scenario 1 — Simulate T1190 (Exploit Public-Facing Application):

Using an authorised penetration testing engagement on a non-production Ivanti appliance (or a lab replica), test whether your WAF, network IDS, and SIEM produce alerts when an HTTP request with a crafted oversized header value is submitted to the Ivanti web interface. The objective is not to exploit — it is to validate that your detection layer sees the anomalous request pattern.

Scenario 2 — Simulate T1505.003 (Web Shell):

Deploy a benign test file at the path of getComponent.cgi on a lab system and validate that your file integrity monitoring solution generates an alert within your defined detection SLA. Test whether the alert routes correctly to the SOC queue.

Scenario 3 — Simulate T1071.001 (C2 over HTTPS):

Using a red team C2 framework in an authorised lab environment, simulate HTTPS callback traffic from a system in the VPN appliance network segment to an external IP. Validate that this traffic is detected by network monitoring, not just perimeter firewall rules. Many organisations firewall inbound but do not monitor outbound from trusted network devices.

Scenario 4 — Credential Reuse Detection:

Introduce a test credential into a monitored account and simulate a successful authentication from an IP outside the account's normal geographic and network range. Validate that the SIEM/UEBA produces a user behaviour anomaly alert and that it routes to the correct analyst queue with sufficient context.

ATT&CK-ALIGNED PURPLE TEAM EXERCISES

A full purple team exercise for this incident would sequence the confirmed techniques in order: T1190 (initial access simulation) → T1059.004 (shell execution) → T1505.003 (web shell deployment) → T1003 (credential collection simulation) → T1070.004 (artefact deletion) → T1071.001 (C2 communication).

The objective of the exercise is to identify at which technique in the chain the blue team achieves first detection, and to measure dwell time before containment action. A detection at T1190 is ideal. A first detection at T1071.001 means the attacker had full access for the duration of the exercise — equivalent to the real-world 35-day dwell time observed in this incident.

DEFENSIVE SECURITY VERIFICATION NOTES

These exercises are designed to test detection and response capability, not to validate that a patch was applied. Patching addresses the initial access vector. The deeper question this exercise answers is: if a zero-day bypassed your patch window, would your detection layer catch the attacker before they achieved their objective?

Intelligence Confidence: 91%

Score of 91 reflects eleven independent corroborating sources, vendor-confirmed exploitation, active CISA KEV listing, Mandiant and Volexity independent forensic analysis, and patch availability confirmed. Reduction from maximum reflects Medium attribution confidence — nation-state affiliation is strongly indicated but not formally confirmed in open-source reporting.