A Chinese cyber adversary known as UNC5337 has resumed its focus on uncovering vulnerabilities within Ivanti remote access devices, marking another chapter in a series of security challenges faced by the IT vendor. This latest threat leverages a critical remote code execution (RCE) vulnerability discovered in Ivanti’s products, reigniting concerns initially sparked over a year ago when UNC5337 targeted similar flaws.
A History of Vulnerabilities
Throughout last year, Ivanti faced numerous security issues across its product line. Notable vulnerabilities included an authentication bypass in the Virtual Traffic Manager (vTM), SQL injection in the Endpoint Manager, and several bugs in its Cloud Services Appliance (CSA). Critical vulnerabilities were also identified in Standalone Sentry, Neurons for IT Service Management (ITSM), and others. The initial wave of exploits by UNC5337 focused on Ivanti’s Connect Secure (ICS) and Policy Secure gateways, coinciding with two severe vulnerabilities disclosed in January last year.
Current Exploits and New Vulnerabilities
UNC5337 has emerged once more, exploiting a new critical flaw in ICS, extending the threat to Policy Secure and Neurons for Zero Trust Access (ZTA) gateways as well. Alongside this, Ivanti has identified a second vulnerability, which, though less severe, remains unexploited for the time being. Arctic Wolf CISO, Adam Marrè, acknowledged the group's sophistication: "Even with secure-by-design principles, attackers with new techniques, time, and resources can find a way in."
New Vulnerabilities in Focus
CVE-2025-0283: This buffer overflow vulnerability, rated 7.0 in CVSS, affects ICS versions prior to 22.7R2.5, Policy Secure before 22.7R1.2, and Neurons for ZTA gateways before 22.7R2.3. It requires authentication, but a successful exploit lets an attacker escalate privileges.
CVE-2025-0282: With a CVSS score of 9.0, this more severe vulnerability allows unauthorized code execution as root. Details remain scarce, but researchers have confirmed it can be exploited by reverse engineering the fix, comparing patched and unpatched ICS versions.
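A defender triaging an appliance inventory against the version thresholds above could do it with a script like the following. This is an added example, not code from Ivanti or the article; it assumes the fixed versions listed for CVE-2025-0283 above, a constructed inventory, and the hypothetical helper names parse_version, is_vulnerable and triage.

```python
import re

# Fixed versions as listed on this page for CVE-2025-0283; every version
# below these is treated as needing the patch.
FIXED_VERSIONS = {
    "ICS": "22.7R2.5",   # Ivanti Connect Secure
    "IPS": "22.7R1.2",   # Ivanti Policy Secure
    "ZTA": "22.7R2.3",   # Neurons for Zero Trust Access gateways
}

# Ivanti versions look like 22.7R2.5: major.minor, 'R', release[.maintenance].
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn '22.7R2.5' into (22, 7, 2, 5) so versions compare as tuples.
    A release without a maintenance number ('22.7R2') counts as '.0'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, maint = m.groups()
    return (int(major), int(minor), int(release), int(maint or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the running version is older than its product's fixed release.
    Older branches such as 9.1R18.x sort below 22.7 and are flagged too."""
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def triage(inventory):
    """Return the (hostname, product, version) entries that still need patching."""
    return [entry for entry in inventory if is_vulnerable(entry[1], entry[2])]


# Constructed sample inventory (hypothetical hosts, not real appliances).
SAMPLE_INVENTORY = [
    ("vpn-east.example.test", "ICS", "22.7R2.4"),
    ("vpn-west.example.test", "ICS", "22.7R2.5"),
    ("nac-01.example.test", "IPS", "22.7R1.1"),
    ("zta-gw-01.example.test", "ZTA", "22.7R2.3"),
    ("vpn-legacy.example.test", "ICS", "9.1R18.9"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        fixed = FIXED_VERSIONS[product]
        # A reported version is only evidence of patch level, not of integrity;
        # the page's Integrity Checker Tool (ICT) is the check for compromise.
        print(f"{host}: {product} {version} is below {fixed}; patch and run ICT")
```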
Malware Tools and Exploitation Techniques
According to Mandiant, UNC5337's exploits employ the "Spawn" malware suite, comprising:
SpawnAnt, which ensures malware persistence across system updates.
SpawnMole, for communication with attacker command-and-control infrastructure.
SpawnSnail, a stealthy SSH backdoor.
SpawnSloth, which erases log traces of malicious activities.
Additionally, Mandiant identified two further malware families potentially linked to UNC5337: DryHook, built for credential theft, and PhaseJam, which maintains persistent command execution by deceiving the operator during system updates.
Actionable Steps and Mitigation
Data from The Shadowserver Foundation indicates that over 2,000 ICS instances remain vulnerable, most of them in the U.S., France, and Spain.
Ivanti, in collaboration with CISA, has published mitigation guidance for CVE-2025-0282. It highlights the Integrity Checker Tool (ICT) for identifying compromised appliances and recommends applying the patch promptly. An Ivanti spokesperson confirmed that a patch for the Connect Secure vulnerabilities has been released, described exploitation as limited, and emphasized the importance of a thorough, layered security approach. Ivanti added that patches for the ZTA gateways and Policy Secure are expected by January 21, and that certain configurations reduce exploit risk until those patches are available.
Security experts, including Matt Lin, stress the need for swift action and a comprehensive incident response to limit the impact of potential breaches, noting the extensive coordination required among global security teams.