Ivanti Software Vulnerability Exploited for Remote Code Execution

Learn about the critical impact of unpatched vulnerabilities and how CloudGuard can help protect against sophisticated malware threats like those exploiting Ivanti software.


A critical security flaw in Ivanti Connect Secure and Policy Secure, identified as CVE-2025-0282, is being actively exploited, allowing unauthenticated remote code execution. The exploitation involves a series of sophisticated steps to compromise systems, including deploying malware like DRYHOOK and PHASEJAM. Ivanti has issued patches for this and another related high-severity flaw, CVE-2025-0283. The exploitation has been observed by Mandiant, which noted the use of the SPAWN malware ecosystem to maintain persistence and communicate with attackers. The U.S. CISA has added CVE-2025-0282 to its Known Exploited Vulnerabilities list, urging organizations to apply patches promptly.


Key Facts

Risks:

Zero-Day, Malware, Privilege Escalation, Patch Management

Keywords:

Ivanti, CVE-2025-0282, Remote Code Execution, PHASEJAM, SPAWN Malware, Mandiant

CVE:

CVE-2025-0282; CVE-2025-0283

Affected:

Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA, SELinux, Google-owned Mandiant


Article Body

Critical Vulnerability in Ivanti Software Actively Exploited

Ivanti has identified a severe security vulnerability in several of its products, including Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. The flaw, tracked as CVE-2025-0282, is a stack-based buffer overflow that has been actively exploited since mid-December 2024. With a CVSS score of 9.0, it allows unauthenticated attackers to execute code remotely on the appliance.

Exploitation Details

The exploitation process involves multiple technical steps. Attackers disable SELinux, halt syslog forwarding, remount the drive as read-write, and execute scripts to drop web shells. They also manipulate log files to hide their activity and re-enable SELinux to cover their tracks. A significant payload is PHASEJAM, a shell script dropper that modifies Ivanti Connect Secure components to maintain persistence and execute commands.
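The tamper sequence described above (SELinux off, syslog forwarding stopped, filesystem remounted read-write, SELinux back on) is itself a detectable pattern. The following is an added defender-side example, not code from the article, Ivanti or Mandiant: it correlates those four stages per host within a short time window. The log lines and the keywords matched are constructed for illustration and would need to be mapped to the appliance's real audit and syslog formats.

```python
"""Correlate the four tamper stages per host within a time window (added example)."""
import re
from datetime import datetime, timedelta

# Ordered stages of the described pattern; match patterns are constructed placeholders.
STAGES = [
    ("selinux_disabled",  re.compile(r"setenforce 0|selinux.*permissive", re.I)),
    ("syslog_stopped",    re.compile(r"syslog.*(stopped|killed)", re.I)),
    ("remount_rw",        re.compile(r"remount.*\brw\b", re.I)),
    ("selinux_reenabled", re.compile(r"setenforce 1|selinux.*enforcing", re.I)),
]

# Constructed line layout: "<date> <time> <host> <message>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")

def parse(line):
    m = LINE_RE.match(line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def find_tamper_sequences(lines, window=timedelta(minutes=10)):
    """Return hosts on which all STAGES occur in order within `window`."""
    by_host = {}
    for line in lines:
        if not line.strip():
            continue
        ts, host, msg = parse(line)
        by_host.setdefault(host, []).append((ts, msg))
    hits = []
    for host, events in by_host.items():
        events.sort()
        idx, first_ts = 0, None          # next expected stage, time of stage 0
        for ts, msg in events:
            if idx and ts - first_ts > window:   # sequence took too long; start over
                idx, first_ts = 0, None
            if STAGES[idx][1].search(msg):
                first_ts = first_ts if idx else ts
                idx += 1
                if idx == len(STAGES):
                    hits.append(host)
                    break
    return hits

# Constructed sample log: vpn-gw-01 shows the full sequence, vpn-gw-02 does not.
SAMPLE_LOG = """\
2024-12-18 03:12:05 vpn-gw-01 audit: setenforce 0 invoked by pid 4412
2024-12-18 03:12:07 vpn-gw-01 syslog-ng: forwarding stopped by signal
2024-12-18 03:12:09 vpn-gw-01 kernel: remount / options rw
2024-12-18 03:12:40 vpn-gw-01 audit: setenforce 1 invoked by pid 4412
2024-12-18 09:00:00 vpn-gw-02 kernel: remount / options rw
2024-12-18 09:00:02 vpn-gw-02 audit: setenforce 1 invoked by pid 100
"""
```

A single stage (a remount, or SELinux being re-enabled) is routine on its own; the signal is the ordered sequence on one host in a short window, which is why the check only fires on `vpn-gw-01`.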

Malware Deployment

Mandiant, a Google-owned cybersecurity firm, observed the deployment of the SPAWN malware ecosystem across various compromised devices. This includes the installation of previously unknown malware families, DRYHOOK and PHASEJAM. PHASEJAM inserts web shells and blocks legitimate system upgrades to ensure persistent access.

SPAWNANT, part of the SPAWN framework, can survive system upgrades by hijacking the execution flow of essential processes. Mandiant also noted the use of publicly available tunneling utilities to facilitate communication with the attackers' command-and-control infrastructure.

Impact and Response

Ivanti has acknowledged that a limited number of customers have been affected by CVE-2025-0282. Although there is no evidence that the related vulnerability, CVE-2025-0283, is being weaponized, it remains a concern. Ivanti responded quickly by developing a fix and advising customers to apply patches immediately.

In response to the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2025-0282 in its Known Exploited Vulnerabilities catalog, highlighting the urgency for organizations to secure their systems.


Read More

https://thehackernews.com/2025/01/ivanti-flaw-cve-2025-0282-actively.html?m=1