Sunday, October 12, 2025

Ivanti Devices Hit Again by a New Flaw from Chinese Hackers

Ivanti is once again in the hot seat as a sophisticated Chinese hacking group, known as UNC5337, is actively exploiting another critical vulnerability in its remote access products. This latest security flaw affects Ivanti’s popular Connect Secure (ICS) and Policy Secure devices, continuing a troubling pattern of high-profile breaches that have plagued the company. The attackers are deploying custom malware, demonstrating a deep understanding of Ivanti’s systems and putting thousands of organizations worldwide at immediate risk.

Two Fresh Flaws Put Systems at Risk

The latest security advisory from Ivanti details two new vulnerabilities, with one being actively exploited in the wild. The primary concern is a critical flaw that allows attackers to gain complete control over a system without needing any login credentials.

The second vulnerability is rated as high severity but is considered less of an immediate threat because it requires an attacker to be authenticated first. So far, there have been no reports of this second bug being used in attacks.

| Vulnerability ID | CVSS Score     | Description                                                                                  | Exploitation Status                 |
|------------------|----------------|----------------------------------------------------------------------------------------------|-------------------------------------|
| CVE-2025-0282    | 9.0 (Critical) | Allows an unauthenticated attacker to execute code with the highest privileges (root).       | Confirmed exploitation in the wild  |
| CVE-2025-0283    | 7.0 (High)     | Requires an authenticated attacker to exploit a buffer overflow to gain higher privileges.   | No known exploitation               |

These vulnerabilities impact a wide range of products, including multiple versions of Ivanti Connect Secure, Policy Secure, and Neurons for Zero Trust Access (ZTA) gateways. The widespread use of these devices means the potential impact is significant.

A Sophisticated Hacking Toolkit

The threat group UNC5337 has proven to be highly skilled, using a custom suite of malware designed specifically to compromise and persist on Ivanti systems. Their tools are built for stealth and long-term access, making detection difficult.

Analysis of compromised devices has revealed several malware families, each with a specific job:

  • SpawnAnt: This malware acts as an installer for other malicious tools and is designed to survive system reboots and software upgrades.
  • SpawnMole: This tool is a tunnel-maker, creating a secret channel for attackers to communicate with the infected device.
  • SpawnSnail: This is a passive backdoor that listens for special commands, allowing attackers to access the system discreetly.
  • SpawnSloth: This malware is used to cover the attackers’ tracks by modifying system logs and hiding their activity.

Researchers have also identified two other malware strains, DryHook and PhaseJam. DryHook is focused on stealing user credentials, while PhaseJam cleverly displays fake update screens to trick users, allowing the malware to maintain its presence even while legitimate patches are being applied.

Thousands of Devices Remain Vulnerable

The race to patch is on, but many systems are still exposed. According to data from The ShadowServer Foundation, more than 2,000 Ivanti ICS devices are still vulnerable to attack globally. The highest concentrations of these exposed devices are in the United States, France, and Spain.

In response, Ivanti and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued urgent guidance. They are advising organizations to immediately use Ivanti’s built-in Integrity Checker Tool (ICT) to scan for signs of compromise and to apply all available security patches without delay. Continuous network monitoring is also strongly recommended.

However, a complication has emerged: patches for some affected Policy Secure and ZTA gateways will not be ready until January 21. While Ivanti states these systems are at a lower risk, this delay leaves a window of opportunity for attackers.
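The guidance above amounts to a triage procedure: identify which appliances can be patched today, which are stuck waiting for the deferred January 21 fixes, and which have not been scanned with the Integrity Checker Tool since the advisory. The following script, an added example that is not Ivanti's, CISA's or the article's code, applies those three rules to a constructed fleet inventory. The product names follow the article; the version numbers, the advisory date and the "fixed" build number are placeholders chosen for the example, not Ivanti's real values, and the year attached to January 21 is an assumption.

```python
"""Fleet triage for the Ivanti advisory: patch now, scan with ICT, or wait.

Added example, not vendor or article code. Version numbers, hostnames, scan
dates and the FIXED_VERSION table are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Facts from the article: Connect Secure patches are available now, while some
# Policy Secure and ZTA gateway builds get no fix until January 21.
PATCH_AVAILABLE_NOW = {"Connect Secure"}
DEFERRED_PATCH_DATE = date(2025, 1, 21)  # the year is an assumption

# Placeholder "first fixed build" per product. NOT Ivanti's real numbers;
# take the genuine fixed versions from the vendor advisory.
FIXED_VERSION = {"Connect Secure": (22, 7, 2)}

PRIORITY_PATCH = 1      # unpatched product with exploited unauthenticated RCE
PRIORITY_WATCH = 2      # ICT overdue, or vendor patch not yet available
PRIORITY_NONE = 3       # nothing outstanding


@dataclass
class Appliance:
    host: str
    product: str                     # "Connect Secure", "Policy Secure", "ZTA"
    version: tuple                   # parsed release, e.g. (22, 7, 1)
    last_ict_scan: Optional[date]    # None if the ICT has never been run


def triage(inventory, advisory_date):
    """Return a list of (priority, host, actions), most urgent first.

    advisory_date is the day the vendor advisory was published; an ICT scan
    older than that cannot attest to the device's state after the advisory.
    """
    findings = []
    for a in inventory:
        actions = []
        priority = PRIORITY_NONE

        if a.product in PATCH_AVAILABLE_NOW:
            # A fix exists: anything below the fixed build is exposed to the
            # unauthenticated root code execution flaw being exploited now.
            if a.version < FIXED_VERSION[a.product]:
                actions.append("apply the available patch immediately")
                priority = min(priority, PRIORITY_PATCH)
        else:
            # Policy Secure / ZTA: no patch yet, so compensate with monitoring.
            actions.append(
                f"no vendor patch until {DEFERRED_PATCH_DATE.isoformat()}; "
                "intensify network monitoring"
            )
            priority = min(priority, PRIORITY_WATCH)

        # Patching does not evict an intruder who got in earlier, so every
        # device needs an ICT run dated on or after the advisory.
        if a.last_ict_scan is None or a.last_ict_scan < advisory_date:
            actions.append("run the Integrity Checker Tool (no scan since advisory)")
            priority = min(priority, PRIORITY_WATCH)

        findings.append((priority, a.host, actions))

    return sorted(findings, key=lambda f: (f[0], f[1]))


# Constructed sample fleet; hostnames, versions and dates are made up.
SAMPLE_INVENTORY = [
    Appliance("ics-1", "Connect Secure", (22, 7, 1), None),
    Appliance("ics-2", "Connect Secure", (22, 7, 2), date(2025, 1, 10)),
    Appliance("ps-1", "Policy Secure", (22, 7, 1), date(2025, 1, 2)),
    Appliance("zta-1", "ZTA", (22, 8, 1), date(2025, 1, 10)),
]
SAMPLE_ADVISORY_DATE = date(2025, 1, 8)  # placeholder, not the real date

if __name__ == "__main__":
    for priority, host, actions in triage(SAMPLE_INVENTORY, SAMPLE_ADVISORY_DATE):
        print(f"P{priority} {host}: {'; '.join(actions) or 'no action required'}")
```

The ordering is deliberate: an unpatched Connect Secure outranks everything else because the exploited flaw needs no credentials, while a fully patched device with a stale ICT result still appears in the output, since a patch applied after a compromise leaves the intruder's tooling in place.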

The Human Cost of Cyber Defense

This constant stream of critical vulnerabilities is creating immense pressure on cybersecurity professionals. The cycle of identifying threats, testing patches, and deploying them across an organization is a demanding and often exhausting process.

Adam Marrè, CISO at Arctic Wolf, noted that while building perfectly secure software is difficult, the speed at which hackers exploit these flaws puts defenders in a constant state of high alert. The stress is compounded by the need to act quickly to prevent a major breach.

Matt Lin of Mandiant highlighted the human toll of these repeated security crises. “The toil and exhaustion defenders face cannot be underestimated,” he said, emphasizing that the sheer volume of work required to manage these incidents can easily overwhelm even the most prepared security teams.

Frequently Asked Questions about the Ivanti Vulnerabilities

What are the new Ivanti vulnerabilities?
Two new flaws were found: CVE-2025-0282, a critical bug allowing unauthenticated code execution, and CVE-2025-0283, a high-severity privilege escalation flaw. The critical vulnerability is being actively exploited.

Who is behind these attacks?
A Chinese-nexus threat group tracked as UNC5337 is reportedly responsible. This group has a history of targeting Ivanti devices with sophisticated, custom-built malware.

Which Ivanti products are affected?
The vulnerabilities affect several versions of Ivanti Connect Secure (ICS), Ivanti Policy Secure, and Ivanti Neurons for Zero Trust Access (ZTA) gateways.

How many devices are currently at risk?
According to The ShadowServer Foundation, over 2,000 Ivanti devices remain vulnerable worldwide, with the majority located in the U.S., France, and Spain.

What should my organization do right now?
Ivanti and CISA recommend three key actions: run the Ivanti Integrity Checker Tool (ICT) to detect compromise, apply the latest security patches immediately, and monitor your network for any unusual activity.

Joshua Garcia
Joshua is a certified personal trainer with a degree in Kinesiology and a fitness blogger with a passion for helping others achieve their health and fitness goals. He also writes about a wide range of topics, including health and wellness, personal development, mindfulness, and sustainable living.
