Sunday, October 12, 2025

Chinese Group Exploits Another Critical Flaw in Ivanti Devices

A Chinese-linked cyber group known as UNC5337 is actively exploiting another critical vulnerability in Ivanti’s remote access products. This attack continues a troubling series of security failures for the vendor, affecting devices like Connect Secure and Policy Secure gateways globally. The group is deploying a sophisticated family of malware to maintain access, steal credentials, and cover its tracks, putting thousands of organizations at immediate risk.

A Persistent Threat and a Pattern of Vulnerabilities

Ivanti has faced a challenging year, with its products repeatedly targeted due to significant security flaws. IT administrators have been in a constant state of alert, dealing with issues ranging from SQL injection to authentication bypasses in the company’s appliances.

The threat actor UNC5337, which Mandiant assesses is likely part of another Chinese group, UNC5221, has a history of targeting Ivanti. Last year, it exploited major flaws in Ivanti Connect Secure (ICS) and Policy Secure gateways. Now it has returned to take advantage of a newly discovered critical vulnerability.

“This isn’t about ease of exploitation,” says Arctic Wolf CISO Adam Marrè. “It’s a testament to the sophistication of UNC5337. Secure engineering is tough, but even following best practices doesn’t make systems unhackable.”

Details on the Latest Ivanti Flaws

The latest security crisis involves two distinct vulnerabilities that expose Ivanti devices to different levels of risk. The more severe of the two allows an attacker to execute code on a system without needing any login credentials.

Researchers at watchTowr were able to reconstruct an exploit for the critical flaw by diffing patched and unpatched software versions to locate the fix, confirming its high potential for damage.

Vulnerability ID | CVSS Score | Description | Authentication Required?
CVE-2025-0282 | 9.0/10 (Critical) | Stack-based buffer overflow allowing unauthenticated remote code execution. | No
CVE-2025-0283 | 7.0/10 (High) | Stack-based buffer overflow that lets a local, authenticated attacker escalate privileges. | Yes

Sophisticated Malware Deployed in Attacks

UNC5337 has been exploiting the critical CVE-2025-0282 flaw since mid-December 2024. The group uses a custom malware family called “Spawn” to control compromised systems and evade detection.

The attackers’ tools show a deep understanding of Ivanti’s systems and of the mindset of the IT administrators trying to defend them. Alongside the Spawn components, researchers also found two tools that are not part of that family.

  • SpawnAnt: The installer component, used to ensure the malware remains on the device, surviving reboots and system upgrades.
  • SpawnSnail: An SSH backdoor that gives the attackers persistent access to the appliance and, through it, the network.
  • SpawnSloth: This component deletes or alters logs to hide the attacker’s activity.
  • DryHook & PhaseJam: These tools are not part of the Spawn family but were found on the same compromised devices. DryHook harvests credentials, while PhaseJam mimics a legitimate software update, complete with a fake progress bar, while blocking the real upgrade so that the implants are not removed by patching.

“It’s an ingenious way to trick administrators,” notes Mandiant consultant Matt Lin, commenting on the PhaseJam malware.

Widespread Impact and Official Guidance

The scale of the problem is significant. According to data from The ShadowServer Foundation, more than 2,000 Ivanti Connect Secure instances are still vulnerable worldwide. The majority of these exposed devices are located in the United States, followed by France and Spain.

In response, Ivanti and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued guidance. They are urging all customers to immediately run Ivanti’s Integrity Checker Tool (ICT) to scan for signs of a compromise. While patches for Ivanti Connect Secure are available, fixes for Policy Secure and ZTA gateways are not expected until January 21, 2025. A device that the ICT flags as compromised should be factory reset before the fixed version is installed, because upgrading on its own does not remove implants that are designed to survive the upgrade process.

The delay puts additional pressure on security teams, who must monitor their systems closely until a full patch is available. Ivanti stated that its ICT was crucial in identifying the exploitation early, which helped them develop a fix quickly.
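The guidance above boils down to an inventory question: which appliances are below the fixed version, and for which of those is a fix even available yet? The following triage helper is an added example, not code from Ivanti, CISA, or the researchers quoted in this article. It parses Ivanti-style version strings (e.g. 22.7R2.4) so that they compare numerically rather than as text, then sorts each appliance into one of three outcomes. The fixed versions and the patch-availability flags are assumptions taken from Ivanti’s January 2025 advisory; confirm them against the current advisory before relying on the output, and note that the sample inventory is constructed.

```python
import re
from dataclasses import dataclass

# Fixed versions for CVE-2025-0282 / CVE-2025-0283 as published in Ivanti's January 2025
# advisory. ASSUMPTION: confirm these against the current vendor advisory before use.
FIXED_VERSIONS = {
    "Connect Secure": "22.7R2.5",
    "Policy Secure": "22.7R1.2",
    "ZTA Gateway": "22.7R2.3",
}

# Which fixes were actually downloadable at the time of the article (Policy Secure and
# ZTA patches were announced for January 21, 2025). ASSUMPTION: update when they ship.
PATCH_AVAILABLE = {
    "Connect Secure": True,
    "Policy Secure": False,
    "ZTA Gateway": False,
}

PATCHED = "patched"
UPGRADE_NOW = "upgrade now"
NO_PATCH_YET = "no patch yet: run ICT and monitor"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn an Ivanti-style version such as '22.7R2.4' into a tuple that sorts correctly.

    Comparing the raw strings would be wrong ('22.7R2.10' < '22.7R2.5' lexically),
    so each numeric field is converted separately. A missing patch field counts as 0.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


@dataclass(frozen=True)
class Appliance:
    host: str
    product: str   # one of the keys in FIXED_VERSIONS
    version: str   # as reported by the appliance, e.g. '22.7R2.4'


def triage(appliance: Appliance) -> str:
    """Classify one appliance against the fixed version for its product."""
    if appliance.product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product: {appliance.product!r}")
    fixed = parse_version(FIXED_VERSIONS[appliance.product])
    if parse_version(appliance.version) >= fixed:
        return PATCHED
    return UPGRADE_NOW if PATCH_AVAILABLE[appliance.product] else NO_PATCH_YET


def triage_fleet(appliances: list[Appliance]) -> dict[str, str]:
    """Map each host name to its triage status."""
    return {a.host: triage(a) for a in appliances}


# Constructed sample inventory (not real hosts) covering all three outcomes,
# including an end-of-support 9.x train that sorts below every 22.x release.
SAMPLE_FLEET = [
    Appliance("vpn-edge-1", "Connect Secure", "22.7R2.4"),
    Appliance("vpn-edge-2", "Connect Secure", "22.7R2.5"),
    Appliance("vpn-legacy", "Connect Secure", "9.1R18.9"),
    Appliance("nac-1", "Policy Secure", "22.7R1.1"),
    Appliance("zta-1", "ZTA Gateway", "22.7R2.3"),
]

if __name__ == "__main__":
    for host, status in triage_fleet(SAMPLE_FLEET).items():
        print(f"{host:12} {status}")
```

A version check only tells you whether a device can still be exploited, not whether it already has been, so every host in the fleet, including the ones reported as patched, should still get an ICT run; a “no patch yet” result is a signal to tighten monitoring rather than a reason to wait.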

The Human Cost of Cyber Defense

The relentless cycle of vulnerabilities and emergency patching is taking a toll on cybersecurity professionals. The need to act swiftly often conflicts with business operations, as patching can require system downtime.

Adam Marrè highlights the strain on IT teams, saying, “Fixing these vulnerabilities might mean downtime, which organizations often resist. But neglecting updates only increases risk.”

The situation creates a ripple effect, as a confirmed breach triggers a full incident response, consuming time, resources, and energy. “The exhaustion among defenders is real,” adds Matt Lin. “These vulnerabilities don’t just demand technical fixes. They disrupt workflows, strain resources, and put teams through immense pressure.”

Ivanti’s ongoing struggles serve as a stark reminder that the fight against advanced state-linked hacking groups is a continuous and demanding battle for organizations of all sizes.

Frequently Asked Questions about the Ivanti Vulnerability

What is UNC5337?
UNC5337 is a cyber threat group linked to China. It is known for its sophisticated attacks targeting network devices and has a history of exploiting vulnerabilities in Ivanti products to gain access to corporate networks.

Which Ivanti products are affected by the latest flaws?
The new vulnerabilities, CVE-2025-0282 and CVE-2025-0283, impact Ivanti Connect Secure (ICS), Policy Secure, and Neurons for Zero Trust Access (ZTA) gateways.

How does the PhaseJam malware work?
PhaseJam is a bash shell script that tricks system administrators. It displays a fake progress bar to simulate a legitimate system upgrade, while in the background it blocks the real upgrade from completing, ensuring the attacker’s malware survives.

What should I do if I use an affected Ivanti product?
Ivanti and CISA recommend that you immediately run the Ivanti Integrity Checker Tool (ICT) to check for signs of compromise. If the device is clean, apply the available patch for Ivanti Connect Secure as soon as possible; if the ICT reports a compromise, factory reset the appliance before upgrading and start incident response. For the other affected products, monitor closely until their patches are released.

Harper Jones
Harper is an experienced content writer specializing in technology with expertise in simplifying complex technical concepts into easily understandable language. He has written for prestigious publications and online platforms, providing expert analysis on the latest technology trends, making his writing popular amongst readers.
