A China-linked threat group tracked as UNC5337 has resurfaced, exploiting a new critical vulnerability in Ivanti's remote access appliances. Despite the vendor's public pledge to adopt secure-by-design principles, the episode adds another chapter to a long run of security problems with its products.
A Year of Repeat Offenses
Ivanti's run of vulnerabilities has kept IT administrators perpetually on edge. Last year alone, the company dealt with SQL injection flaws, authentication bypasses, and critical bugs across its appliance line-up, including Virtual Traffic Manager and Endpoint Manager. The timeline was peppered with emergency patches and rising anxiety.
UNC5337, believed to be tied to another Chinese group, UNC5221, exploited serious flaws in Ivanti's Connect Secure (ICS) and Policy Secure gateways as early as January last year. Now the group is back, taking advantage of a fresh critical flaw in ICS that also affects Policy Secure and Neurons for Zero Trust Access (ZTA) gateways.
“This isn’t about ease of exploitation,” says Arctic Wolf CISO Adam Marrè. “It’s a testament to the sophistication of UNC5337. Secure engineering is tough, but even following best practices doesn’t make systems unhackable.”
The Latest Vulnerabilities
Ivanti's newest problems come in the form of two vulnerabilities:
- CVE-2025-0283: A high-severity buffer overflow rated 7.0/10 on the CVSS scale. It allows a local, authenticated attacker to escalate privileges on the device, so it is not remotely exploitable on its own.
- CVE-2025-0282: A critical flaw rated 9.0/10 on the CVSS scale. It allows unauthenticated remote code execution, which makes it the more dangerous of the two and the one being exploited in the wild. Researchers at watchTowr reverse-engineered an exploit for it by diffing patched and unpatched ICS builds to locate the fix.
UNC5337 has been exploiting CVE-2025-0282 since mid-December, using tools from its "Spawn" malware family: SpawnAnt for persistence, SpawnSnail as a backdoor, and SpawnSloth for log tampering. Researchers also found two additional tools that are not part of the Spawn family, DryHook and PhaseJam, used to steal credentials and maintain persistence, respectively.
A Closer Look at the Tools of Exploitation
DryHook, a Python script, harvests credentials stored on the device, while PhaseJam takes a more creative approach. The bash script simulates a fake upgrade, showing administrators a convincing progress bar while quietly blocking the legitimate upgrade from completing. An administrator who believes the appliance has been upgraded is therefore left with a device that is still vulnerable and still infected, so the malware survives the very step meant to remove it.
“It’s an ingenious way to trick administrators,” says Mandiant consultant Matt Lin. “These tools show a deep understanding of Ivanti’s systems.”
The Widespread Impact
According to scan data from The ShadowServer Foundation, more than 2,000 ICS instances exposed to the internet remain vulnerable. The United States has the largest number of potentially affected devices, followed by France and Spain, which underlines the global reach of the flaw. The figures reflect how hard organizations find it to keep up with urgent patches for edge devices.
What Comes Next?
Ivanti and the Cybersecurity and Infrastructure Security Agency (CISA) have both issued guidance on mitigating CVE-2025-0282. Their recommendations include running Ivanti's Integrity Checker Tool (ICT) to detect signs of compromise and applying patches immediately. Patching alone does not remove an implant that is already on the appliance, which is why the ICT check belongs before the upgrade as well as after it. There is also a caveat on timing: while ICS patches are available now, those for Policy Secure and ZTA gateways won't arrive until January 21.
In a statement, Ivanti emphasized its rapid response. "Our ICT tool was instrumental in identifying exploitation as it happened, enabling us to quickly develop and release a fix," a company spokesperson said. "We urge organizations to use ICT and monitor their systems closely."
Marrè and Lin both stress the need for swift action. Marrè also notes the strain on IT teams: "Fixing these vulnerabilities might mean downtime, which organizations often resist. But neglecting updates only increases risk."
Lessons Learned and Lingering Questions
While Ivanti continues to address these vulnerabilities, the broader security community faces mounting pressure. Administrators must not only patch but also determine whether their appliances were already breached; where they were, a full incident response follows, with effects that ripple across the organization.
“The exhaustion among defenders is real,” Lin adds. “These vulnerabilities don’t just demand technical fixes. They disrupt workflows, strain resources, and put teams through immense pressure.”
Ivanti’s challenges underscore a universal truth: even with secure-by-design principles, the battle against advanced threat actors like UNC5337 is far from over.