Stratos Ally

Ivanti Connect Secure and Policy Secure Under Active Attack!


DarkSoul


A stack-based buffer overflow affects Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3. The flaw is tracked as CVE-2025-0282 and carries a CVSS score of 9.0.

Ivanti stated in its advisory that successful exploitation of CVE-2025-0282 could lead to unauthenticated remote code execution. The malicious activity was first flagged by the Integrity Checker Tool (ICT) on the day it occurred, and Ivanti responded promptly with a fix.

Ivanti also released a patch for another high-severity flaw (CVE-2025-0283, CVSS score: 7.0) that allowed a locally authenticated attacker to escalate privileges. The vulnerabilities addressed in version 22.7R2.5 are:

• CVE-2025-0282 – Ivanti Connect Secure 22.7R2 through 22.7R2.4, Ivanti Neurons for ZTA gateways 22.7R2 through 22.7R2.3 and Ivanti Policy Secure 22.7R1 through 22.7R1.2.  

• CVE-2025-0283 – Ivanti Connect Secure 22.7R2.4 and prior, 9.1R18.9 and prior, Ivanti Policy Secure 22.7R1.2 and prior, and Ivanti Neurons for ZTA gateways including and prior to version 22.7R2.3.  
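To turn the affected-version list above into an inventory check, here is an added example (not Ivanti's or Mandiant's code) that parses Ivanti version strings such as `22.7R2.4` and reports which of the two CVEs apply to a given product and version. The ranges are taken from the bullet list above; treating an "and prior" bound as covering only builds on the same major.minor train (e.g. `9.1R18.9 and prior` covers `9.1R*` only) is an assumption of this example.

```python
import re

# Affected ranges for the two CVEs, copied from the bullet list above.
# Each entry is (inclusive lower bound or None, inclusive upper bound).
# A lower bound of None means "every build on the same major.minor train
# up to and including the upper bound" (assumption of this example).
AFFECTED = {
    "CVE-2025-0282": {
        "Ivanti Connect Secure": [("22.7R2", "22.7R2.4")],
        "Ivanti Policy Secure": [("22.7R1", "22.7R1.2")],
        "Ivanti Neurons for ZTA gateways": [("22.7R2", "22.7R2.3")],
    },
    "CVE-2025-0283": {
        "Ivanti Connect Secure": [(None, "22.7R2.4"), (None, "9.1R18.9")],
        "Ivanti Policy Secure": [(None, "22.7R1.2")],
        "Ivanti Neurons for ZTA gateways": [(None, "22.7R2.3")],
    },
}

# Ivanti versions look like MAJOR.MINOR R RELEASE [. BUILD], e.g. 22.7R2.4 or 22.7R2
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(s: str) -> tuple:
    """Parse '22.7R2.4' into the comparable tuple (22, 7, 2, 4); '22.7R2' -> (22, 7, 2, 0)."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {s!r}")
    major, minor, release, build = m.groups()
    return (int(major), int(minor), int(release), int(build or 0))


def in_range(version: str, lo, hi: str) -> bool:
    """True if version lies within [lo, hi]; lo=None restricts to hi's major.minor train."""
    v, h = parse_version(version), parse_version(hi)
    if lo is None:
        return v[:2] == h[:2] and v <= h
    return parse_version(lo) <= v <= h


def affected_cves(product: str, version: str) -> list:
    """Return the CVE identifiers from AFFECTED that apply to this product/version."""
    hits = []
    for cve, products in AFFECTED.items():
        for lo, hi in products.get(product, []):
            if in_range(version, lo, hi):
                hits.append(cve)
                break  # one matching range is enough for this CVE
    return hits
```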

Mandiant Corp detailed its investigation into attacks exploiting CVE-2025-0282 and said it observed the deployment of the SPAWN ecosystem of malware. The use of SPAWN has been linked to a China-nexus threat actor dubbed UNC5337. According to the company, exploitation of CVE-2025-0282 involves multiple actions: disabling SELinux, blocking syslog forwarding, remounting the drive as read-write, executing scripts to deploy web shells, using sed to remove specific entries from the debug and application logs, re-enabling SELinux, and remounting the drive.

One of the payloads executed by the shell script is another shell script that runs an ELF binary responsible for launching a shell script dropper, PHASEJAM, designed to maliciously modify Ivanti Connect Secure appliance components. PHASEJAM also establishes persistence by stealthily blocking legitimate updates to the Ivanti appliance, rendering a fake HTML upgrade progress bar instead. Meanwhile, the installer component of the SPAWN malware framework, SPAWNANT, maintains persistence across system upgrades by hijacking the execution flow of dspkginstall, a binary used during the system upgrade process.

According to Mandiant, the post-exploitation activity included internal network reconnaissance, theft of the application cache, LDAP queries against Active Directory (AD), and deployment of DRYHOOK for credential harvesting. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-0282 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by January 15, 2025.
