216.73.217.64

Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation

· Published 09/01/2025 08:56 · Modified 09/01/2025 09:09

Export JSON

Essential information

Published
09/01/2025 08:56
Modified
09/01/2025 09:09
Tags
2025-01-09 credential-theft dryhook ivanti phasejam spawnant spawnsloth vpn
Related entities
4 vulnerabilities (cve), 7 observables, 1 intrusion sets (apt), 10 techniques (mitre), 6 malware

Description

A new zero-day vulnerability, CVE-2025-0282, in Connect Secure appliances has been exploited since mid-December 2024. The vulnerability allows unauthenticated remote code execution. Attackers have deployed multiple malware families, including SPAWN, , and , to maintain persistence, steal credentials, and evade detection. The attacks involve disabling security features, injecting web shells, blocking system upgrades, and performing network reconnaissance. Multiple threat actors may be involved, with some activity attributed to China-nexus groups UNC5337 and UNC5221. has released patches and recommends customers use their Integrity Checker Tool and implement security measures.

External references