In mid-December 2024, Ivanti raised the alarm over a critical security flaw impacting its Connect Secure, Policy Secure, and ZTA Gateways that came under active exploitation. This flaw, CVE-2025-0282, has a CVSS score of 9.0 and is a stack-based buffer overflow vulnerability that affects multiple versions of Ivanti’s software, including Connect Secure before version 22.7R2.5, Policy Secure before version 22.7R1.2, and Neurons for ZTA Gateways before version 22.7R2.3. Ivanti has warned that successful exploitation of this flaw could lead to unauthenticated remote code execution, posing a severe threat to affected systems. Ivanti’s advisory notes that threat actor activity was detected by the Integrity Checker Tool on the same day it occurred, allowing the company to respond quickly and develop a fix.
Ivanti also patched another high-severity flaw, CVE-2025-0283, which has a CVSS score of 7.0. This vulnerability allows locally authenticated attackers to escalate their privileges. Although Ivanti confirmed a limited number of customers had their appliances exploited due to CVE-2025-0282, there is no evidence that CVE-2025-0283 has been weaponized. Google-owned Mandiant, detailing its investigation into these attacks, observed the deployment of the SPAWN malware ecosystem across several compromised devices from multiple organizations. The use of SPAWN is attributed to a China-nexus threat actor, UNC5337, possibly connected to UNC5221. The attacks also resulted in the installation of previously undocumented malware families dubbed DRYHOOK and PHASEJAM, which have yet to be linked to any known threat actor or group.
Internal Network Reconnaissance Using Built-in Utilities Like nmap and dig
One of the initial steps threat actors have taken in exploiting CVE-2025-0282 involves conducting internal network reconnaissance using built-in tools like nmap and dig. By leveraging these utilities, attackers can map out the network’s structure, identify active devices, scan for open ports, and determine the landscape of potential targets within the compromised environment. Tools like nmap allow attackers to discover services running on each host, giving them the information they need to plan further infiltration and exploitation activities.
Once attackers gain access to an internal network, they often focus on high-value targets such as domain controllers, databases, and file servers. Because nmap and dig are already present on many systems, attackers can use them to explore the network methodically while drawing less attention than custom tooling would. It is crucial for organizations to monitor for unusual network scanning activity and to harden key systems against unauthorized access to limit the potential damage from such reconnaissance.
Use of the LDAP Service Account to Run LDAP Queries and Move Laterally, Including to Active Directory Servers, via SMB or RDP
After mapping out the network, attackers commonly leverage the LDAP service account to execute LDAP queries and move laterally within the network. This tactic allows them to access and manipulate directory information, making it easier to navigate to critical resources such as Active Directory servers. By using LDAP queries, attackers can gather details about users, groups, and permissions, which are invaluable for planning subsequent steps in the attack.
Navigating laterally within the network often involves using protocols like SMB (Server Message Block) or RDP (Remote Desktop Protocol). Attackers use these methods to connect to and control other devices within the compromised network. Lateral movement techniques are crucial for accessing sensitive data and gaining control over critical systems. Organizations should ensure that their security controls can detect and respond to anomalous LDAP queries and SMB or RDP activities to mitigate the risk of lateral movement within their networks.
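As an added example covering the monitoring advice in this and the preceding section (it is not code from the article, Ivanti or Mandiant), the script below flags port scans and host sweeps in constructed flow records and, for a VPN appliance's internal address, connections over the LDAP, SMB and RDP ports the article names; the record format, thresholds and IP addresses are assumptions.

```python
"""Added example, not code from the article, Ivanti or Mandiant: flag the
reconnaissance and lateral-movement patterns described above in constructed
flow records ('ts src dst dport', an assumed format) from a VPN appliance."""
from collections import defaultdict
# Services the article ties to the post-exploitation steps (LDAP, SMB, RDP).
LATERAL_PORTS = {389: "LDAP", 636: "LDAPS", 445: "SMB", 3389: "RDP"}
SCAN_PORT_THRESHOLD = 10   # distinct ports on one host in a window
SWEEP_HOST_THRESHOLD = 10  # distinct hosts on one port in a window

def parse_flows(lines):
    """Parse 'ts src dst dport' records into (ts, src, dst, dport) tuples."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of failing the run
        flows.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
    return flows

def detect(flows, appliance_ips, window=60):
    """Return sorted, de-duplicated alerts for scans, sweeps and lateral protocols."""
    # Fixed time buckets of `window` seconds per source keep the logic simple;
    # a scan straddling a bucket boundary may be missed.
    buckets = defaultdict(list)
    for ts, src, dst, dport in flows:
        buckets[(src, ts // window)].append((dst, dport))
    alerts = set()
    for (src, _), pairs in buckets.items():
        ports_per_host = defaultdict(set)
        hosts_per_port = defaultdict(set)
        for dst, dport in pairs:
            ports_per_host[dst].add(dport)
            hosts_per_port[dport].add(dst)
            # The appliance's internal interface should not normally speak
            # LDAP/SMB/RDP to internal hosts; treat that as lateral movement.
            if src in appliance_ips and dport in LATERAL_PORTS:
                alerts.add(f"lateral {LATERAL_PORTS[dport]} {src}->{dst}")
        alerts.update(f"port-scan {src}->{d}" for d, p in ports_per_host.items()
                      if len(p) >= SCAN_PORT_THRESHOLD)
        alerts.update(f"host-sweep {src} port {p}" for p, h in hosts_per_port.items()
                      if len(h) >= SWEEP_HOST_THRESHOLD)
    return sorted(alerts)

# Constructed sample: appliance 10.0.0.5 probes 12 ports on one host, then
# touches the directory server over LDAP and SMB; 10.0.2.7 is benign HTTPS.
SAMPLE = [f"{100 + i} 10.0.0.5 10.0.1.20 {20 + i}" for i in range(12)]
SAMPLE += ["130 10.0.0.5 10.0.1.10 389", "131 10.0.0.5 10.0.1.10 445",
           "132 10.0.2.7 10.0.1.10 443", "garbage line"]
ALERTS = detect(parse_flows(SAMPLE), {"10.0.0.5"})
```

In a real deployment the appliance set would hold the internal addresses of the Ivanti gateways and the flows would come from NetFlow or firewall logs rather than the constructed list.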
Extraction of the Application Cache Database Holding VPN Session Details, Session Cookies, API Keys, Certificates, and Credential Material
Another significant step in exploiting CVE-2025-0282 involves extracting the application cache database, which contains crucial information such as VPN session details, session cookies, API keys, certificates, and credential material. This data is invaluable for attackers, as it can be used to impersonate legitimate users, gain unauthorized access to applications, and compromise additional systems within the network.
The application cache database holds sensitive information that, if accessed by attackers, can lead to the escalation of their privileges and further exploitation of the network. By obtaining session cookies and API keys, attackers can bypass authentication mechanisms and interact with applications as authorized users. Certificates and credential material can be used to decrypt communications and gain access to encrypted data, further compromising the security of the network. It’s vital for organizations to protect their application cache databases and monitor for any unauthorized access attempts.
Credential Collection With a Python Script Named DRYHOOK