Two vulnerabilities were disclosed by Ivanti in their Connect Secure (ICS/ISA) VPN, Policy Secure and Neurons for ZTA solutions. One of them (CVE-2025-0282; a link is available for our Vulnerability Intelligence feed, i.e. "MVI-watch", clients) is believed to have been exploited in the wild as a 0-day, in a limited number of cases and against the Connect Secure solution only.
Mandiant researchers observed that the CVE-2025-0282 vulnerability is being exploited by at least one Chinese state-sponsored threat actor identified as UNC5337, believed to be part of the UNC5221 cluster, since mid-December 2024. As a reminder, UNC5221 is a Chinese state-sponsored group that exploited other Ivanti critical 0-days (CVE-2023-46805 and CVE-2024-21887) in early 2024.
The other vulnerability (CVE-2025-0283; a link is available for our Vulnerability Intelligence clients subscribed to "MVI-watch") was not exploited according to the vendor.
CVE-2025-0282 is a critical unauthenticated RCE with a CVSS 3.0 score of 9 out of 10, found by Ivanti using outputs of its ICT checking tool. Only a limited number of Connect Secure versions are impacted: 22.7R2 to 22.7R2.4 (thus releases from May 2024 to this day). Earlier versions are unaffected according to the vendor.
CVE-2025-0283 is less critical, as it was found by Ivanti and enables an authenticated user to elevate privileges locally (CVSS score of 7/10). It affects all Ivanti Connect Secure versions including the 9.x branch. The flaws affect the related products as well, i.e. Ivanti Policy Secure and Neurons for ZTA gateways.
Patches are available in version 22.7R2.5, along with a new version of their External and Internal Integrity Control Tool (ICT) checker. This updated tool remains the best solution to identify a possible compromise of your instance.
Run the new External ICT checking tool and investigate any mismatched or suspicious file detected.
Update to the latest version of Connect Secure as soon as possible, once the external and internal ICT scans come out clean. Out of an abundance of caution, Ivanti recommends that everyone factory reset the appliance before upgrading.
We advise you to hunt for any sign of compromise, including suspicious behavior observed since mid-December last year, in past ICT scan results and by running additional scans using the updated External ICT provided by Ivanti. Patching to the fixed version after a thorough investigation is highly recommended.
A few IOCs were shared by Mandiant: Orange Cyberdefense’s Datalake platform provides access to Indicators of Compromise (IoCs) related to this threat, which are automatically fed into our Managed Threat Detection services. This enables proactive hunting for IoCs if you subscribe to our Managed Threat Detection service that includes Threat Hunting. If you would like us to prioritize addressing these IoCs in your next hunt, please make a request through your MTD customer portal or contact your representative.
Orange Cyberdefense’s MTI [protect] service offers the ability to automatically feed network-related IoCs into your security solutions. To learn more about this service and to find out which firewall, proxy, and other vendor solutions are supported, please get in touch with your Orange Cyberdefense Trusted Solutions representative.
Please feel free to contact Orange Cyberdefense CERT if you suspect any potential compromise or if you require remediation expertise regarding this matter.
The Orange Cyberdefense CERT is tracking developments regarding these vulnerabilities and publishes World Watch advisories updates as new relevant information on this matter becomes available. More information on how to access this can be found here.
According to a technical report released by Mandiant, UNC5337 typically first sends HTTP requests from VPS providers or via the Tor network to the targeted appliance to determine if it runs a vulnerable version (22.7R2 to 22.7R2.4), with queries following this pattern: /dana-cached/hc/hc_launcher.22.7.2.2615.jar. If the appliance is vulnerable, UNC5337 exploits the stack-based buffer overflow to achieve unauthenticated remote code execution. Once within the appliance, UNC5337 disables SELinux (which defines access controls for applications, processes, and files on a system), blocks syslog forwarding, and remounts the file system read-write to facilitate the installation of malware.
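The version-probing pattern above, together with the affected release range given earlier in this advisory, can be turned into a simple hunting check. The script below is an added example and is not Orange Cyberdefense's, Mandiant's or Ivanti's code: it scans access-log lines for clients that request several different hc_launcher builds (a real VPN client only fetches the single build the appliance serves) and checks whether an ICS release string falls within 22.7R2 to 22.7R2.4. The Apache-style log layout and all build numbers other than 22.7.2.2615 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (the combined-log layout is an assumption;
# the appliance's real format may differ). Only build 22.7.2.2615 is from the
# advisory; the other two version strings are made up for the example.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Dec/2024:02:14:03 +0000] "GET /dana-cached/hc/hc_launcher.22.7.2.2615.jar HTTP/1.1" 200 512000
203.0.113.10 - - [16/Dec/2024:02:14:04 +0000] "GET /dana-cached/hc/hc_launcher.22.7.2.1111.jar HTTP/1.1" 404 0
203.0.113.10 - - [16/Dec/2024:02:14:05 +0000] "GET /dana-cached/hc/hc_launcher.22.7.2.2222.jar HTTP/1.1" 404 0
198.51.100.7 - - [16/Dec/2024:09:30:11 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 2048
198.51.100.7 - - [16/Dec/2024:09:30:15 +0000] "GET /dana-cached/hc/hc_launcher.22.7.2.2615.jar HTTP/1.1" 200 512000
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LAUNCHER_RE = re.compile(r"^/dana-cached/hc/hc_launcher\.([\d.]+)\.jar$")
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_line(line):
    """Return (client_ip, path, status) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, path, status = m.groups()
    return ip, path, int(status)


def find_version_probes(log_text, min_versions=2):
    """Map client IP -> sorted list of distinct hc_launcher builds it requested.

    Only clients asking for at least `min_versions` builds are returned; a
    legitimate client fetches one build, a scanner enumerates many (mostly 404).
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, _status = parsed
        m = LAUNCHER_RE.match(path)
        if m:
            seen[ip].add(m.group(1))
    return {ip: sorted(v) for ip, v in seen.items() if len(v) >= min_versions}


def is_vulnerable_release(release):
    """True if an ICS release string is in 22.7R2 .. 22.7R2.4 (CVE-2025-0282)."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    major, minor, r, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, r) == (22, 7, 2) and 0 <= patch <= 4
```

Run `find_version_probes` over your own exported access logs and treat any flagged source as a candidate for the ICT-based investigation recommended above; `is_vulnerable_release` takes the release string shown in the admin console.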
To maintain persistence within the network, UNC5337 has been observed using two different techniques:
UNC5337 also erases traces of their intrusion, using the sed command to remove specific entries from system and application logs. Then, the threat actor has been seen conducting post-exploitation activities. Using open-source tunnelers (not mentioned by Mandiant, but probably from the STOWAWAY family) or the SPAWNMOLE strain, communication is established between the appliance and a C2 server.
UNC5337 maps the victim’s internal network via tools built into the appliance, such as nmap and dig, and runs LDAP queries to identify other potentially vulnerable systems. Finally, UNC5337 exfiltrates sensitive information stored on the appliance and network, particularly the cache database, which potentially contains identifiers, session cookies, API keys, and certificates. They also deploy a new Python script called DRYHOOK to steal credentials from users who authenticate to the VPN appliance. DRYHOOK intercepts and logs credentials by modifying a system component named “DSAuth.pm”.
UNC5221 and UNC5337 are two Chinese state-sponsored groups that engage in cyberespionage. Both groups exploited Ivanti 0-day vulnerabilities a year ago, using the SPAWN malware strains at the time. The attribution of UNC5337 as part of UNC5221 is made by Mandiant with only a medium level of confidence.
The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, with US federal agencies needing to act before January 15, 2025.
The latest Security Navigator 2025 from Orange Cyberdefense underscores the growing risks associated with unpatched vulnerabilities, highlighting the need for organizations to adopt a proactive approach to vulnerability management.
Orange Cyberdefense reviewed over 32,000 distinct CVEs in clients' environments, noting that patching delays create substantial risks of exploitation. VPNs and similar technologies are particularly at risk, as they often become prime targets for attackers due to their exposure and critical role in securing organizational networks.
To address these risks, Orange Cyberdefense advocates for adopting a threat-informed approach, including: