Ivanti disclosed CVE-2025-0282 on January 8, 2025. Mandiant’s retrospective analysis placed active exploitation in December 2024 — at least 12 days prior. During that window, organizations running Ivanti Connect Secure had no patch to apply, no advisory to act on, and no way to know they were being targeted. The patch was written. The attackers already had root.
This is the third time this has happened in 12 months.
The Vulnerability
CVE-2025-0282 is a stack-based buffer overflow in the IKEv2 authentication handler of Ivanti Connect Secure, Policy Secure, and ZTA Gateways. CVSS 9.0. Unauthenticated. Network-accessible. The overflow occurs when the appliance processes a crafted IKEv2 packet — before any authentication check runs. Exploitation gives remote code execution as root on the appliance.
CVE-2025-0283 ships as a companion: a local privilege escalation, CVSS 7.0, that elevates a limited post-exploitation foothold in a service account to root. Together, the two form a complete chain from pre-authentication access to full compromise.
The IKEv2 handler processes traffic from the internet. That’s the design. It has to be exposed because the appliance is the VPN gateway. The attack surface isn’t a misconfiguration — it’s the product.
The Actor
The actor is UNC5337, assessed as a China-nexus APT with substantial overlap with UNC5221 — the same actor attributed to the January 2024 exploitation campaign. The thread from prior Ivanti targeting runs directly into this one.
The post-exploitation tooling in this campaign is named by Mandiant as the SPAWN family.
SPAWNANT handles installation and persistence. It patches legitimate Ivanti processes in memory, embedding the implant into running process space without touching disk in the conventional sense.
SPAWNMOLE is a SOCKS5 tunneling proxy. C2 traffic proxies through it and blends with legitimate Ivanti management traffic on the appliance — traffic that your network monitoring is, by necessity, trusting.
SPAWNSNAIL is an SSH backdoor on an internal port. The notable attribute: it survives factory reset. Ivanti’s factory reset procedure restores components from a known-good baseline. SPAWNSNAIL patches into components that are part of that restoration process. The reset restores the backdoored version.
PHASEJAM is a web shell dropper with a specific target: Ivanti’s Integrity Checker Tool (ICT). Ivanti provides ICT so organizations can verify the appliance hasn’t been tampered with. PHASEJAM patches ICT to return clean results while the implants persist. The integrity checker attests that the host is clean. The host is not clean. The attestation mechanism and the thing it’s attesting are running in the same compromised environment.
DRYHOOK is a credential harvester targeting authentication processes directly — capturing credentials as they pass through the appliance’s authentication stack.
The Pattern
Three separate critical exploitation events in 12 months, all against Ivanti Connect Secure, all attributed to Chinese APT infrastructure:
January 2024: CVE-2024-21887 (command injection) combined with CVE-2024-21893 (SSRF). Exploited in the wild before a patch was available. Attributed to UNC5221.
September 2024: CVE-2024-8963 (path traversal) combined with CVE-2024-8190 (OS command injection). Exploited as zero-days. Same product, same access model, same outcome.
January 2025: CVE-2025-0282. Exploited before disclosure. At least 12 days of pre-patch exposure on a network-facing appliance.
The interval between events is approximately six months. Each was exploited before, or immediately upon, disclosure. Each is attributed to the same general actor cluster.
“Exploited before disclosure” has two explanations. The first: the actor found the vulnerability independently through their own research on the Ivanti codebase. The second: the actor had some visibility into Ivanti’s internal vulnerability research or patch development process — a supply chain compromise, a recruited insider, an observable build pipeline, or an attacker who is simply very fast at reverse-engineering patch deltas.
The first explanation is plausible once. Three times in 12 months, same product, same actor, shifts the prior. It doesn’t prove the second explanation, but it makes the first one feel like motivated reasoning.
PHASEJAM’s targeting of ICT specifically argues for architectural knowledge. You don’t build a tool that neutralizes a specific integrity checker unless you know the checker exists, understand how it works, and have had time to build a bypass before deployment. That’s not the behavior of an actor who stumbled onto a bug. That’s preparation.
The Appliance Problem
Ivanti Connect Secure runs as an embedded Linux appliance, exposed to the internet by design. The attack surface — IKEv2 handler, web interface, SAML processing, REST APIs — is entirely network-facing and mostly pre-authentication.
The appliance model creates a structural problem for defenders. You can’t apply OS-level patches independent of Ivanti’s release cycle. You can’t run your own EDR on it. You can’t instrument the runtime environment. You can’t inspect what’s running inside the appliance without Ivanti’s tooling. When Ivanti provides ICT as the integrity verification mechanism and PHASEJAM patches ICT, the entire verification model collapses — and you have no fallback because you don’t have access to the environment.
The only tools available to defenders are: network traffic analysis (which SPAWNMOLE is specifically designed to defeat by blending with legitimate traffic), Ivanti’s own tooling (which PHASEJAM patches), and external attestation (which doesn’t exist in this deployment model).
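The two failure modes above (a checker patched on the host it is checking, and a reset that restores from a copy the attacker could also reach) come down to where the reference for "known-good" lives. The following Python is an added illustration, not code from this article or from Ivanti: it models a tiny appliance file tree as constructed in-memory data with made-up paths, an on-box checker in the ICT style, and a manifest comparison whose baseline is held off the box. It shows that an honest on-box checker and an off-box comparison agree until the checker itself is patched, and that a reset sourced from an on-box restore copy hands the implant back, while the off-box manifest still flags it.

```python
import hashlib
from typing import Dict, List, Mapping

# Constructed stand-in for an appliance file tree (path -> contents).
# Paths and contents are illustrative; they are not Ivanti's real files.
VENDOR_IMAGE: Dict[str, bytes] = {
    "bin/ict": b"integrity-checker v1\n",
    "bin/webd": b"web daemon v1\n",
    "lib/ikev2.so": b"ikev2 handler v1\n",
}


def build_manifest(files: Mapping[str, bytes]) -> Dict[str, str]:
    """SHA-256 of every file, keyed by path."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}


def compare(baseline: Mapping[str, str], current: Mapping[str, str]) -> Dict[str, List[str]]:
    """Diff two manifests: changed, missing and unexpected files."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def is_clean(diff: Mapping[str, List[str]]) -> bool:
    """A manifest diff is clean when every category is empty."""
    return not any(diff.values())


class OnBoxChecker:
    """Integrity checker that runs on the same host it verifies (the ICT model)."""

    def __init__(self, baseline: Mapping[str, str]) -> None:
        self.baseline = dict(baseline)

    def verify(self, files: Mapping[str, bytes]) -> bool:
        return is_clean(compare(self.baseline, build_manifest(files)))


class PatchedChecker(OnBoxChecker):
    """The same checker after a root-level attacker has patched it in place:
    it never looks at the files and always reports clean."""

    def verify(self, files: Mapping[str, bytes]) -> bool:
        return True


def factory_reset(restore_partition: Mapping[str, bytes]) -> Dict[str, bytes]:
    """Rebuild the running file tree from the on-box restore copy."""
    return dict(restore_partition)


def scenario() -> dict:
    """Walk through compromise, on-box vs off-box checking, and a reset."""
    # Reference manifest computed from the vendor image and stored OFF the box.
    offbox_baseline = build_manifest(VENDOR_IMAGE)

    # The appliance ships with a restore partition that is a copy of the image.
    restore_partition = dict(VENDOR_IMAGE)
    running = dict(VENDOR_IMAGE)

    # Compromise with root (simulated): implant a library, patch the checker,
    # add a backdoor, and patch the restore copy so a reset restores the implant.
    implanted_lib = b"ikev2 handler v1\n<implant>"
    running["lib/ikev2.so"] = implanted_lib
    running["bin/ict"] = b"integrity-checker v1 (patched)\n"
    running["tmp/.backdoor"] = b"<ssh listener>"
    restore_partition["lib/ikev2.so"] = implanted_lib

    honest = OnBoxChecker(offbox_baseline).verify(running)      # detects changes
    patched = PatchedChecker(offbox_baseline).verify(running)   # reports clean anyway
    offbox_diff = compare(offbox_baseline, build_manifest(running))

    after_reset = factory_reset(restore_partition)
    reset_diff = compare(offbox_baseline, build_manifest(after_reset))

    return {
        "onbox_honest_says_clean": honest,
        "onbox_patched_says_clean": patched,
        "offbox_diff": offbox_diff,
        "after_reset_diff": reset_diff,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The design point is that a baseline and a comparison routine are only as trustworthy as the least-trusted host that can write to them; keeping the manifest off the box is necessary but not sufficient, because the comparison also needs a way to read the appliance's files that does not pass through the appliance's own software. On a closed appliance that read path is exactly what is missing, which is the gap the article is describing.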
What Organizations Actually Do
Ivanti Connect Secure is widely deployed because it works. It’s the successor to Pulse Secure, which organizations standardized on over years of operation. Migration to a different VPN solution is measured in months — inventory, testing, parallel operation, user training, decommission. You can’t migrate in response to a disclosure.
The 12-day pre-disclosure exploitation window on CVE-2025-0282 is the interval during which organizations were undefended by definition. No patch, no advisory, no indicator of compromise released yet. The only mitigation available in that window was not running the product — which is not a realistic option for organizations that depend on it for remote access.
This is the actual cost of the appliance security model: when the attestation mechanism is compromised, when the factory reset restores the backdoor, when C2 traffic is indistinguishable from management traffic, defenders have no lever to pull. They find out they were compromised when Mandiant publishes a report, weeks later.
The pattern is clear. Three cycles, six-month intervals, same actor. The next one is already being written.
PGP signature: ivanti-the-vulnerability-subscription.md.asc — Key fingerprint: 5FD2 1B4F E7E4 A3CA 7971 CB09 DE66 3978 8E09 1026