UNC5337 Strikes Again: Exploiting New Ivanti Vulnerabilities in a High-Stakes Cyber Battle

A Chinese-linked threat group is once again exploiting vulnerabilities in Ivanti remote access devices.

Last year saw numerous high-profile flaws affecting Ivanti appliances, including a critical authentication bypass in its Virtual Traffic Manager (vTM), a SQL injection bug in Endpoint Manager, multiple vulnerabilities in Cloud Services Appliance (CSA), and critical issues in Standalone Sentry and Neurons for IT Service Management (ITSM). The trouble began in January when two major vulnerabilities were discovered in Ivanti's Connect Secure (ICS) and Policy Secure gateways. These were actively exploited by UNC5337, a suspected Chinese-nexus threat actor linked to UNC5221.

Now, despite Ivanti’s pledge to prioritize secure-by-design practices, a new critical vulnerability in ICS has been uncovered. This flaw also affects Policy Secure and Neurons for Zero Trust Access (ZTA) gateways. Ivanti has additionally flagged a second, less critical vulnerability, which has yet to be exploited.

Sophisticated Threats and Challenges in Secure Engineering

Arctic Wolf CISO Adam Marrè highlighted the complexity of engineering secure systems, emphasizing that even secure-by-design principles cannot guarantee invulnerability to highly skilled attackers leveraging advanced techniques and resources.

New Ivanti Vulnerabilities

Researchers identified two notable security issues:

  1. CVE-2025-0283: A "high" severity vulnerability with a CVSS score of 7.0, allowing authenticated attackers to escalate privileges on devices running affected versions of ICS, Policy Secure, and ZTA gateways.
  2. CVE-2025-0282: A "critical" 9.0 CVSS vulnerability that permits unauthenticated attackers to execute code with root privileges. Researchers from watchTowr reverse-engineered an exploit for this flaw by comparing patched and unpatched versions of ICS.

Exploitation by UNC5337

Mandiant reported that CVE-2025-0282 has been exploited since mid-December. The attackers deployed the “Spawn” malware family, which includes:

  • SpawnAnt: Installs malware and persists through system updates.
  • SpawnMole: Manages communication with attacker infrastructure.
  • SpawnSnail: An SSH backdoor.
  • SpawnSloth: Manipulates logs to hide malicious activity.

Researchers also discovered additional malware, including DryHook, a Python script for credential theft, and PhaseJam, a bash script that executes remote commands and prevents legitimate updates by displaying a fake progress bar.

Mitigation and the Path Forward

Data from The ShadowServer Foundation indicates over 2,000 vulnerable ICS instances, primarily in the US, France, and Spain. Ivanti, alongside the Cybersecurity and Infrastructure Security Agency (CISA), has issued guidance for mitigating CVE-2025-0282. This includes running Ivanti’s Integrity Checker Tool (ICT) to detect infections and implementing patches promptly.

While Ivanti has patched ICS, updates for Policy Secure and ZTA gateways are scheduled for release on January 21. Ivanti assured that ZTA gateways cannot be exploited in production environments, and Policy Secure is designed to minimize exposure by not being internet-facing.

The Importance of Proactive Action

Experts urge administrators to act promptly to mitigate vulnerabilities, even if it requires temporary system downtime. Organizations that have historically responded swiftly to such threats often fare better than those that delay. Mandiant’s Matt Lin emphasized the significant workload involved in responding to vulnerabilities, which includes patching, assessing exposure, and incident response for potential breaches. Despite the challenges, prioritizing proactive measures remains critical to minimizing risk and impact.