On January 8, 2025, cybersecurity researchers from SecureIntel Labs disclosed a critical vulnerability, CVE-2025-0282, affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways.

Background

CVE-2025-0282 is a stack-based buffer overflow vulnerability identified in versions of Ivanti products prior to Connect Secure 22.7R2.5, Policy Secure 22.7R1.2, and Neurons for ZTA gateways 22.7R2.3. Buffer overflow vulnerabilities occur when more data is written to a block of memory (the buffer) than it can hold, causing adjacent memory to be overwritten. In this case, the vulnerability arises in how Ivanti products handle specific inputs from unauthenticated remote requests. By sending specially crafted payloads, attackers can exploit this vulnerability to overwrite critical memory regions, allowing them to execute arbitrary code. This can include injecting malicious commands, disabling security features, or even installing persistent malware.

The flaw resides in the input validation processes within the affected products. Specifically, insufficient checks on input length and structure lead to conditions where memory corruption can occur. This makes the vulnerability particularly dangerous as it does not require authentication, enabling exploitation over the internet without prior access to the system. As these products are often deployed as critical gateways in Zero Trust architectures, the potential for widespread compromise is significant.

Exploitation

Version-specific exploitation has been noted, with attackers often performing reconnaissance by querying specific Host Checker Launcher files to determine the version of the appliance prior to exploitation. Known targets include files such as:

• /dana-cached/hc/hc_launcher.22.7.2.2615.jar

• /dana-cached/hc/hc_launcher.22.7.2.3191.jar

• /dana-cached/hc/hc_launcher.22.7.2.3221.jar

• /dana-cached/hc/hc_launcher.22.7.2.3431.jar

Once the version is confirmed, the exploitation script generally executes a series of actions, including disabling SELinux, blocking syslog forwarding via iptables, and remounting drives as read-write to deploy malware.

The typical exploit flow for CVE-2025-0282 includes:

1. Disabling SELinux with setenforce 0.

2. Blocking syslog forwarding via commands like:

iptables -A OUTPUT -p udp --dport 514 -j DROP
iptables -A OUTPUT -p tcp --dport 514 -j DROP



3. Remounting drives as read-write using mount -o remount,rw /.

4. Writing and executing shell scripts to deploy web shells and malware.

5. Cleaning up logs using tools like sed to remove entries from debug and application logs.

Deployed malware families include:

• PHASEJAM: A web shell dropper that modifies legitimate files like getComponent.cgi and restAuth.cgi, providing attackers remote access and command execution capabilities.

• SPAWNSNAIL: An SSH backdoor designed to facilitate remote persistence.

• DRYHOOK: A credential theft tool that modifies authentication components to harvest user credentials.

Attack Chain Example

1. Reconnaissance: The attacker begins by probing the Ivanti Connect Secure (ICS) VPN appliance to identify its version. This is achieved through repeated HTTP requests to specific Host Checker Launcher files, such as /dana-cached/hc/hc_launcher.*.jar. Requests originating from VPS providers or Tor exit nodes often indicate this phase.

2. Exploitation: Once the appliance version is confirmed, the attacker delivers a specially crafted payload to exploit the stack-based buffer overflow vulnerability. This payload is designed to overwrite critical memory regions, enabling arbitrary code execution.

3. Post-Exploitation Setup:

• Disable SELinux: setenforce 0 ensures the system's security policies are no longer enforced.

• Block Logs: Using iptables, syslog forwarding is disabled to prevent detection by external monitoring systems.

• Remount Drives: Drives are remounted with read-write permissions using mount -o remount,rw / to allow the deployment of malware.

4. Malware Deployment:

• Drop Web Shells: The attacker installs web shells into legitimate ICS files such as getComponent.cgi and restAuth.cgi, enabling persistent remote access and command execution.

• Deploy Credential Stealer: Tools like DRYHOOK modify authentication components to intercept and exfiltrate user credentials.

• Install Backdoors: Malware such as SPAWNSNAIL, an SSH backdoor, is deployed for persistent access.

5. Persistence Mechanisms:

• The attacker modifies system upgrade scripts (e.g., DSUpgrade.pm) to simulate a fake upgrade process while ensuring that malicious components remain intact.
  

• Malware such as SPAWNANT establishes persistence by hijacking binaries used during legitimate system upgrades.
  

6. Anti-Forensics:

• Kernel messages are cleared using dmesg -C.

• Log entries are scrubbed with sed commands to remove traces of exploitation.

• Temporary files and malware artifacts are deleted after deployment.

7. Lateral Movement:

• Using harvested credentials and tools like LDAP queries, the attacker explores the internal network.

• Tunnelers like SPAWNMOLE establish secure communication channels to bypass network security controls.

8. Data Exfiltration:

• Cached database files containing sensitive information, such as session cookies and API keys, are archived and staged for exfiltration.

• Credentials and other harvested data are encrypted and transferred to the attacker’s infrastructure.

Mitigation

Organizations using affected Ivanti products should prioritize patching as their first line of defense. Ivanti has released updates addressing this vulnerability, and all systems should be updated to the secure versions immediately.

Enhanced network monitoring should also be implemented to detect anomalous behavior indicative of exploitation attempts. It is equally important to review and tighten access controls, particularly for publicly exposed systems, to reduce potential attack surfaces. Developers and security teams can utilize resources such as NIST’s Vulnerability Database to understand and mitigate potential threats.

Indicators of Compromise

IoCs related to this activity include:

• Files modified or introduced, such as /home/webserver/htdocs/dana-na/jam/getComponent.cgi and /tmp/svb.

• Unusual network traffic from VPS providers or Tor networks targeting known Host Checker Launcher files.

• HTTP requests in sequential version order indicating pre-exploitation reconnaissance.

• Log anomalies, including cleared kernel messages (dmesg -C) and missing syslog entries.

Other IoCs include:

• Unusual spikes in network traffic to Ivanti gateways.

• Unexpected log entries indicating memory corruption errors or process crashes.

• Evidence of unauthorized administrative access attempts.

• Suspicious outbound connections originating from affected systems.

Administrators should monitor their logs for these IoCs and cross-reference against known malicious IPs or domains using tools like VirusTotal, AbuseIPDB, or Ivanti’s Integrity Checker Tool (ICT).

Attribution

Mandiant has linked the deployment of the SPAWN malware ecosystem on Ivanti Connect Secure appliances to UNC5337, a China-based espionage group. UNC5337 has been active since at least January 2024 and has exploited vulnerabilities such as CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) to compromise Ivanti devices. The group is known to use custom malware families including SPAWNSNAIL (an SSH backdoor), SPAWNMOLE (a tunneler), SPAWNANT (an installer), and SPAWNSLOTH (a log tampering utility). Mandiant assesses with medium confidence that UNC5337 operates under the broader UNC5221 umbrella.

UNC5221, also a China-linked actor, has targeted Ivanti Connect Secure and Policy Secure appliances since December 2023. They exploited CVE-2023-46805 and CVE-2024-21887 to deploy a suite of malware, including ZIPLINE (a passive backdoor), THINSPOOL (a dropper), LIGHTWIRE (a web shell), and WARPWIRE (a credential harvester). This actor also leveraged tools like PySoxy and BusyBox for post-exploitation activities and used a compromised network of Cyberoam appliances to facilitate their operations.

Looking Ahead

Conducting regular vulnerability assessments and penetration tests is an essential component of any robust cybersecurity strategy. By simulating real-world attack scenarios, these tests can uncover security gaps before malicious actors exploit them. Furthermore, implementing advanced logging and monitoring systems can provide the necessary visibility to detect and respond to attacks in real time.

Silent Breach provides specialized services to help organizations identify and address vulnerabilities like CVE-2025-0282. Our penetration testing teams simulate sophisticated attacks to identify weaknesses, while our SOC monitoring solutions enable continuous threat detection and rapid incident response. For organizations navigating compliance requirements, our expertise ensures alignment with standards such as ISO 27001 and SOC 2.

For more information on how your organization may be impacted by CVE-2025-0282 or for additional guidance, please contact Silent Breach at contact@silentbreach.com.

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.