Other

Ivanti Connect Secure zero-day CVE-2025-0282 exploited by UNC5221 (China-nexus)

📅 2024-12-15 🏢 Ivanti Connect Secure VPN / Ivanti Policy Secure / Ivanti ZTA Gateways 🦠 SPAWN ecosystem (SPAWNANT installer, SPAWNMOLE tunneller, SPAWNSNAIL SSH backdoor, SPAWNSLOTH log tamper tool) 🔎 CVE-2025-0282 · CVE-2025-0283
Primary Source ↗

Incident Details

CVE-2025-0282 is an unauthenticated stack-based buffer overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways that enables remote code execution on the appliance. Mandiant identified zero-day exploitation beginning in mid-December 2024 and attributed it to UNC5337, a cluster it assesses to be part of UNC5221, a suspected China-nexus espionage actor. Ivanti disclosed the flaw on 8 January 2025 together with a patched Connect Secure release; fixes for Policy Secure and ZTA Gateways followed later in January. The observed post-exploitation chain was: disable SELinux, block syslog forwarding, remount the filesystem read-write, drop webshells, strip the relevant entries from the debug and application logs, re-enable SELinux and remount read-only, then deploy the SPAWN malware ecosystem. Because the attackers deliberately remove their own log entries, on-box log review alone is not sufficient evidence of a clean appliance; Ivanti advised running the external Integrity Checker Tool and factory-resetting appliances that showed signs of compromise. More than 33,000 Internet-exposed ICS instances were counted at the time of disclosure. CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities catalog. Earlier campaigns attributed to UNC5221 exploited CVE-2023-46805 and CVE-2024-21887 in December 2023. CVE-2025-0283, disclosed the same day, is a separate stack-based buffer overflow that a locally authenticated attacker can use to escalate privileges.
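
The post-exploitation chain above is more reliable as a detection target than any single command, because each step on its own (a remount, a SELinux toggle) has legitimate administrative uses. The following detector, added here as an example and not code from Ivanti, Mandiant or the page's source, tags shell-command log lines with the chain stage they implement and raises an alert only when several distinct stages occur on one host inside a time window. The log line format (`timestamp host cmd=...`), the sample lines, the `dana-na` web-root path and the regular expressions for each stage are assumptions constructed for illustration; adapt them to whatever command auditing you actually forward off the appliance before the attacker disables forwarding.

```python
"""Stage-sequence detector for the CVE-2025-0282 post-exploitation chain.

Added example, not vendor or incident-report code. Log format, sample lines
and per-stage patterns are assumptions; tune them to your own telemetry.
"""
import re
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    host: str
    cmd: str


class Alert(NamedTuple):
    host: str
    first_seen: datetime
    last_seen: datetime
    stages: frozenset


# Assumed line layout: "<ISO-8601 UTC timestamp> <host> cmd=<shell command>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+cmd=(?P<cmd>.*)$")

# One regex per stage of the reported chain. These are generic Linux idioms for
# each step, not observed attacker strings; they are assumptions for the example.
STAGES = {
    "selinux_disabled": re.compile(r"\bsetenforce\s+0\b|echo\s+0\s*>\s*/sys/fs/selinux/enforce"),
    "syslog_forwarding_blocked": re.compile(r"\b(iptables|nft)\b.*\b514\b|\b(pkill|killall|kill)\b.*syslog"),
    "fs_remounted_rw": re.compile(r"\bmount\b.*remount.*\brw\b"),
    # dana-na is assumed here as the web root where a dropped CGI would land.
    "webshell_dropped": re.compile(r"\b(cp|mv|cat|echo|printf|curl|wget|tee)\b.*(cgi-bin|dana-na|\.cgi\b|\.pl\b)"),
    "logs_tampered": re.compile(r"\bsed\s+-i\b.*log|\btruncate\b.*log|>\s*\S*log\b"),
    "selinux_reenabled": re.compile(r"\bsetenforce\s+1\b"),
}


def parse_line(line: str):
    """Return an Event for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, m.group("host"), m.group("cmd"))


def tag_stages(cmd: str) -> list:
    """List every chain stage whose pattern matches this command."""
    return [name for name, rx in STAGES.items() if rx.search(cmd)]


def detect_chain(lines, window_seconds: int = 3600, min_stages: int = 3) -> list:
    """Alert once per host when >= min_stages distinct stages fall inside a window.

    A single matching command never alerts; the signal is the combination.
    """
    window = timedelta(seconds=window_seconds)
    by_host: dict = {}
    for ev in filter(None, (parse_line(l) for l in lines)):
        stages = tag_stages(ev.cmd)
        if stages:
            by_host.setdefault(ev.host, []).append((ev.ts, stages))

    alerts = []
    for host, tagged in by_host.items():
        tagged.sort(key=lambda t: t[0])
        for i, (start, _) in enumerate(tagged):
            seen, end = set(), start
            for ts, stages in tagged[i:]:
                if ts - start > window:
                    break
                seen.update(stages)
                end = ts
            if len(seen) >= min_stages:
                alerts.append(Alert(host, start, end, frozenset(seen)))
                break  # one alert per host is enough to trigger triage
    return alerts


# Constructed sample: ics-edge-1 shows the full chain; ics-edge-2 is a benign
# remount by an administrator and must not alert.
SAMPLE_LOG = """\
2024-12-15T03:12:01Z ics-edge-1 cmd=setenforce 0
2024-12-15T03:12:04Z ics-edge-1 cmd=iptables -A OUTPUT -p udp --dport 514 -j DROP
2024-12-15T03:12:09Z ics-edge-1 cmd=mount -o remount,rw /
2024-12-15T03:12:15Z ics-edge-1 cmd=cp /tmp/.x /home/webserver/htdocs/dana-na/auth/compcheck.cgi
2024-12-15T03:12:22Z ics-edge-1 cmd=sed -i '/compcheck/d' /var/log/debuglog
2024-12-15T03:12:30Z ics-edge-1 cmd=setenforce 1
2024-12-15T09:40:00Z ics-edge-2 cmd=mount -o remount,rw /
2024-12-15T09:41:10Z ics-edge-2 cmd=ls -la /home
"""

if __name__ == "__main__":
    for a in detect_chain(SAMPLE_LOG.splitlines()):
        print(f"{a.host}: {len(a.stages)} stages between {a.first_seen} and {a.last_seen}")
        print("  " + ", ".join(sorted(a.stages)))
```

The window and `min_stages` thresholds are the tuning knobs: the reported chain executes in seconds, so a tight window with three or more stages keeps false positives from routine maintenance low, while the benign single remount on `ics-edge-2` never reaches the threshold. Since the attackers blocked syslog forwarding as their second step, this logic only has data to work with if command auditing is shipped off-box in near real time or collected from a forensic image.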

Technical Details

Initial Attack Vector
CWE-121: Stack-based Buffer Overflow (CVE-2025-0282: unauthenticated stack-based buffer overflow enabling RCE)
Vendor / Product
Ivanti Connect Secure VPN / Ivanti Policy Secure / Ivanti ZTA Gateways
Malware Family
SPAWN ecosystem (SPAWNANT installer, SPAWNMOLE tunneller, SPAWNSNAIL SSH backdoor, SPAWNSLOTH log tamper tool)
CVE / GHSA References
CVE-2025-0282 CVE-2025-0283

Timeline

  1. 2024-12-15 Breach occurred
  2. 2025-01-08 Publicly disclosed
  3. 2025-01-08 Customers notified