Ivanti Connect Secure VPN Faces New Zero-Day Security Threat

On Wednesday, January 8, 2025, Ivanti informed its customers about two security vulnerabilities, CVE-2025-0282 and CVE-2025-0283, which have been patched in the company's Connect Secure VPN (ICS) devices.
Information about CVE-2025-0282
Vulnerability ID: CVE-2025-0282
Severity Level: Critical
CVSSv3 Score: 9.0
General Description: A stack-based buffer overflow that allows an unauthenticated remote attacker to execute arbitrary code.
Affected Versions:
Ivanti Connect Secure versions prior to 22.7R2.5
Ivanti Policy Secure versions prior to 22.7R1.2
Ivanti Neurons for ZTA gateways versions prior to 22.7R2.3
Attack Campaign Related to CVE-2025-0282
Mandiant, which investigated these attacks, attributed the exploitation to China-linked threat actors and believes that exploitation of CVE-2025-0282 began in mid-December 2024. The attackers deployed malware from the Spawn family, believed to be used by a China-linked espionage group tracked as UNC5337.
The Spawn malware family includes the SpawnAnt installer, SpawnMole tunneler, and an SSH backdoor named SpawnSnail.
Additionally, in attacks related to the exploitation of CVE-2025-0282, security experts also discovered two previously unknown malware families, named DryHook and PhaseJam. These malware families have not yet been linked to any known threat group.
Exploitation Method
The exploitation of CVE-2025-0282 is typically carried out through the following steps:
Disable SELinux
Prevent syslog from being sent out
Remount the drive with read-write permissions
Create a script
Execute the script
Deploy one or more web shells
Use sed to delete specific entries from the debug log and application log
Re-enable SELinux
Remount the drive
Disabling Defense Systems
Immediately after a successful exploit, the attacker disables SELinux, uses iptables to block syslog from being sent out, and remounts the root partition read-write so that malware can be written to the device.

Figure 1. Command used to disable defense systems
Preparing Malware
The attacker echoes a base64-encoded script into /tmp/.t, then sets execution permissions on this file.

Figure 2. Content of file /tmp/.t
Next, the attacker writes a base64-encoded ELF binary into /tmp/svb. This first ELF binary uses setuid to set the process owner to root, then executes /tmp/s (PHASEJAM), which inherits the root privileges of the parent process. The attacker then uses dd to overwrite the svb file with zeros and deletes /tmp/.t.

Figure 3. Commands to create malicious script on the system
PHASEJAM Malware
PHASEJAM is a dropper written as a malicious bash shell script that modifies components of the Ivanti Connect Secure device. The main functions of PHASEJAM are to insert a web shell into the getComponent.cgi and restAuth.cgi files, block system upgrades by modifying the DSUpgrade.pm file, and overwrite the remotedebug executable to execute arbitrary commands.
Webshell Feature
PHASEJAM inserts a web shell into legitimate files getComponent.cgi and restAuth.cgi as a function named AccessAllow(). The web shell is Perl-based and provides attackers with remote access and code execution capabilities on the compromised ICS server. It uses the MIME::Base64 module to encode and decode commands and data.
Patch Update Blocking Feature
To block patch updates, PHASEJAM inserts a malicious processUpgradeDisplay() function into the /home/perl/DSUpgrade.pm file. This function spoofs the 13-step upgrade process: when an administrator starts an upgrade, it renders a visual update interface that walks through each step, simulating an upgrade that is in fact not taking place.
Remotedebug Hooking Feature
PHASEJAM renames the /home/bin/remotedebug file to remotedebug.bak. PHASEJAM writes a new shell script /home/bin/remotedebug to hook calls to remotedebug. This shell script checks for a new -c parameter that allows the web shell to execute remote code. All other parameters are passed through remotedebug.bak.
Anti-forensics Techniques
After exploitation, the attacker deleted evidence from the device to hide traces of the intrusion:
Delete kernel messages using dmesg and delete debug logs generated during exploitation
Delete troubleshoot information packages (state backups) and any core dumps created from crashed processes
Delete application event logs related to syslog errors, internal ICT errors, crashes, and certificate handling errors
Delete the history of executed commands from the SELinux audit log

Figure 4. Commands in the malicious script to delete specific logs on the system
Malware Persistence Techniques During System Upgrades
Security experts identified two techniques used by attackers to maintain activity through system upgrades on compromised Ivanti Connect Secure devices.
Fake System Upgrades
The first technique, used by PHASEJAM malware, prevents ICS system upgrade actions by administrators by displaying a fake upgrade progress bar while silently blocking legitimate upgrade processes. Since the upgrade is effectively blocked, this technique ensures that the attacker's backdoor and tools remain on the system.
Persistence During Upgrade
SPAWNANT is malware that can persist throughout the system upgrade process. It hijacks the execution flow of dspkginstall, a binary used during system upgrades, by exporting a malicious snprintf function containing a persistence mechanism.
Unlike the above method, SPAWNANT does not block the upgrade process. It persists through the upgrade by ensuring itself and its components are moved to the new upgrade partition (mounted on /tmp/data/ during a valid system upgrade).
Malware Activities After Successful Exploitation
Establishing Tunnels for C2 Server Communication
After successfully exploiting a device, the attacker uses various tunnels to create communication channels between the compromised device and the C2 server. These tunnels allow the attacker to bypass network security measures and facilitate further lateral movement into the victim's system.
One of the tunnels in this campaign is SPAWNMOLE, a tunneler injected into the web process. It hooks the accept function of the web process to inspect incoming connections: traffic identified as originating from the attacker is forwarded to a specific server under the attacker's control, while normal traffic is forwarded to the legitimate web server.
Internal Network Scanning
The attackers used several tools for internal network scanning, including nmap and dig, which are built into the ICS device. Where an LDAP service account was configured, they also used it to perform LDAP queries. The LDAP service accounts are also believed to have been used for lateral movement within the network, including to Active Directory servers, via SMB or RDP.
Stealing Device Database Cache
The attacker archives the compromised device's database cache and stages it in a publicly accessible web directory in order to exfiltrate it. The database cache may contain information related to VPN sessions, session cookies, API keys, certificates, and credential documents.
Credential Harvesting
Security experts observed that the attacker deployed a Python script named DRYHOOK to steal login credentials. The malware is designed to modify a system component named DSAuth.pm belonging to Ivanti Connect Secure to collect information about successful authentications.
List of IOCs involved in the campaign
| Code Family | Filename | Description |
|---|---|---|
| DRYHOOK | n/a | Credential theft tool |
| PHASEJAM | /tmp/s | Web shell dropper |
| PHASEJAM Webshell | /home/webserver/htdocs/dana-na/jam/getComponent.cgi | Web shell |
| PHASEJAM Webshell | /home/webserver/htdocs/dana-na/auth/restAuth.cgi | Web shell |
| SPAWNSNAIL | /root/home/lib/libsshd.so | SSH backdoor |
| SPAWNMOLE | /root/home/lib/libsocks5.so | Tunneler |
| SPAWNANT | /root/lib/libupgrade.so | Installer |
| SPAWNSLOTH | /tmp/.liblogblock.so | Log tampering utility |
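A host-side check for the artefacts described in this report, added here as an example (it is not a tool from the original report, from Ivanti or from Mandiant): it looks for the IOC file paths above, for the AccessAllow() web shell function and the processUpgradeDisplay() hook in the legitimate files PHASEJAM modifies, and for a shell-script wrapper in place of /home/bin/remotedebug. The sample tree it scans is constructed in a temporary directory; the assumption that a clean remotedebug does not start with a `#!` shebang is the example's own.

```python
import tempfile
from pathlib import Path
# Indicators assembled from the IOC table and the PHASEJAM section of this report
# (example code; not a tool from the original report, Ivanti or Mandiant).
IOC_PATHS = ["tmp/s", "tmp/.liblogblock.so", "root/home/lib/libsshd.so",
             "root/home/lib/libsocks5.so", "root/lib/libupgrade.so",
             "home/bin/remotedebug.bak", "home/perl/DSUpgrade.pm.bak"]
# Legitimate files PHASEJAM modifies, with the string each should never contain.
TAMPER_MARKERS = [
    ("home/webserver/htdocs/dana-na/jam/getComponent.cgi", "sub AccessAllow()"),
    ("home/webserver/htdocs/dana-na/auth/restAuth.cgi", "sub AccessAllow()"),
    ("home/perl/DSUpgrade.pm", "processUpgradeDisplay")]

def scan(root):
    """Return findings for a filesystem tree rooted at `root` (e.g. a mounted image)."""
    root, findings = Path(root), []
    findings += [f"ioc-path:/{rel}" for rel in IOC_PATHS if (root / rel).exists()]
    for rel, marker in TAMPER_MARKERS:
        if (root / rel).is_file() and marker in (root / rel).read_text(errors="replace"):
            findings.append(f"tampered:/{rel}")
    # PHASEJAM replaces the remotedebug executable with a shell-script wrapper (assumed shebang).
    remotedebug = root / "home/bin/remotedebug"
    if remotedebug.is_file() and remotedebug.read_bytes().startswith(b"#!"):
        findings.append("hooked:/home/bin/remotedebug")
    return findings

def build_sample_tree(root, infected):
    """Constructed sample tree: a clean ICS-like layout, optionally with PHASEJAM artefacts."""
    root = Path(root)
    for rel, _ in TAMPER_MARKERS:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("#!/usr/bin/perl\nsub main { }\n")
    (root / "home/bin").mkdir(parents=True, exist_ok=True)
    (root / "home/bin/remotedebug").write_bytes(b"\x7fELF stand-in binary")
    if infected:
        for rel, marker in TAMPER_MARKERS:   # simulate the injected functions
            with open(root / rel, "a") as fh:
                fh.write("\n" + marker + " { }\n")
        (root / "home/bin/remotedebug").rename(root / "home/bin/remotedebug.bak")
        (root / "home/bin/remotedebug").write_text("#!/bin/sh\n# stand-in wrapper\n")
        (root / "tmp").mkdir(exist_ok=True)
        (root / "tmp/s").write_text("#!/bin/sh\n# stand-in dropper\n")

def demo():
    results = {}   # scan a constructed clean tree and a constructed infected tree
    for label, infected in (("clean", False), ("infected", True)):
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp, infected)
            results[label] = scan(tmp)
    return results
```

Point scan() at the mount point of a device image to run it against real data; a clean tree yields no findings, while the constructed infected tree reports both IOC paths, all three tampered files and the hooked remotedebug.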
YARA rules
rule M_APT_Installer_SPAWNSNAIL_1
{
    meta:
        author = "Mandiant"
        description = "Detects SPAWNSNAIL. SPAWNSNAIL is an SSH backdoor targeting Ivanti devices. It has an ability to inject a specified binary to other process, running local SSH backdoor when injected to dsmdm process, as well as injecting additional malware to dslogserver"
        md5 = "e7d24813535f74187db31d4114f607a1"
    strings:
        $priv = "PRIVATE KEY-----" ascii fullword
        $key1 = "%d/id_ed25519" ascii fullword
        $key2 = "%d/id_ecdsa" ascii fullword
        $key3 = "%d/id_rsa" ascii fullword
        $sl1 = "[selinux] enforce" ascii fullword
        $sl2 = "DSVersion::getReleaseStr()" ascii fullword
        $ssh1 = "ssh_set_server_callbacks" ascii fullword
        $ssh2 = "ssh_handle_key_exchange" ascii fullword
        $ssh3 = "ssh_add_set_channel_callbacks" ascii fullword
        $ssh4 = "ssh_channel_close" ascii fullword
    condition:
        uint32(0) == 0x464c457f and $priv and any of ($key*)
        and any of ($sl*) and any of ($ssh*)
}

rule M_APT_Installer_SPAWNANT_1
{
    meta:
        author = "Mandiant"
        description = "Detects SPAWNANT. SPAWNANT is an Installer targeting Ivanti devices. Its purpose is to persistently install other malware from the SPAWN family (SPAWNSNAIL, SPAWNMOLE) as well as drop additional webshells on the box."
    strings:
        $s1 = "dspkginstall" ascii fullword
        $s2 = "vsnprintf" ascii fullword
        $s3 = "bom_files" ascii fullword
        $s4 = "do-install" ascii
        $s5 = "ld.so.preload" ascii
        $s6 = "LD_PRELOAD" ascii
        $s7 = "scanner.py" ascii
    condition:
        uint32(0) == 0x464c457f and 5 of ($s*)
}

rule M_Tunneler_SPAWNMOLE_3
{
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for strings and code identified in SPAWNMOLE samples"
        md5 = "a638fd203ddb540d0484d8e00490df06"
    strings:
        $str1 = "/proc/self/exe"
        $str2 = "/proc/%d/maps"
        $str3 = "=> encrypt buf"
        $str4 = "=> decrypt buf"
        $str5 = "%s <malformed>"
        $comparison1 = { 3C 16 74 [1] 0F B6 [2] 3C 03 74 [1] 0F B6 [2] 3C 01 0F 85 }
        $comparison2 = { 81 [2] E2 E3 49 FB 0F 85 [4] 81 [2] 61 83 C3 1B 0F 85 }
        $code1 = { 8D 55 B8 8B 45 F0 01 D0 0F B6 10 8B 4D F0 8B 45 0C 01 C8 0F
                   B6 00 31 C2 8D 4D B8 8B 45 F0 01 C8 88 10 83 45 F0 01 83 7D F0 2F 7E D4 }
        $code2 = { 81 7D E8 E2 E3 49 FB 0F 85 CD 00 00 00 81 7D E4 61 83 C3 1B }
    condition:
        uint32(0) == 0x464c457f and
        (all of ($s*)) and
        (1 of ($comparison*)) and
        (1 of ($code*))
}

rule M_Dropper_PHASEJAM_1
{
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for strings identified in the PHASEJAM dropper"
        md5 = "d18e5425ecd9608ecb992606b974e15d"
    strings:
        $str1 = "AccessAllow()"
        $str2 = "/jam/getComponent.cgi"
        $str3 = "jam/getComponent.cgi.bak"
        $str4 = "sh=$(echo CnN1Y"
        $str5 = "up=$(echo CnN1Y"
        $str6 = "grep -q 'sub AccessAllow()'"
        $str7 = "cp -f /home/bin/remotedebug /home/bin/remotedebug.bak"
        $str8 = "chmod 777 /home/bin/remotedebug.bak"
        $str9 = "cp -f /home/perl/DSUpgrade.pm /home/perl/DSUpgrade.pm.bak"
        $str10 = "pkill cgi-server"
    condition:
        8 of them and filesize < 20KB
}

rule M_Credtheft_DRYHOOK_1
{
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for strings identified in the DRYHOOK credential stealer"
        md5 = "61bb586dc4e047ab081ef6ca65684e48"
    strings:
        $str1 = "/home/perl/DSAuth.pm"
        $str2 = "replace_content"
        $str3 = "replace1_content"
        $str4 = "replace2_content"
        $str5 = "pkill cgi-server"
        $str6 = "setPrompt ="
        $str7 = "runSignin = \\*DSAuthc::RealmSignin_runSignin"
        $str8 = "/bin/mount -o remount,rw / > /dev/null 2>&1"
        $str9 = { 64 61 74 61 20 3d 20 72 65 2e 73 75 62 28 62 22
                  5c 2a 72 75 6e 53 69 67 6e 69 6e 45 42 53 4c 20 3d 2e 2a 3b 22 2c
                  62 61 73 65 36 34 2e 62 36 34 64 65 63 6f 64 65 28 72 65 70 6c 61
                  63 65 32 5f 63 6f 6e 74 65 6e 74 2e 65 6e 63 6f 64 65 28 29 29 2e 64
                  65 63 6f 64 65 28 29 2e 65 6e 63 6f 64 65 28 22 75 6e 69 63 6f 64 65
                  5f 65 73 63 61 70 65 22 29 2c 64 61 74 61 29 }
    condition:
        8 of them and filesize < 20KB
}
Recommendations
FPT Threat Intelligence recommends that organizations and individuals take the following measures to defend against this campaign:
Update patches: Apply the latest patches from Ivanti.
Use integrity checking tools (ICT): Utilize both internal and external integrity checking tools from Ivanti.
Reset the device if there are signs of successful exploitation: Restore factory settings to remove malware and ensure the device operates with software version 22.7R2.5.