A newly discovered vulnerability in Ivanti Connect Secure VPN systems, tracked as CVE-2025-0282, has been actively exploited by hackers to deploy custom malware. This critical security flaw affects older versions of Ivanti's VPN appliances, including Connect Secure, Policy Secure, and Neurons for ZTA gateways. Despite the wide impact, Ivanti has clarified that the attacks are currently limited to a small number of customers.
The flaw is a stack-based buffer overflow that attackers can trigger with specially crafted requests to breach systems. Mandiant, a leading cybersecurity firm, reported that the breaches began in December 2024. Hackers used the flaw to access the compromised devices, disabled important security settings, and installed malicious software.
New Malware Families Identified
During the investigation, two new malware families, Dryhook and Phasejam, were discovered on infected systems. There is no established connection between these malware families and any known hacking groups. In addition, the attackers used a toolkit named Spawn, which is also used by suspected Chinese espionage groups.
- Dryhook: This malware captures login credentials, such as usernames and passwords, during the authentication process.
- Phasejam: A dropper that installs malicious web shells, allowing hackers to execute commands remotely.
How the Attack Works
The attack process involves several steps:
1. Identifying Targets: Hackers scan devices with specially crafted HTTP requests to identify vulnerable systems.
2. Exploitation: They exploit the CVE-2025-0282 flaw to bypass security.
3. Malware Deployment: Once inside, they disable protections, modify system files, and install tools such as backdoors and tunneling utilities.
4. Data Theft: They steal sensitive information, including session details and credentials. This data is often archived and staged for transfer via public servers.
5. Maintaining Access: Hackers alter the upgrade process so that their changes persist even after system updates.
When the vulnerability was disclosed, more than 3,600 Ivanti VPN devices were exposed online. Although the number decreased to around 2,800 after the software patch was released, most systems are still exposed to this threat.
What Can Be Done?
To defend against this threat, Ivanti advises doing the following:
- Update Software: Install the latest version of Ivanti Connect Secure, version 22.7R2.5 or newer.
- Factory Reset: Reset the device to factory settings to wipe any malware from it.
- Monitor for Signs of Attack: Use the IoCs and detection rules shared by Mandiant to identify malicious activity.
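The first of these steps, checking whether each appliance runs 22.7R2.5 or newer, is easy to get wrong with a plain string comparison (for example, "22.7R2.10" sorts below "22.7R2.5" as text). The following script is an added example, not code from Ivanti or from the original article: it parses Ivanti-style version strings numerically and triages a constructed inventory against the minimum fixed version the article names. The `MAJOR.MINOR R RELEASE [.PATCH]` layout is an assumption based on that single version string, the hostnames are made up, and the check covers only the Connect Secure version quoted above; Policy Secure and ZTA gateways have their own fixed versions that the article does not list.

```python
import re

# Minimum fixed Ivanti Connect Secure version named in the advice above.
MIN_FIXED = "22.7R2.5"

# Assumed layout: MAJOR.MINOR R RELEASE [.PATCH], e.g. 22.7R2.5 or 22.7R2
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse an Ivanti-style version string into (major, minor, release, patch).

    A missing patch component is treated as 0. Raises ValueError on
    anything that does not match the assumed layout.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_patched(version: str, minimum: str = MIN_FIXED) -> bool:
    """True if `version` is at or above the minimum fixed build.

    Comparing tuples of integers avoids the lexical trap where
    '22.7R2.10' would sort below '22.7R2.5' as plain strings.
    """
    return parse_version(version) >= parse_version(minimum)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host -> version inventory into patched / unpatched / unknown.

    Hosts whose version string cannot be parsed land in 'unknown' so they
    are reviewed by hand instead of being silently treated as safe.
    """
    result: dict[str, list[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "patched" if is_patched(version) else "unpatched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    for hosts in result.values():
        hosts.sort()
    return result


# Constructed sample inventory: hostnames and version values are made up.
SAMPLE_INVENTORY = {
    "vpn-hq-1": "22.7R2.5",     # exactly the minimum fixed build
    "vpn-hq-2": "22.7R2.4",     # one patch level short
    "vpn-branch": "22.7R2.10",  # newer than minimum despite sorting lower as text
    "vpn-lab": "22.6R2.3",      # older minor release
    "vpn-bad": "unknown",       # unparseable, needs manual review
}


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed `triage()` the host-to-version map from your own asset inventory; anything in the `unpatched` or `unknown` buckets is a candidate for the factory reset and IoC sweep described above.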
Why it Matters
This incident underlines how essential it is for organizations to take their cybersecurity seriously. Attackers have become highly sophisticated, stealing the most sensitive data from widely used systems such as VPNs. Businesses need to stay alert, keep their systems updated, and revise their security policies regularly to curb these threats.