CVE-2025-0282: Ivanti Connect Secure Stack Overflow Zero-Day RCE
The third Ivanti Connect Secure zero-day in 13 months — an unauthenticated stack overflow enabling pre-authentication RCE, exploited by the same Chinese APT responsible for the 2024 ArcaneDoor campaign, with CISA ordering federal disconnection within 48 hours
CVE-2025-0282 is a critical pre-authentication stack-based buffer overflow in Ivanti Connect Secure — the third zero-day in the platform in 13 months — disclosed January 8, 2025. The flaw allows an unauthenticated attacker to execute arbitrary code on the VPN gateway with root-level privileges. Mandiant confirmed active exploitation by UNC5337 (a Chinese state-sponsored cluster linked to the 2024 Ivanti campaign actor UNC5221) beginning mid-December 2024, deploying updated versions of the SPAWN malware ecosystem including a new persistence framework designed to survive factory resets.
Technical Details: Stack Overflow in the Web Component
CVE-2025-0282 is a classic stack-based buffer overflow (CWE-121) in the web component of Ivanti Connect Secure — the same network-facing service that processes VPN authentication and management traffic. An attacker sends a specifically crafted request to the web interface that causes the component to write beyond the bounds of a stack-allocated buffer, overwriting the return address and enabling control of the instruction pointer.
Because this code path is reachable without authentication — it is processed before any credential validation occurs — the attack requires only network access to the HTTPS interface of the Connect Secure appliance. This is typically port 443, which is intentionally internet-exposed for VPN client access.
UNC5337 and the SPAWN Malware Ecosystem
Mandiant's investigation of CVE-2025-0282 exploitation identified UNC5337 deploying an updated version of the SPAWN malware family — a modular persistence framework first observed in the January 2024 Ivanti campaign:
**SPAWNANT**: An installer that plants the SPAWN components and configures persistence mechanisms that survive factory resets by writing to the appliance's Trusted Platform Module (TPM) storage or equivalent persistent partitions.
**SPAWNMOLE**: A tunneler enabling persistent covert network access from the compromised appliance.
**SPAWNSNAIL**: An SSH backdoor providing authenticated access to the appliance's underlying operating system.
**DRYHOOK and PHASEJAM (new in 2025)**: Additional credential harvesting and persistence components specific to the CVE-2025-0282 campaign, not previously observed in the 2024 SPAWN deployments.
The engineering of SPAWNANT to survive factory resets — the standard remediation recommendation — represents a significant escalation in persistence sophistication over the 2024 campaign.
1. **Unauthenticated stack overflow via the web interface**: The attacker sends a crafted HTTPS request to Ivanti Connect Secure's internet-facing port 443. The stack overflow in the web component yields controlled code execution without any authentication.
2. **PHASEJAM webshell deployed**: Initial persistence is established via PHASEJAM, a webshell installer that modifies the Ivanti Connect Secure upgrade and health-check scripts so that the implant survives standard upgrade procedures.
3. **SPAWN ecosystem installed**: SPAWNANT deploys SPAWNMOLE (tunneler), SPAWNSNAIL (SSH backdoor), and DRYHOOK (credential harvester) to establish multi-layered persistence, including mechanisms designed to survive factory resets.
4. **VPN credential harvesting**: DRYHOOK intercepts authentication events on the compromised gateway, harvesting VPN credentials for every user who authenticates through the device.
5. **Covert long-term access**: The SPAWNMOLE tunneler provides covert access into the organization's internal network through the compromised VPN gateway, supporting long-term espionage without generating detectable authentication events.
Detection
Detection for CVE-2025-0282 exploitation requires device-level inspection beyond standard network monitoring:
| Artifact | Type | Detection guidance |
|---|---|---|
| ICT (Integrity Checker Tool) output showing modified or unexpected files in the Ivanti Connect Secure filesystem | Ivanti ICT — filesystem integrity | Ivanti's ICT is the primary detection mechanism; run before and after any remediation action. Understand its limitations — SPAWNANT may evade ICT by targeting persistence locations the ICT does not cover |
| Modifications to upgrade.sh or health-check scripts on the Connect Secure appliance | Ivanti Connect Secure filesystem | PHASEJAM modifies these scripts to maintain persistence across upgrades; compare file hashes against Ivanti's published firmware manifest |
| Unexpected SSH daemon activity or additional SSH keys in authorized_keys on the appliance | Ivanti Connect Secure OS — SSH configuration | SPAWNSNAIL installs an SSH backdoor; audit authorized_keys files and running processes for unexpected SSH daemon instances |
| Anomalous outbound tunneling traffic from the Ivanti Connect Secure appliance to external IPs | Network telemetry | SPAWNMOLE's tunneling traffic may appear as unusual long-lived connections from the appliance to external infrastructure; baseline normal egress traffic and alert on deviations |
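The first three rows of the table amount to one procedure: hash the appliance's script files against a known-good manifest, report anything modified or unexpected, and audit `authorized_keys` for keys that are not on an approved list. The script below is an added example written for this page, not Ivanti's ICT and not code from any of the sources it cites; the file names, the manifest format and the sample key material are constructed for illustration, and the real comparison would be run against the hashes in Ivanti's published firmware manifest.

```python
"""Added example: manifest-based file integrity check plus authorized_keys audit.
This is illustrative code, not the Ivanti Integrity Checker Tool. The paths,
manifest layout and key material below are constructed for the demo."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large firmware files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file under root against manifest (relative POSIX path -> SHA-256 hex).

    Returns sorted lists of files whose hash changed ('modified'), files absent from
    the manifest ('unexpected', e.g. a dropped webshell) and manifest entries that no
    longer exist on disk ('missing')."""
    findings: dict[str, list[str]] = {"modified": [], "unexpected": [], "missing": []}
    seen: set[str] = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                findings["unexpected"].append(rel)
            elif sha256_file(p) != expected:
                findings["modified"].append(rel)
    findings["missing"] = sorted(set(manifest) - seen)
    for key in ("modified", "unexpected"):
        findings[key].sort()
    return findings


def audit_authorized_keys(text: str, approved: set[str]) -> list[str]:
    """Return 'type blob' strings for every key in an authorized_keys file that is
    not in the approved set. Comment fields are ignored because an attacker can
    label a key anything; the key blob itself is what must match. Lines with an
    options prefix (e.g. from="...") are handled by locating the key-type token."""
    unexpected: list[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, tok in enumerate(parts)
                    if tok.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            unexpected.append(line)  # unparseable entry: surface it rather than skip it
            continue
        key = f"{parts[idx]} {parts[idx + 1]}"
        if key not in approved:
            unexpected.append(key)
    return unexpected


# Constructed sample authorized_keys content; the blobs are not real keys.
SAMPLE_AUTHORIZED_KEYS = """# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKey admin@corp
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAUnknownKey maintenance
"""
APPROVED_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKey"}


def demo_integrity_check() -> dict[str, list[str]]:
    """Build a constructed script tree, snapshot a baseline manifest, simulate an
    edited upgrade script plus a dropped file, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "upgrade.sh").write_text("#!/bin/sh\necho upgrade\n")
        (root / "bin" / "health-check.sh").write_text("#!/bin/sh\necho ok\n")
        manifest = {rel: sha256_file(root / rel)
                    for rel in ("bin/upgrade.sh", "bin/health-check.sh")}
        # Simulated tampering: a line appended to upgrade.sh and a new file dropped in.
        with (root / "bin" / "upgrade.sh").open("a") as f:
            f.write("echo tampered\n")
        (root / "bin" / "extra.sh").write_text("echo new\n")
        return check_tree(root, manifest)


if __name__ == "__main__":
    print(demo_integrity_check())
    print(audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_KEYS))
```

The baseline manifest must come from a trusted source (Ivanti's published hashes or a snapshot taken from known-clean firmware), never from the suspect device itself; a manifest generated after compromise simply blesses the implant.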
Remediation
Critical note: standard patching and factory reset may be insufficient for compromised devices.
1. **Upgrade to Ivanti Connect Secure 22.7R2.5 or later.** The patch for CVE-2025-0282 is included in Connect Secure 22.7R2.5, Policy Secure 22.7R1.2, and Neurons for ZTA Gateways 22.7R2.3. Apply it immediately to all affected appliances.
2. **Run the Ivanti Integrity Checker Tool before and after patching.** Execute the ICT to check for filesystem modifications consistent with compromise. If the ICT reports anomalies, proceed to a factory reset; do not simply apply the patch over a potentially compromised device.
3. **Perform a factory reset on devices that were internet-exposed before patching.** Ivanti and CISA recommend factory resetting any device that was internet-facing during the potential exploitation window (mid-December 2024 onward). Apply the patched firmware only after a confirmed clean reset. Because SPAWNANT was engineered to survive factory resets, contact Ivanti support for guidance on verification procedures specific to post-SPAWNANT devices.
4. **Restrict management interface exposure.** The CVE-2025-0282 attack surface is the internet-facing HTTPS port. That port is required for VPN client access, but management-plane access (CLI, admin UI) should be restricted to trusted IP ranges only via ACLs on the device.
5. **Rotate all VPN credentials and review internal access.** Rotate the credentials of every VPN user on any gateway that may have been compromised; DRYHOOK was deployed specifically for credential harvesting. Review internal network access logs for anomalous activity originating from the VPN IP segment during the compromise window.
The bottom line
CVE-2025-0282 is the third pre-authentication zero-day in Ivanti Connect Secure in 13 months, all attributed to the same Chinese APT cluster. The SPAWN malware ecosystem's evolution — now capable of surviving factory resets — demonstrates an actor that has studied and countered every standard remediation step. This pattern has shifted the Ivanti Connect Secure risk calculus: the question is not whether your device has been targeted, but whether your remediation was thorough enough to evict a persistence framework specifically engineered to survive it. Organizations that cannot achieve full confidence in appliance integrity should evaluate replacing rather than remediating.
Frequently asked questions
What is CVE-2025-0282?
CVE-2025-0282 is a stack-based buffer overflow in Ivanti Connect Secure's web component that allows an unauthenticated remote attacker to achieve remote code execution on the VPN gateway appliance. It was exploited as a zero-day by UNC5337, a Chinese state-sponsored threat actor, beginning in mid-December 2024 before Ivanti's January 2025 disclosure.
Is CVE-2025-0282 related to the 2024 Ivanti zero-days (CVE-2023-46805 / CVE-2024-21887)?
CVE-2025-0282 is a separate vulnerability from the January 2024 Ivanti zero-day chain (CVE-2023-46805 + CVE-2024-21887). However, the same Chinese APT cluster (Mandiant tracks UNC5337, linked to UNC5221 from the 2024 campaign) is responsible for exploiting both. The recurrence indicates sustained offensive investment in Ivanti Connect Secure research.
Does CVE-2025-0282 affect Ivanti VPN clients?
No. CVE-2025-0282 is a server-side vulnerability in the Ivanti Connect Secure gateway appliance. VPN client software running on endpoints is not affected. However, users who authenticated through a compromised gateway should be considered potentially exposed to credential harvesting.
Is a factory reset required, or is patching sufficient?
For devices that were internet-facing before patching, Ivanti and CISA recommend running the Ivanti Integrity Checker Tool (ICT) and, if any indicators are found, performing a factory reset before applying the patch. Applying the patch alone does not evict a threat actor who has already established persistence on the device.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
