Mandiant links Ivanti zero-day exploitation to Chinese hackers
Mandiant warned users to be prepared for widespread exploitation of CVE-2025-0282 as Ivanti products have become a popular target for attackers in recent years.
Mandiant connected the recent zero-day attack against Ivanti Connect Secure VPN appliances to UNC5337, the same China-nexus threat actor that was tied to the exploitation of two Ivanti zero-day flaws one year ago.
In a blog post published on Wednesday, Mandiant detailed an attack campaign involving a zero-day vulnerability, tracked as CVE-2025-0282, discovered in Ivanti Connect Secure (ICS), Ivanti Policy and ZTA Gateways. Ivanti disclosed the flaw on Wednesday and warned users that it was being exploited in the wild. Patches are available, and users are urged to apply fixes as Ivanti products have proved to be a popular target for attackers.
Mandiant said it initially observed exploitation activity for CVE-2025-0282 beginning in mid-December. After analyzing compromised ICS instances, Mandiant found a connection to UNC5337, which was involved in earlier attacks against Ivanti products.
"Mandiant has previously only observed the deployment of the SPAWN ecosystem of malware on Ivanti Connect Secure appliances by UNC5337. UNC5337 is a China-nexus cluster of espionage activity including operations that compromised Ivanti Connect Secure VPN appliances as early as Jan. 2024 and most recently as Dec. 2024. This included the Jan 2024 exploitation of CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) to compromise Ivanti Connect Secure appliances," Mandiant wrote in the blog post.
Mandiant did not specifically attribute the zero-day attacks exploiting CVE-2025-0282 to UNC5337. However, the company said the targeted deployment of SPAWN malware on Ivanti Connect Secure appliances has been attributed to UNC5337.
Mandiant also assessed with "medium confidence" that UNC5337 is part of UNC5221, another China-nexus threat group that also exploited CVE-2023-46805 and CVE-2024-21887 last year. That activity included a breach of Mitre, a not-for-profit research and development organization that's responsible for the CVE vulnerability tracking system.
Mandiant's report added that the threat actor behind the CVE-2025-0282 exploitation used credential harvesting and was able to remove evidence of exploitation by clearing kernel messages, deleting troubleshooting information packages and manipulating log entries during attacks. The threat actor also used two techniques to maintain persistence across system upgrades on compromised ICS appliances.
One technique involved the use of "PHASEJAM," a malware dropper that Mandiant warned can maliciously modify ICS appliance components.
"The first technique, utilized by PHASEJAM, prevents legitimate ICS system upgrade attempts by administrators via rendering a fake HTML upgrade progress bar while silently blocking the legitimate upgrade process. Due to the blocked upgrade attempt, the technique would allow any installed backdoors or tools left by the threat actor to persist on the current running version of the VPN while giving the appearance of a successful upgrade," the blog post said.
Based on previous attacks against Ivanti products, Mandiant warned users to "be prepared for widespread, opportunistic exploitation." Mandiant also warned that threat actors will use web shells to maintain persistence for future access on compromised ICS instances.
"Additionally, if proof-of-concept exploits for CVE-2025-0282 are created and released, Mandiant assesses it is likely additional threat actors may attempt targeting Ivanti Connect Secure appliances," the blog post said.
While Ivanti recommended using its Integrity Checker Tool to identify exploitation, Mandiant observed the threat actor leveraging evasion techniques to bypass ICT detection. However, Mandiant provided screenshots to show users what a successful scan should look like.
"Ivanti recommends that customers should run the ICT in conjunction with other security monitoring tools which have detected post-exploitation activity," the blog post said.
Mandiant said it's been working closely with Ivanti, affected customers, government partners and security vendors to address the attack campaign. So far, Ivanti said exploitation has affected a "limited number of customers."
On Wednesday, CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities catalog, giving federal agencies a deadline of Jan. 15 to address the flaw. The government agency also published an alert on Wednesday to highlight Ivanti's security advisory on CVE-2025-0282 and CVE-2025-0283, although exploitation was not observed for the latter flaw.
CISA warned users that exploitation of CVE-2025-0282 could let attackers take control of an affected system. Additionally, the agency recommended running the ICT and monitoring authentication or identity management services that could be exposed. If organizations discover compromised instances, CISA recommended disconnecting affected ICS instances, revoking keys and resetting passwords twice for on-premises accounts.
Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.