The suspected China-nexus threat actor UNC5337 has struck again, exploiting a new critical vulnerability in Ivanti Connect Secure (ICS) devices. This latest attack comes almost exactly one year after the group's previous exploitation of Ivanti systems.
The newly discovered vulnerability, tracked as CVE-2025-0282, is a stack-based buffer overflow that allows an unauthenticated remote attacker to execute code on the appliance. Rated 9.0 out of 10 on the Common Vulnerability Scoring System (CVSS), the flaw affects ICS, Policy Secure, and Neurons for Zero Trust Access (ZTA) gateways.
According to security researchers at Mandiant, UNC5337 began exploiting this vulnerability in mid-December 2024, deploying its signature "Spawn" malware family. This includes SpawnAnt, the installer that persists the other components; SpawnMole, a tunneler used to relay attacker traffic; SpawnSnail, an SSH backdoor; and SpawnSloth, which tampers with the appliance's logs.
Two additional pieces of malware were discovered on compromised systems: DryHook, which harvests user credentials as they are submitted to the appliance, and PhaseJam, a dropper that gives the attacker remote command execution and blocks legitimate system upgrades, showing administrators a fake upgrade progress screen so that the compromise survives what looks like a successful patch.
The Shadowserver Foundation reports that over 2,000 Internet-exposed ICS instances may be vulnerable, with the highest concentrations in the United States, France, and Spain.
Ivanti has released a patched ICS build (22.7R2.5), with fixes for Policy Secure and ZTA gateways scheduled for January 21. The company recommends that customers run its Integrity Checker Tool (ICT) to detect potential compromises, apply the patch immediately, and factory reset any appliance on which the ICT finds evidence of compromise before returning it to service.
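A practical first step for a team with many appliances is to separate "still on a vulnerable build" from "compromise status unknown", since patching and the ICT answer different questions. The Python below is an added example, not Ivanti's tool or code from Mandiant; it assumes Ivanti's "MAJOR.MINOR R<release>.<patch>" version string format (e.g. 22.7R2.5, the fixed ICS release named in Ivanti's advisory), and the hostnames, versions and ICT results in the sample inventory are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Fixed ICS build for CVE-2025-0282 per Ivanti's January 2025 advisory.
FIXED_ICS_VERSION = "22.7R2.5"

# Assumption: Ivanti version strings look like "22.7R2.5" (patch optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn '22.7R2.5' into (22, 7, 2, 5) so builds compare numerically.

    A missing patch component ('22.7R2') is treated as patch 0. Comparing
    raw strings is a classic mistake: '22.7R2.10' < '22.7R2.5' as text,
    but it would be the newer build.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised ICS version string: {version!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def needs_patch(version: str, fixed: str = FIXED_ICS_VERSION) -> bool:
    """True when the appliance runs anything older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


class Host(NamedTuple):
    name: str
    version: str
    ict_clean: Optional[bool]  # None = Integrity Checker Tool not run yet


def triage(inventory: list) -> dict:
    """Bucket appliances by the responder's next action.

    'patch'       - below the fixed build, needs the upgrade
    'run_ict'     - ICT has not been run, so compromise status is unknown
    'investigate' - ICT reported a mismatch; treat as potentially compromised
    A host can land in more than one bucket: being patched says nothing
    about whether it was already compromised.
    """
    buckets = {"patch": [], "run_ict": [], "investigate": []}
    for host in inventory:
        if needs_patch(host.version):
            buckets["patch"].append(host.name)
        if host.ict_clean is None:
            buckets["run_ict"].append(host.name)
        elif host.ict_clean is False:
            buckets["investigate"].append(host.name)
    return buckets


# Constructed sample inventory (hostnames, versions and ICT results are made up).
SAMPLE_INVENTORY = [
    Host("vpn-ams-01", "22.7R2.4", True),
    Host("vpn-ams-02", "22.7R2.5", True),
    Host("vpn-sfo-01", "22.7R2.3", None),
    Host("vpn-sfo-02", "22.7R2.10", False),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```

The version check only tells you which appliances still expose the bug; the separate ICT buckets exist because an appliance that was exploited before the patch, or that PhaseJam tricked an administrator into believing was patched, will not be cleaned up by the upgrade alone.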
Arctic Wolf CISO Adam Marrè notes that while these attacks are frequent, they require sophisticated capabilities: "Just because we're seeing these often doesn't necessarily mean that they're easy to pull off — it's a highly sophisticated group that is doing this."
Security teams worldwide are now racing to assess their vulnerability status, implement patches, and investigate potential breaches, highlighting the ongoing challenges faced by cybersecurity defenders in responding to such critical threats.