Chinese Cyberespionage Group Exploits Critical Remote Code Execution Vulnerability
Background
Researchers from Google’s Mandiant division have discovered that a critical remote code execution vulnerability, patched on Wednesday by software vendor Ivanti, has been exploited since mid-December by a Chinese cyberespionage group. The group has a history of exploiting zero-day vulnerabilities in Ivanti Connect Secure appliances: its earlier campaign, publicly reported in January 2024, had been under way since December 2023.
The Latest Attacks
The latest attacks exploit the new CVE-2025-0282 flaw, a stack-based buffer overflow that allows unauthenticated remote code execution on Connect Secure, Policy Secure and Neurons for ZTA gateways, and involved the deployment of multiple malware components from a toolkit dubbed SPAWN. Mandiant attributes the activity to a cluster it tracks as UNC5337, which it suspects is part of another group tracked as UNC5221.
UNC5221: A Suspected China-Nexus Espionage Actor
UNC5221 is a suspected China-nexus espionage actor that has exploited vulnerabilities in Ivanti Connect Secure VPN and Ivanti Policy Secure appliances since at least December 2023. Mandiant previously observed UNC5221 routing its intrusion operations through a likely operational relay box (ORB) network built from compromised Cyberoam appliances.
The SPAWN Family of Malware Tools
The SPAWN family of custom malware tools includes the SPAWNANT installer, the SPAWNMOLE tunneler, the SPAWNSNAIL SSH backdoor and the SPAWNSLOTH log-tampering utility. Alongside these known tools, the latest attacks also used two never-before-seen components: a credential harvester dubbed DRYHOOK, which captures credentials as users authenticate to the appliance, and a malware dropper called PHASEJAM.
Malware Prevents Legitimate Upgrades
In its security advisory, Ivanti directed customers to perform a factory reset on appliances before deploying the patched 22.7R2.5 version. Mandiant’s analysis suggests that this is because of the PHASEJAM dropper, which modifies multiple legitimate Connect Secure components, including the one responsible for system upgrades. PHASEJAM blocks the real upgrade and simulates a successful one in a visually convincing way, even displaying the new version number at the end of the process. The practical consequence is that the version an infected appliance reports about itself is not evidence that the patch is installed, and because SPAWNSLOTH tampers with logs, neither are the appliance’s own logs: verification has to come from outside the box, and an appliance that already shows signs of compromise should be wiped rather than upgraded in place.
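The following example, added here and not taken from Mandiant’s report or from Ivanti, illustrates the failure mode described above in miniature: a component is swapped out so the real upgrade never runs while the displayed version is bumped, and an integrity check that compares on-disk files against an off-box manifest of the claimed version catches it where the version string alone would not. The file names (etc/version, bin/upgrade, tmp/dropped_payload), the image contents and the manifest are all constructed for the example; they are not Ivanti’s real component layout and the tampering routine is not PHASEJAM.

```python
"""Why a self-reported version number proves nothing about an upgrade,
and how an off-box hash manifest catches a tampered component.

Everything below is constructed for illustration: hypothetical file
names, placeholder contents, and a toy model of the tampering behaviour
the article describes. It is not Ivanti's layout or the real malware."""
import hashlib
import tempfile
from pathlib import Path

# Two constructed "appliance images". Only the upgrade component differs
# between builds, so the manifests differ in exactly one entry.
IMAGES = {
    "22.7R2.4": {
        "etc/version": "22.7R2.4\n",
        "bin/upgrade": "#!/bin/sh\n# genuine upgrade routine, build 22.7R2.4 (placeholder)\nexec /bin/true\n",
    },
    "22.7R2.5": {
        "etc/version": "22.7R2.5\n",
        "bin/upgrade": "#!/bin/sh\n# genuine upgrade routine, build 22.7R2.5 (placeholder)\nexec /bin/true\n",
    },
}

# Known-good manifests, computed from the pristine images. In practice this
# comes from the vendor or a clean install and is stored OFF the appliance:
# a checker that trusts on-box data is only as honest as the box it runs on.
MANIFESTS = {
    version: {rel: hashlib.sha256(content.encode()).hexdigest() for rel, content in files.items()}
    for version, files in IMAGES.items()
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_tree(root: Path, files: dict) -> None:
    """Lay an image down on disk (a genuine upgrade replaces every component)."""
    for rel, content in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(content.encode())


def simulate_fake_upgrade(root: Path, new_version: str) -> None:
    """Toy model of the described behaviour: replace the upgrade component so
    the real upgrade never runs, drop an extra file, and bump the version the
    UI displays. Constructed for the example, not real malware."""
    (root / "bin/upgrade").write_bytes(
        f"#!/bin/sh\n# tampered: pretend to upgrade, then report success\necho 'Upgrade to {new_version} complete'\nexec /bin/true\n".encode()
    )
    (root / "tmp").mkdir(exist_ok=True)
    (root / "tmp/dropped_payload").write_bytes(b"placeholder for a dropped component\n")
    (root / "etc/version").write_bytes(f"{new_version}\n".encode())


def reported_version(root: Path) -> str:
    """What the appliance says about itself. Untrusted input, nothing more."""
    return (root / "etc/version").read_bytes().decode().strip()


def verify(root: Path, manifest: dict) -> list:
    """Compare the on-disk tree with the manifest of the version it claims.
    Returns (path, problem) pairs: modified or missing manifest entries first,
    then files present on disk that the manifest does not know about."""
    findings = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            findings.append((rel, "missing"))
        elif sha256_file(p) != expected:
            findings.append((rel, "modified"))
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.relative_to(root).as_posix() not in manifest:
            findings.append((p.relative_to(root).as_posix(), "unexpected"))
    return findings


def run_scenario(tamper: bool) -> dict:
    """Start from 22.7R2.4, then either apply a genuine 22.7R2.5 image or let
    the toy tamperer fake the upgrade; check the box against the manifest of
    whatever version it now claims to be."""
    with tempfile.TemporaryDirectory() as tmp:
        box = Path(tmp)
        write_tree(box, IMAGES["22.7R2.4"])
        if tamper:
            simulate_fake_upgrade(box, "22.7R2.5")
        else:
            write_tree(box, IMAGES["22.7R2.5"])
        claimed = reported_version(box)
        return {"claimed": claimed, "findings": verify(box, MANIFESTS[claimed])}


if __name__ == "__main__":
    for label, tamper in (("genuine upgrade", False), ("faked upgrade", True)):
        result = run_scenario(tamper)
        print(f"{label}: appliance claims {result['claimed']}, findings: {result['findings'] or 'none'}")
```

Both scenarios end with the appliance claiming 22.7R2.5; only the manifest comparison tells them apart. The manifest lookup is keyed on the claimed version deliberately: the point is not to distrust the string, but to refuse to let it be the whole check.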
Conclusion
The exploitation of CVE-2025-0282 by a Chinese cyberespionage group underlines that patching an edge appliance is only half the job: the same actors have targeted Ivanti gateways since late 2023, and their tooling is built to survive the remediation step by faking the upgrade and scrubbing the logs. Timely patching matters, but so does verifying from outside the appliance that the patch actually took, and treating any appliance that shows signs of compromise as something to rebuild rather than repair.
FAQs
Q: What is the CVE-2025-0282 flaw?
A: CVE-2025-0282 is a critical stack-based buffer overflow in Ivanti Connect Secure, Policy Secure and Neurons for ZTA gateways that allows unauthenticated remote code execution. Ivanti patched it on Wednesday in Connect Secure version 22.7R2.5.
Q: Who is responsible for the exploitation of this flaw?
A: Researchers from Google’s Mandiant division believe that a Chinese cyberespionage group, tracked as UNC5337 and suspected to be related to UNC5221, is responsible for the exploitation of this flaw.
Q: What is the SPAWN family of malware tools?
A: The SPAWN family of custom malware tools includes the SPAWNANT installer, the SPAWNMOLE tunneler, the SPAWNSNAIL SSH backdoor and the SPAWNSLOTH log-tampering utility. The latest attacks also introduced two new tools outside that family: the DRYHOOK credential harvester and the PHASEJAM dropper.
Q: Why did Ivanti recommend a factory reset on appliances before deploying the patched version?
A: Ivanti recommended a factory reset because of the PHASEJAM dropper, which modifies legitimate Connect Secure components, blocks the real upgrade and fakes a successful one, complete with the new version number. An upgrade run on top of a compromised appliance therefore cannot be trusted to have removed the implant; only a wipe and a clean install of 22.7R2.5 can.
Q: What can organizations do to prevent similar attacks?
A: Apply 22.7R2.5 promptly, and verify from outside the appliance that it is actually running, rather than trusting the version the device reports or its own logs. Factory-reset any appliance that shows signs of compromise before reinstalling. Because DRYHOOK harvests credentials at login, treat credentials used through a compromised appliance as exposed and rotate them. Finally, monitor the surrounding network for the tunneling and SSH backdoor activity the SPAWN tools provide, since the appliance itself may no longer be a reliable witness.