Mandiant: Latest Ivanti vulns exploited by Chinese cyber spooks
Security supplier Ivanti is facing a series of breaches as two newly disclosed vulnerabilities in its products are being exploited by China-backed threat actors.
The vulnerabilities, known as CVE-2025-0282 and CVE-2025-0283, impact Ivanti’s Connect Secure, Policy Secure, and Neurons for ZTA gateway products. CVE-2025-0282 allows unauthenticated remote code execution (RCE), while CVE-2025-0283 enables a locally authenticated attacker to escalate their privileges.
CVE-2025-0282 is a zero-day vulnerability and has been added to CISA’s Known Exploited Vulnerabilities catalogue. The NCSC in the UK is investigating cases of active exploitation affecting UK networks.
A limited number of users of Connect Secure appliances have been affected by CVE-2025-0282, but no users of Policy Secure or ZTA gateways have been impacted. A patch for CVE-2025-0282 is available for Connect Secure, while patches for Policy Secure and Neurons for ZTA are expected by 21 January.
Ivanti is working closely with affected customers, security partners, and law enforcement agencies to respond to the threat. It advises customers to monitor their Integrity Checker Tool (ICT) closely and apply the patch as soon as possible.
According to Google Cloud’s Mandiant, threat actors have used the vulnerabilities to deploy SPAWN malware, including SPAWNMOLE and SPAWNSNAIL. This activity has been linked to the UNC5337 threat activity cluster associated with UNC5221, a suspected China-nexus espionage group.
Mandiant’s CTO warned that threat actors may use techniques to trick administrators into thinking they have successfully upgraded systems. Users are urged to apply patches immediately, despite potential risks.
WatchTowr CEO Benjamin Harris emphasized the seriousness of the situation and advised users to pay close attention to developments. He urged users of affected appliances to pull them offline until patches are available.