Ivanti VPN Zero-Day Exploits Target Corporate Networks with Sophisticated Malware
Hackers exploit critical vulnerabilities in Ivanti Connect Secure VPNs to deploy advanced malware, prompting urgent patching and security measures.
- A critical vulnerability (CVE-2025-0282) in Ivanti Connect Secure VPNs allows unauthenticated remote code execution and has been actively exploited since December 2024.
- Hackers have deployed previously unseen malware families, including 'Dryhook' and 'Phasejam,' as well as the 'Spawn' malware toolkit, to compromise devices and evade detection.
- The attackers, suspected to be China-linked espionage groups (UNC5337 and UNC5221), aim to steal sensitive data such as session cookies, credentials, and certificates from compromised networks.
- Ivanti has released a patched version of Connect Secure (22.7R2.5) and recommends performing a factory reset before upgrading, while patches for the other affected products will not be available until January 21, 2025.
- Security experts warn of the potential for widespread exploitation and urge organizations to prioritize patching, monitor for indicators of compromise, and implement additional security measures immediately.