Ivanti Zero-Day Malware: What You Need to Know


Key Points

  • The Ivanti zero-day vulnerability CVE-2025-0282 affects Ivanti Connect Secure, Policy Secure, and ZTA Gateways; it has been exploited since mid-December 2024 to deploy the Resurge malware.
  • Attackers linked to a China-nexus group use the flaw for unauthenticated remote code execution; CISA required federal agencies to patch by January 15, 2025.
  • Resurge survives reboots, which complicates removal; mitigation includes patching to version 22.7R2.5 or later and running Ivanti's Integrity Checker Tool.

Overview

A newly discovered zero-day vulnerability, CVE-2025-0282, has been found in Ivanti products including Connect Secure, Policy Secure, and ZTA Gateways. The flaw lets attackers run code on the affected appliance without logging in, which puts the whole network behind it at risk. Since mid-December 2024, attackers possibly linked to a China-nexus group have been exploiting it to install the Resurge malware, which persists across reboots.

Impact and Risks

This exploit is serious because it can lead to data theft, ransomware, and other attacks without the victim noticing. The Resurge malware is particularly troublesome: it can create backdoors and harvest credentials, which makes it hard to remove. CISA, a U.S. government agency, added the vulnerability to its Known Exploited Vulnerabilities catalog and told federal agencies to patch by January 15, 2025, which shows how urgent it is.

What You Can Do

To protect your network, update your Ivanti products to version 22.7R2.5 or later as soon as possible. You should also run Ivanti's Integrity Checker Tool to see whether you have been compromised. If it finds evidence of compromise, you may need to factory reset the appliance and change all passwords, including administrative ones. Patching alone is not enough; the goal is staying ahead of the threat.

An Unexpected Detail

One thing you might not expect is that Resurge can tamper with coreboot images, which makes cleanup harder than usual and may mean extra work to fully secure your systems.


Comprehensive Analysis of Ivanti Zero-Day Malware Vulnerability

This note provides a detailed examination of the Ivanti zero-day vulnerability, CVE-2025-0282, and its exploitation, expanding on the summary above for a thorough understanding. The analysis is grounded in recent reports from authoritative sources, including the Cybersecurity and Infrastructure Security Agency (CISA) and Ivanti, and is current as of April 1, 2025.

Background and Vulnerability Description

The vulnerability, identified as CVE-2025-0282, is a stack-based buffer overflow affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways. This flaw allows unauthenticated remote attackers to execute code, potentially compromising entire networks. Ivanti disclosed this issue on January 8, 2025, following detection of exploitation in mid-December 2024, highlighting its severity with a CVSS score of 9.0. The affected versions include Ivanti Connect Secure before 22.7R2.5, Ivanti Policy Secure before 22.7R1.2, and Ivanti Neurons for ZTA gateways before 22.7R2.3, though exploitation has primarily been observed in Connect Secure appliances.

CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities (KEV) catalog on January 8, 2025, mandating federal agencies to patch by January 15, 2025, due to active exploitation. This catalog, part of Binding Operational Directive (BOD) 22-01, underscores the vulnerability’s significant risk to federal networks, with CISA urging all organizations to prioritize remediation.

Exploitation and Threat Actor Attribution

Exploitation began in mid-December 2024, with Mandiant attributing the activity to UNC5337, a China-nexus espionage group, now merged into UNC5221. This group has a history of targeting Ivanti products, notably exploiting previous zero-days like CVE-2023-46805 and CVE-2024-21887. The current exploitation involves chaining CVE-2025-0282 with other techniques to gain initial access, execute remote code, and implant malware, facilitating post-exploitation activities such as credential harvesting and lateral movement.

Shadowserver scans identified over 900 unpatched Ivanti Connect Secure instances as vulnerable by January 13, 2025, down from over 2,000 earlier, indicating ongoing efforts but also persistent exposure. The scale of unpatched systems suggests a widespread risk, particularly for organizations with internet-facing appliances.

Associated Malware: Resurge and Related Variants

A significant development is the deployment of the Resurge malware, identified by CISA on March 28, 2025, and delivered through exploitation of CVE-2025-0282. Resurge, similar to the Spawn malware family (including SpawnChimera), exhibits advanced capabilities, including:

  • Surviving system reboots, ensuring persistence.
  • Creating web shells for ongoing access.
  • Manipulating integrity checks and coreboot images, complicating detection and removal.
  • Enabling credential harvesting, account creation, password resets, and permission escalation.

CISA’s malware analysis report, MAR-25993211.R1.V1.CLEAR, details Resurge’s behavior, noting its ability to copy web shells to the Ivanti running boot disk and manipulate coreboot images, which can undermine standard mitigation efforts. This persistence mechanism is particularly concerning, as it requires more than typical patching to evict, potentially necessitating factory resets and credential resets.

Mitigation and Patching Guidance

Ivanti released security updates addressing CVE-2025-0282, recommending an upgrade to version 22.7R2.5 or later for Connect Secure, 22.7R1.2 for Policy Secure, and 22.7R2.3 for ZTA gateways. CISA's mitigation instructions, updated on March 28, 2025, in response to Resurge, depend on whether a compromise is found:

If no compromise is found, organizations should:

  • Perform a factory reset, using an external clean image for Cloud and Virtual systems.
  • Monitor authentication and identity management services.
  • Audit privilege-level access accounts.

If compromise is detected, actions include:

  • Reporting immediately to CISA at Report@cisa.gov or (888) 282-0870, and to Ivanti.
  • Disconnecting affected products and isolating systems from enterprise resources.
  • Conducting a factory reset with an external clean image.
  • Revoking and reissuing certificates, keys, and passwords, including resetting the admin enable password, API keys, and local user passwords (e.g., Guest, HelpAssistant, DefaultAccount, System, Administrator, krbtgt); krbtgt requires two password resets because of its password history.
  • For compromised domain accounts, resetting passwords twice, revoking Kerberos tickets, cloud tokens, and disabling cloud-joined devices.

These steps align with CISA’s eviction guidance for networks affected by similar compromises, such as SolarWinds, ensuring comprehensive recovery.
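The patch guidance above reduces to one check per appliance: is the running version below the fixed version for its product? The following inventory triage script is an added example (not code from CISA or Ivanti); it parses Ivanti's <major>.<minor>R<release>[.<patch>] version format and flags rows that still need the CVE-2025-0282 fix. The hostnames and versions in the inventory are constructed sample data.

```python
import re
from typing import List, Tuple

# Fixed versions as stated in the Ivanti/CISA guidance summarised on this page.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA Gateways": "22.7R2.3",
}

# Ivanti version strings look like 22.7R2.5; the trailing patch number may be absent.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Constructed sample inventory: (hostname, product, reported version).
INVENTORY = [
    ("vpn-1.example.test", "Ivanti Connect Secure", "22.7R2.4"),
    ("vpn-2.example.test", "Ivanti Connect Secure", "22.7R2.5"),
    ("nac-1.example.test", "Ivanti Policy Secure", "22.6R1.3"),
    ("zta-1.example.test", "Ivanti Neurons for ZTA Gateways", "22.7R2"),
]


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch component counts as 0.

    Raises ValueError on anything else, so a malformed inventory row fails loudly
    instead of being silently treated as patched.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_vulnerable(product: str, version: str) -> bool:
    """True if the product is at a version below the fixed version for CVE-2025-0282."""
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def triage(inventory) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, required_version) for every row still needing the patch."""
    return [(host, product, version, FIXED_VERSIONS[product])
            for host, product, version in inventory
            if is_vulnerable(product, version)]


if __name__ == "__main__":
    for host, product, version, needed in triage(INVENTORY):
        print(f"{host}: {product} {version} -> upgrade to {needed}")
```

A version at or above the fixed release only means the appliance is no longer exposed to this bug; per the guidance above, it does not show the appliance is clean, so the Integrity Checker Tool run is still required.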

Impact and Risk Assessment

The impact is significant, with potential downstream compromise of victim networks, as noted by Mandiant. The exploitation’s nexus to nation-state actors, particularly China-linked groups, raises concerns about espionage and data exfiltration. The persistence of unpatched instances, as reported by Shadowserver, and the advanced capabilities of Resurge malware, such as coreboot manipulation, highlight the challenge of containment. Organizations, especially those with internet-facing Ivanti appliances, face heightened risks, with CISA urging immediate action to mitigate exposure.

Additional Context and Historical Perspective

This is not Ivanti’s first encounter with zero-day exploits. Previous vulnerabilities, such as CVE-2023-46805 and CVE-2024-21887, were exploited for months, impacting multiple organizations, including CISA itself, though no data theft was reported in those cases. The recurrence underscores Ivanti products as popular targets for threat actors, with a pattern of chaining vulnerabilities for maximum impact. The current exploitation, occurring almost exactly a year after prior incidents, suggests a sustained threat landscape, necessitating robust patching and monitoring practices.

Detection Resources and Reporting

For detection, CISA provides YARA rules in MAR-25993211.R1.V1.CLEAR and a SIGMA rule (AR25-087A SIGMA YAML) at /sites/default/files/2025-03/AR25-087A%20SIGMA%20YAML.pdf. Organizations are encouraged to report incidents to CISA’s 24/7 Operations Center, with malware submissions possible via Malware Nextgen at https://malware.cisa.gov. This reporting is crucial for tracking and responding to the evolving threat.

Summary Table: Key Mitigation Steps

Action               Details
Patch Application    Upgrade to Ivanti Connect Secure 22.7R2.5, Policy Secure 22.7R1.2, ZTA Gateways 22.7R2.3
Integrity Check      Run the external ICT (see Enhanced External Integrity Checking Tool)
Threat Hunting       Hunt on connected and recently connected systems
No Compromise        Factory reset (use an external clean image for Cloud/Virtual), monitor authentication services, audit access
Compromise Detected  Report to CISA (Report@cisa.gov or (888) 282-0870), disconnect, reset, isolate, revoke credentials

Conclusion

The Ivanti zero-day vulnerability, CVE-2025-0282, represents a critical threat, actively exploited since mid-December 2024, with significant implications due to Resurge malware’s persistence. Organizations must act swiftly, applying patches, conducting hunts, and, if necessary, performing comprehensive resets. This incident underscores the importance of timely patching and robust threat detection in the face of evolving nation-state threats.
