CVE-2025-0282: Ivanti Connect Secure Stack Overflow Zero-Day RCE
The third Ivanti Connect Secure zero-day in 13 months, an unauthenticated stack overflow enabling pre-authentication RCE, exploited by the same Chinese APT responsible for the 2024 ArcaneDoor campaign, with CISA ordering federal disconnection within 48 hours

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2025-0282 is a critical pre-authentication stack-based buffer overflow in Ivanti Connect Secure, the third zero-day in the platform in 13 months, disclosed January 8, 2025. The flaw allows an unauthenticated attacker to execute arbitrary code on the VPN gateway with root-level privileges. Mandiant confirmed active exploitation by UNC5337 (a Chinese state-sponsored cluster linked to the 2024 Ivanti campaign actor UNC5221) beginning mid-December 2024, deploying updated versions of the SPAWN malware ecosystem including a new persistence framework designed to survive factory resets.
Technical Details: Stack Overflow in the Web Component
CVE-2025-0282 is a classic stack-based buffer overflow (CWE-121) in the web component of Ivanti Connect Secure, the same network-facing service that processes VPN authentication and management traffic. An attacker sends a specifically crafted request to the web interface that causes the component to write beyond the bounds of a stack-allocated buffer, overwriting the return address and enabling control of the instruction pointer.
Because this code path is reachable without authentication, it is processed before any credential validation occurs, the attack requires only network access to the HTTPS interface of the Connect Secure appliance. This is typically port 443, which is intentionally internet-exposed for VPN client access.
UNC5337 and the SPAWN Malware Ecosystem
Mandiant's investigation of CVE-2025-0282 exploitation identified UNC5337 deploying an updated version of the SPAWN malware family, a modular persistence framework first observed in the January 2024 Ivanti campaign:
SPAWNANT: An installer that plants the SPAWN components and configures persistence mechanisms that survive factory resets by writing to the appliance's Trusted Platform Module (TPM) storage or equivalent persistent partitions.
SPAWNMOLE: A tunneler enabling persistent covert network access from the compromised appliance.
SPAWNSNAIL: An SSH backdoor providing authenticated access to the appliance's underlying operating system.
DRYHOOK and PHASEJAM (new in 2025): Additional credential harvesting and persistence components specific to the CVE-2025-0282 campaign, not previously observed in the 2024 SPAWN deployments.
The engineering of SPAWNANT to survive factory resets, the standard remediation recommendation, represents a significant escalation in persistence sophistication over the 2024 campaign.
Unauthenticated Stack Overflow via Web Interface
Attacker sends crafted HTTPS request to Ivanti Connect Secure's internet-facing port 443. The stack overflow in the web component triggers controlled code execution without any authentication.
PHASEJAM Webshell Deployed
Initial persistence established via PHASEJAM, a webshell installer that modifies the Ivanti Connect Secure upgrade and health-check scripts to maintain persistence across standard upgrade procedures.
SPAWN Ecosystem Installed
SPAWNANT deploys SPAWNMOLE (tunneler), SPAWNSNAIL (SSH backdoor), and DRYHOOK (credential harvester) to establish multi-layered persistence including mechanisms designed to survive factory resets.
VPN Credential Harvesting
DRYHOOK intercepts authentication events on the compromised gateway, harvesting VPN credentials for all users authenticating through the device.
Covert Long-Term Access
SPAWNMOLE tunneler enables covert network access into the organization's internal network via the compromised VPN gateway, supporting long-term espionage without detectable authentication events.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Detection
Detection for CVE-2025-0282 exploitation requires device-level inspection beyond standard network monitoring:
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Remediation
Critical note: standard patching and factory reset may be insufficient for compromised devices.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2025-0282 is the third pre-authentication zero-day in Ivanti Connect Secure in 13 months, all attributed to the same Chinese APT cluster. The SPAWN malware ecosystem's evolution, now capable of surviving factory resets, demonstrates an actor that has studied and countered every standard remediation step. This pattern has shifted the Ivanti Connect Secure risk calculus: the question is not whether your device has been targeted, but whether your remediation was thorough enough to evict a persistence framework specifically engineered to survive it. Organizations that cannot achieve full confidence in appliance integrity should evaluate replacing rather than remediating.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2025-0282?
CVE-2025-0282 is a stack-based buffer overflow in Ivanti Connect Secure's web component that allows an unauthenticated remote attacker to achieve remote code execution on the VPN gateway appliance. It was exploited as a zero-day by UNC5337, a Chinese state-sponsored threat actor, beginning in mid-December 2024 before Ivanti's January 2025 disclosure.
Is CVE-2025-0282 related to the 2024 Ivanti zero-days (CVE-2023-46805 / CVE-2024-21887)?
CVE-2025-0282 is a separate vulnerability from the January 2024 Ivanti zero-day chain ([CVE-2023-46805](https://nvd.nist.gov/vuln/detail/CVE-2023-46805) + [CVE-2024-21887](https://nvd.nist.gov/vuln/detail/CVE-2024-21887)). However, the same Chinese APT cluster (Mandiant tracks UNC5337, linked to UNC5221 from the 2024 campaign) is responsible for exploiting both. The recurrence indicates sustained offensive investment in Ivanti Connect Secure research.
Does CVE-2025-0282 affect Ivanti VPN clients?
No. CVE-2025-0282 is a server-side vulnerability in the Ivanti Connect Secure gateway appliance. VPN client software running on endpoints is not affected. However, users who authenticated through a compromised gateway should be considered potentially exposed to credential harvesting.
Is a factory reset required, or is patching sufficient?
For devices that were internet-facing before patching, Ivanti and CISA recommend running the Ivanti Integrity Checker Tool (ICT) and, if any indicators are found, performing a factory reset before applying the patch. Applying the patch alone does not evict a threat actor who has already established persistence on the device.
What is PHASEJAM and how does it differ from SPAWNANT in persistence mechanism?
PHASEJAM and SPAWNANT are two distinct persistence components of the malware ecosystem deployed in the CVE-2025-0282 campaign. PHASEJAM is a webshell installer that achieves persistence by modifying Ivanti Connect Secure's upgrade and health-check scripts. Because it hooks the upgrade process itself, PHASEJAM persists across standard SFOS firmware upgrades, it reinfects the upgraded firmware when the device upgrades. SPAWNANT targets a lower-level persistence location: the device's persistent shared memory or equivalent storage region that survives even factory resets. SPAWNANT is the more sophisticated component, requiring deep knowledge of Ivanti Connect Secure's hardware and firmware architecture. Together they provide layered persistence that survives both upgrade-based and factory-reset remediation attempts.
Why has Ivanti Connect Secure been exploited by Chinese APTs three times in 13 months?
Ivanti Connect Secure is an internet-facing VPN gateway with a large installed base across US federal agencies, NATO member governments, and critical infrastructure operators, making it a high-priority intelligence collection target. From the attacker's perspective, compromising the VPN gateway provides: credential harvesting for all VPN users, persistent access into internal networks via the gateway's privileged network position, and a target that typically receives less security monitoring than endpoints and servers. The recurrence of zero-days from the same actor cluster indicates sustained offensive investment, the group maintains an ongoing vulnerability research program specifically targeting Ivanti Connect Secure because the access it provides justifies that investment.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
