CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 10 min read

CVE-2025-0282: Ivanti Connect Secure Stack Overflow Zero-Day RCE

The third Ivanti Connect Secure zero-day in 13 months, an unauthenticated stack overflow enabling pre-authentication RCE, exploited by the same Chinese APT responsible for the 2024 ArcaneDoor campaign, with CISA ordering federal disconnection within 48 hours

9.0
CVSS Score
Dec 2024
First exploitation observed
Pre-auth
Authentication required
3rd
Ivanti CS zero-day in 13 months

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2025-0282 is a critical pre-authentication stack-based buffer overflow in Ivanti Connect Secure, the third zero-day in the platform in 13 months, disclosed January 8, 2025. The flaw allows an unauthenticated attacker to execute arbitrary code on the VPN gateway with root-level privileges. Mandiant confirmed active exploitation by UNC5337 (a Chinese state-sponsored cluster linked to the 2024 Ivanti campaign actor UNC5221) beginning mid-December 2024, deploying updated versions of the SPAWN malware ecosystem including a new persistence framework designed to survive factory resets.

Technical Details: Stack Overflow in the Web Component

CVE-2025-0282 is a classic stack-based buffer overflow (CWE-121) in the web component of Ivanti Connect Secure, the same network-facing service that processes VPN authentication and management traffic. An attacker sends a specifically crafted request to the web interface that causes the component to write beyond the bounds of a stack-allocated buffer, overwriting the return address and enabling control of the instruction pointer.

Because this code path is reachable without authentication, it is processed before any credential validation occurs, the attack requires only network access to the HTTPS interface of the Connect Secure appliance. This is typically port 443, which is intentionally internet-exposed for VPN client access.

UNC5337 and the SPAWN Malware Ecosystem

Mandiant's investigation of CVE-2025-0282 exploitation identified UNC5337 deploying an updated version of the SPAWN malware family, a modular persistence framework first observed in the January 2024 Ivanti campaign:

SPAWNANT: An installer that plants the SPAWN components and configures persistence mechanisms that survive factory resets by writing to the appliance's Trusted Platform Module (TPM) storage or equivalent persistent partitions.

SPAWNMOLE: A tunneler enabling persistent covert network access from the compromised appliance.

SPAWNSNAIL: An SSH backdoor providing authenticated access to the appliance's underlying operating system.

DRYHOOK and PHASEJAM (new in 2025): Additional credential harvesting and persistence components specific to the CVE-2025-0282 campaign, not previously observed in the 2024 SPAWN deployments.

The engineering of SPAWNANT to survive factory resets, the standard remediation recommendation, represents a significant escalation in persistence sophistication over the 2024 campaign.

1

Unauthenticated Stack Overflow via Web Interface

Attacker sends crafted HTTPS request to Ivanti Connect Secure's internet-facing port 443. The stack overflow in the web component triggers controlled code execution without any authentication.

2

PHASEJAM Webshell Deployed

Initial persistence established via PHASEJAM, a webshell installer that modifies the Ivanti Connect Secure upgrade and health-check scripts to maintain persistence across standard upgrade procedures.

3

SPAWN Ecosystem Installed

SPAWNANT deploys SPAWNMOLE (tunneler), SPAWNSNAIL (SSH backdoor), and DRYHOOK (credential harvester) to establish multi-layered persistence including mechanisms designed to survive factory resets.

4

VPN Credential Harvesting

DRYHOOK intercepts authentication events on the compromised gateway, harvesting VPN credentials for all users authenticating through the device.

5

Covert Long-Term Access

SPAWNMOLE tunneler enables covert network access into the organization's internal network via the compromised VPN gateway, supporting long-term espionage without detectable authentication events.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Detection

Detection for CVE-2025-0282 exploitation requires device-level inspection beyond standard network monitoring:

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Remediation

Critical note: standard patching and factory reset may be insufficient for compromised devices.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2025-0282 is the third pre-authentication zero-day in Ivanti Connect Secure in 13 months, all attributed to the same Chinese APT cluster. The SPAWN malware ecosystem's evolution, now capable of surviving factory resets, demonstrates an actor that has studied and countered every standard remediation step. This pattern has shifted the Ivanti Connect Secure risk calculus: the question is not whether your device has been targeted, but whether your remediation was thorough enough to evict a persistence framework specifically engineered to survive it. Organizations that cannot achieve full confidence in appliance integrity should evaluate replacing rather than remediating.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2025-0282?

CVE-2025-0282 is a stack-based buffer overflow in Ivanti Connect Secure's web component that allows an unauthenticated remote attacker to achieve remote code execution on the VPN gateway appliance. It was exploited as a zero-day by UNC5337, a Chinese state-sponsored threat actor, beginning in mid-December 2024 before Ivanti's January 2025 disclosure.

Is CVE-2025-0282 related to the 2024 Ivanti zero-days (CVE-2023-46805 / CVE-2024-21887)?

CVE-2025-0282 is a separate vulnerability from the January 2024 Ivanti zero-day chain ([CVE-2023-46805](https://nvd.nist.gov/vuln/detail/CVE-2023-46805) + [CVE-2024-21887](https://nvd.nist.gov/vuln/detail/CVE-2024-21887)). However, the same Chinese APT cluster (Mandiant tracks UNC5337, linked to UNC5221 from the 2024 campaign) is responsible for exploiting both. The recurrence indicates sustained offensive investment in Ivanti Connect Secure research.

Does CVE-2025-0282 affect Ivanti VPN clients?

No. CVE-2025-0282 is a server-side vulnerability in the Ivanti Connect Secure gateway appliance. VPN client software running on endpoints is not affected. However, users who authenticated through a compromised gateway should be considered potentially exposed to credential harvesting.

Is a factory reset required, or is patching sufficient?

For devices that were internet-facing before patching, Ivanti and CISA recommend running the Ivanti Integrity Checker Tool (ICT) and, if any indicators are found, performing a factory reset before applying the patch. Applying the patch alone does not evict a threat actor who has already established persistence on the device.

What is PHASEJAM and how does it differ from SPAWNANT in persistence mechanism?

PHASEJAM and SPAWNANT are two distinct persistence components of the malware ecosystem deployed in the CVE-2025-0282 campaign. PHASEJAM is a webshell installer that achieves persistence by modifying Ivanti Connect Secure's upgrade and health-check scripts. Because it hooks the upgrade process itself, PHASEJAM persists across standard SFOS firmware upgrades, it reinfects the upgraded firmware when the device upgrades. SPAWNANT targets a lower-level persistence location: the device's persistent shared memory or equivalent storage region that survives even factory resets. SPAWNANT is the more sophisticated component, requiring deep knowledge of Ivanti Connect Secure's hardware and firmware architecture. Together they provide layered persistence that survives both upgrade-based and factory-reset remediation attempts.

Why has Ivanti Connect Secure been exploited by Chinese APTs three times in 13 months?

Ivanti Connect Secure is an internet-facing VPN gateway with a large installed base across US federal agencies, NATO member governments, and critical infrastructure operators, making it a high-priority intelligence collection target. From the attacker's perspective, compromising the VPN gateway provides: credential harvesting for all VPN users, persistent access into internal networks via the gateway's privileged network position, and a target that typically receives less security monitoring than endpoints and servers. The recurrence of zero-days from the same actor cluster indicates sustained offensive investment, the group maintains an ongoing vulnerability research program specifically targeting Ivanti Connect Secure because the access it provides justifies that investment.

Sources & references

  1. Ivanti Security Advisory, CVE-2025-0282
  2. Mandiant, Active Exploitation of CVE-2025-0282
  3. CISA Known Exploited Vulnerabilities Catalog
  4. NVD, CVE-2025-0282

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.