Image: Ivanti via Facebook

Chinese spies targeting new Ivanti vulnerability, Mandiant says

A newly publicized vulnerability in popular products from tech company Ivanti is being exploited by China-based espionage threat actors, according to Google-owned cybersecurity firm Mandiant.

Mandiant published a blog post detailing its examination of CVE-2025-0282 — a vulnerability Ivanti announced on Wednesday that affects the company’s popular Connect Secure VPN appliance. 

On Wednesday night, the leading U.S. cybersecurity agency ordered all federal civilian agencies to patch the vulnerability by January 15 — the shortest time frame it has ever issued since creating its Known Exploited Vulnerabilities Catalog.

Experts at Mandiant attributed exploitation of the bug to China-based hackers because the malware seen in attacks has only ever been used by Chinese campaigns exploiting Ivanti Connect Secure appliances. 

Mandiant incident responders first saw exploitation of CVE-2025-0282 in the middle of December and are currently analyzing multiple compromised Ivanti Connect Secure appliances from multiple organizations.

While they have not tied all of the activity to one threat actor, one of the deployed malware families — which Mandiant names SPAWN — was only previously spotted during the compromise of Ivanti Connect Secure VPN appliances exactly one year ago by actors exploiting bugs tracked as CVE-2023-46805 and CVE-2024-21887. 

The hackers that exploited those vulnerabilities as early as December 2023 are part of a group Mandiant called UNC5221. 

“Mandiant assesses that defenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access,” Wednesday’s blog post said. “Additionally, if proof-of-concept exploits for CVE-2025-0282 are created and released, Mandiant assesses it is likely additional threat actors may attempt targeting Ivanti Connect Secure appliances.”

Another cybersecurity firm, Volexity, previously attributed attacks involving CVE-2023-46805 and CVE-2024-21887 to Chinese nation-state-level threat actors. 

Since 2020, the Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations repeatedly of state-backed hackers linked to China exploiting vulnerabilities in Ivanti products.

In April 2021, CISA warned that hackers breached the systems of a number of U.S. government agencies, critical infrastructure entities and other private sector organizations. Mandiant attributed the activity to hackers operating on behalf of the Chinese government.

The revelations come as U.S. officials contend with multiple China-focused hacking scandals. Treasury Secretary Janet Yellen said on Monday that she spoke directly with Chinese Vice Premier He Lifeng about the recent cyberattack on her office and the Office of Foreign Assets Control (OFAC). 

Bloomberg reported on Thursday that the attack on the Treasury Department was perpetrated by Chinese hackers that are part of the Silk Typhoon group. 

In addition to the Treasury Department incident, Biden administration officials are planning an array of executive orders and investigations designed to address the Salt Typhoon attacks that saw Chinese hackers break into nine major telecommunication giants and steal sensitive information on incoming President Donald Trump and other officials in his circle. 

Ivanti’s own tool

Mandiant’s investigation into attacks targeting CVE-2025-0282 also found several previously unobserved malware families, named DRYHOOK and PHASEJAM, that are not yet linked to a known group. 

Ivanti and several of its customers affected by the cyberattacks were able to identify compromises by using the company’s Integrity Checker Tool alongside other commercial security monitoring tools. 

“Ivanti’s Integrity Checker Tool (ICT) has been effective in identifying compromise related to this vulnerability,” a spokesperson for Ivanti told Recorded Future News on Thursday. 

“Threat actor activity was identified by the Integrity Checker Tool (ICT) on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix. We strongly advise customers to closely monitor their internal and external ICT as part of a robust and layered approach to cybersecurity to ensure the integrity and security of the entire network infrastructure.”

But Mandiant noted that in its investigations, the hackers attempted to circumvent the ICT scanner through a variety of tactics and tried to prevent legitimate attempts to upgrade devices. 

“Due to the blocked upgrade attempt, the technique would allow any installed backdoors or tools left by the threat actor to persist on the current running version of the VPN while giving the appearance of a successful upgrade,” Mandiant said, providing screenshots of what a successful ICT scan should look like versus an unsuccessful one on a compromised device. 

Ivanti notes in its own blog that the ICT is only a snapshot of the appliance and “cannot necessarily detect threat actor activity if they have returned the appliance to a clean state.” The ICT also does not scan for malware.
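The limitation described above, that a point-in-time integrity check reports only what differs at the moment it runs, is easy to reproduce. The following Python snippet is an added illustration, not Ivanti’s Integrity Checker Tool or any code from Mandiant: it builds a SHA-256 baseline of a constructed temporary directory, tampers with one file, scans, restores the file, and scans again. The second scan comes back clean even though the tampering happened, which is exactly why a snapshot checker has to be paired with retained logs and external monitoring.

```python
"""Hypothetical snapshot-style file integrity check (illustrative only; not Ivanti's ICT)."""
import hashlib
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256."""
    return {
        str(p.relative_to(root)): _digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def snapshot_scan(root: Path, baseline: dict) -> dict:
    """Compare the tree as it exists right now against the baseline.

    This is a snapshot: it can only report differences present at the instant
    it runs. Anything changed and then reverted before the scan is invisible.
    """
    current = build_baseline(root)
    modified = sorted(f for f in baseline if f in current and current[f] != baseline[f])
    missing = sorted(f for f in baseline if f not in current)
    added = sorted(f for f in current if f not in baseline)
    return {
        "modified": modified,
        "missing": missing,
        "added": added,
        "clean": not (modified or missing or added),
    }


def demo() -> tuple:
    """Constructed scenario: tamper, scan, restore, scan again.

    Returns (scan_during_tamper, scan_after_restore).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample tree standing in for an appliance filesystem.
        (root / "config.txt").write_text("listen=443\n")
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF-stub")
        baseline = build_baseline(root)

        original = (root / "config.txt").read_bytes()
        (root / "config.txt").write_text("listen=443\nextra=1\n")
        during = snapshot_scan(root, baseline)  # modification is visible now

        (root / "config.txt").write_bytes(original)  # file returned to clean state
        after = snapshot_scan(root, baseline)  # snapshot now reports clean
    return during, after


if __name__ == "__main__":
    during, after = demo()
    print("during tamper:", during)
    print("after restore:", after)
```

The first scan lists `config.txt` as modified; the second reports `clean: True`. A defender who only runs the checker periodically therefore needs a second, independent record, such as logs shipped off the device at the time of the change, to catch activity that was cleaned up in between scans.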

Mandiant said it saw the hackers trying to steal databases that may contain VPN sessions, session cookies, API keys, certificates, and credential material.


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.