Source: The Hacker News Author: [email protected] (The Hacker News) URL: https://thehackernews.com/2025/01/ivanti-flaw-cve-2025-0282-actively.html

ONE SENTENCE SUMMARY:

A critical security flaw in Ivanti products has been actively exploited, leading to unauthenticated remote code execution.

MAIN POINTS:

1. Ivanti Connect Secure, Policy Secure, and ZTA Gateways are affected by CVE-2025-0282.
2. CVE-2025-0282 has a CVSS score of 9.0, indicating critical severity.
3. Successful exploitation allows unauthenticated remote code execution vulnerabilities.
4. Mandiant linked attacks to the SPAWN malware ecosystem and China-nexus group UNC5337.
5. PHASEJAM modifies Ivanti components and blocks system upgrades covertly.
6. Attackers executed multiple steps to disable SELinux and install malware.
7. Evidence suggests sophisticated threat actor techniques, including log entry removal.
8. CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities catalog.
9. Users urged to apply patches by January 15, 2025, due to active exploitation.
10. Internal reconnaissance and credential harvesting are among the post-exploitation activities.

TAKEAWAYS:

1. Prompt patching is necessary to mitigate critical vulnerabilities in Ivanti products.
2. Awareness of emerging malware threats can help organizations bolster cybersecurity defenses.
3. Continuous monitoring and incident reporting can identify and mitigate exploitation signs.
4. Organizations must recognize the methods used by sophisticated threat actors.
5. Collaboration with cybersecurity agencies can enhance threat intelligence sharing and response.