A China-linked advanced persistent threat (APT) group has exploited critical vulnerabilities in Ivanti Connect Secure VPN appliances to infiltrate organizations across 12 countries and 20 industries, cybersecurity firm TeamT5 revealed in a report shared with Cyber Security News.
The campaign, active since late March 2025, leverages the CVE-2025-0282 and CVE-2025-22457 vulnerabilities, both stack-based buffer overflow flaws with maximum CVSS scores of 9.0, to deploy the SPAWNCHIMERA malware suite and establish persistent network access.
The attacks impacted entities in Austria, Australia, France, Spain, Japan, South Korea, the Netherlands, Singapore, Taiwan, the UAE, the UK, and the U.S. Targeted industries span high-value sectors such as government agencies, financial institutions, telecommunications, law firms, and intergovernmental organizations, TeamT5 said.
The threat actors maintained covert access to victim networks for weeks, exfiltrating sensitive data while evading detection through multi-layered command-and-control (C2) infrastructure and log-wiping tools.
Technical Analysis of the Exploitation Chain
The APT group, assessed by Mandiant as UNC5221 with ties to Chinese state interests, weaponized the Ivanti vulnerabilities to achieve unauthenticated remote code execution (RCE).
Once inside, attackers deployed SPAWNCHIMERA, a modular malware ecosystem designed explicitly for Ivanti appliances. Key components include:
- SPAWNANT: A stealthy installer that bypasses integrity checks.
- SPAWNMOLE: A SOCKS5 proxy for tunneling traffic.
- SPAWNSNAIL: An SSH backdoor for persistent access.
- SPAWNSLOTH: A log-wiping tool to erase forensic evidence.
The malware’s dynamic patching capability allows it to modify vulnerable Ivanti components in memory, ensuring continued exploitation even after patches are applied.
Security analysts at Rapid7 confirmed the vulnerabilities’ exploitability, noting that CVE-2025-22457 initially appeared as a low-risk denial-of-service bug but was later weaponized for RCE.
Source: Cybersecurity News