Exploitation of New Ivanti VPN Zero-Day Linked to Chinese Cyberspies


Google Cloud’s Mandiant has linked the exploitation of a newly patched Ivanti VPN zero-day vulnerability to Chinese cyberspies.

Ivanti alerted customers on Wednesday that two vulnerabilities, tracked as CVE-2025-0282 and CVE-2025-0283, have been patched in its Connect Secure (ICS) VPN appliances.

CVE-2025-0282, a critical stack-based buffer overflow that allows unauthenticated remote attackers to execute arbitrary code, has been exploited in the wild against a limited number of customers, Ivanti warned, without sharing any details on these attacks, except to say that compromise was identified using the company’s Integrity Checker Tool (ICT) and commercial security monitoring tools.

However, Mandiant, which has been working with Ivanti on investigating the attacks, revealed that exploitation has been linked to Chinese threat actors. Mandiant started seeing exploitation of CVE-2025-0282 in mid-December 2024.

Mandiant said it’s currently unable to attribute the exploitation of CVE-2025-0282 to a specific threat actor. However, the company noticed that the attackers deployed a malware family tracked as Spawn, which was previously attributed to a China-tied espionage group tracked as UNC5337.

The Spawn malware family includes the SpawnAnt installer, the SpawnMole tunneler, and an SSH backdoor named SpawnSnail.

Mandiant believes — with medium confidence — that UNC5337 is part of UNC5221, a threat group that was previously observed exploiting Ivanti product vulnerabilities such as CVE-2023-46805 and CVE-2024-21887. Victims of those attacks included MITRE and CISA.

In the attacks involving the exploitation of CVE-2025-0282, the new Ivanti ICS zero-day, Mandiant also saw previously unknown malware families, which have been named DryHook and PhaseJam. These pieces of malware have yet to be linked to a known threat group.


“It is possible that multiple actors are responsible for the creation and deployment of these various code families (i.e. Spawn, DryHook and PhaseJam), but as of publishing this report, we don’t have enough data to accurately assess the number of threat actors targeting CVE-2025-0282,” Mandiant explained.

In the attacks observed by Mandiant, the hackers first sent requests to the targeted appliance in an effort to determine its software version, as exploitation is version specific. They then exploited CVE-2025-0282, disabled SELinux, made configuration changes, executed scripts, and deployed web shells in preparation for deploying malware.

The PhaseJam malware is a dropper that modifies Ivanti Connect Secure components, deploys web shells, and overwrites executables to facilitate arbitrary command execution. The malware, which helps the attackers establish an initial foothold, enables them to execute commands, upload files to the appliance, and exfiltrate data.

The DryHook malware has been used by the attackers in the post-exploitation phase of the attack to steal credentials.

In an effort to persist across system upgrades, the attackers leveraged the SpawnAnt malware, which copies itself and its components to a special upgrade partition. In addition, the PhaseJam malware blocks system upgrades, but displays a fake upgrade progress bar to avoid raising suspicion.

Mandiant has warned that CVE-2025-0282 will likely be exploited by additional threat actors if proof-of-concept (PoC) exploits are created and made public.

CISA on Wednesday added the Ivanti Connect Secure zero-day to its Known Exploited Vulnerabilities (KEV) catalog, instructing federal agencies to address the security hole by January 15.

It’s worth noting that Ivanti has released patches for Connect Secure, but Policy Secure and Neurons for ZTA gateways are also impacted, and they are only set to receive patches on January 21.
