Tuesday, May 13, 2025
Homecyber securityHackers Exploit Ivanti Connect Secure Vulnerability to Inject SPAWNCHIMERA malware

Hackers Exploit Ivanti Connect Secure Vulnerability to Inject SPAWNCHIMERA malware

Published on

SIEM as a Service

Follow Us on Google News

In a concerning development, cybersecurity experts have identified active exploitation of a critical vulnerability in Ivanti Connect Secure (ICS) appliances, tracked as CVE-2025-0282.

This zero-day vulnerability, a stack-based buffer overflow with a CVSS score of 9.0, has been leveraged by attackers to deploy the advanced SPAWNCHIMERA malware.

The flaw permits unauthenticated remote code execution, enabling attackers to infiltrate networks and compromise critical systems.

- Advertisement - Google News

Malware Deployment

Ivanti disclosed the vulnerability in January 2025, but evidence indicates that exploitation began as early as December 2024.

The SPAWNCHIMERA malware, an evolution of the SPAWN malware family, was observed being deployed post-exploitation.

SPAWNCHIMERA malware
SPAWNCHIMERA operational flow

This sophisticated malware integrates enhanced features from its predecessors SPAWNANT, SPAWNMOLE, and SPAWNSNAIL making it more resilient and harder to detect.

Key updates in SPAWNCHIMERA include:

  • Inter-process communication via UNIX domain sockets: This change obfuscates malicious traffic and evades traditional detection tools.
  • Dynamic patching of CVE-2025-0282: The malware hooks into the vulnerable strncpy function to mitigate further exploitation by other attackers.
  • Enhanced obfuscation: Critical components, such as private keys and traffic decoding mechanisms, are now encrypted or dynamically decoded during runtime.
  • Debugging resistance: Debug messages have been stripped from the malware codebase to complicate forensic analysis.

The exploitation of CVE-2025-0282 has affected multiple organizations globally, with Shadowserver scans detecting hundreds of compromised ICS devices.

The deployment of SPAWNCHIMERA underscores the increasing sophistication of cyberattacks targeting network edge devices like VPN appliances.

According to the JPCERT, Ivanti has released patches for ICS (version 22.7R2.5) to address this critical vulnerability.

However, remediation efforts have been slow, with thousands of devices still exposed as of early February 2025.

Organizations are urged to:

  1. Apply the latest security updates immediately.
  2. Use Ivanti’s Integrity Checker Tool (ICT) to identify signs of compromise.
  3. Conduct factory resets on compromised devices before redeployment.

Broader Threat Landscape

The SPAWNCHIMERA campaign highlights the persistent risks posed by unpatched vulnerabilities in widely used enterprise systems.

Attackers leveraging such flaws can gain unauthorized access to sensitive data, escalate privileges, and establish long-term persistence within networks.

Experts warn that network edge devices remain high-value targets for state-sponsored actors and cybercriminals alike.

Organizations must prioritize robust patch management and adopt proactive monitoring solutions to mitigate these evolving threats effectively.

This incident serves as a stark reminder for enterprises to remain vigilant against zero-day exploits and invest in comprehensive cybersecurity defenses to safeguard their infrastructure against advanced persistent threats like SPAWNCHIMERA.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Apple Releases Security Patches to Fix Critical Data Exposure Flaws

Apple released critical security updates for macOS Sequoia 15.5 on May 12, 2025, addressing...

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Apple Releases Security Patches to Fix Critical Data Exposure Flaws

Apple released critical security updates for macOS Sequoia 15.5 on May 12, 2025, addressing...

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...