Friday, March 14, 2025
Homecyber securityHackers Exploit Ivanti Connect Secure Vulnerability to Inject SPAWNCHIMERA malware

Hackers Exploit Ivanti Connect Secure Vulnerability to Inject SPAWNCHIMERA malware

Published on

SIEM as a Service

Follow Us on Google News

In a concerning development, cybersecurity experts have identified active exploitation of a critical vulnerability in Ivanti Connect Secure (ICS) appliances, tracked as CVE-2025-0282.

This zero-day vulnerability, a stack-based buffer overflow with a CVSS score of 9.0, has been leveraged by attackers to deploy the advanced SPAWNCHIMERA malware.

The flaw permits unauthenticated remote code execution, enabling attackers to infiltrate networks and compromise critical systems.

Malware Deployment

Ivanti disclosed the vulnerability in January 2025, but evidence indicates that exploitation began as early as December 2024.

The SPAWNCHIMERA malware, an evolution of the SPAWN malware family, was observed being deployed post-exploitation.

SPAWNCHIMERA malware
SPAWNCHIMERA operational flow

This sophisticated malware integrates enhanced features from its predecessors SPAWNANT, SPAWNMOLE, and SPAWNSNAIL making it more resilient and harder to detect.

Key updates in SPAWNCHIMERA include:

  • Inter-process communication via UNIX domain sockets: This change obfuscates malicious traffic and evades traditional detection tools.
  • Dynamic patching of CVE-2025-0282: The malware hooks into the vulnerable strncpy function to mitigate further exploitation by other attackers.
  • Enhanced obfuscation: Critical components, such as private keys and traffic decoding mechanisms, are now encrypted or dynamically decoded during runtime.
  • Debugging resistance: Debug messages have been stripped from the malware codebase to complicate forensic analysis.

The exploitation of CVE-2025-0282 has affected multiple organizations globally, with Shadowserver scans detecting hundreds of compromised ICS devices.

The deployment of SPAWNCHIMERA underscores the increasing sophistication of cyberattacks targeting network edge devices like VPN appliances.

According to the JPCERT, Ivanti has released patches for ICS (version 22.7R2.5) to address this critical vulnerability.

However, remediation efforts have been slow, with thousands of devices still exposed as of early February 2025.

Organizations are urged to:

  1. Apply the latest security updates immediately.
  2. Use Ivanti’s Integrity Checker Tool (ICT) to identify signs of compromise.
  3. Conduct factory resets on compromised devices before redeployment.

Broader Threat Landscape

The SPAWNCHIMERA campaign highlights the persistent risks posed by unpatched vulnerabilities in widely used enterprise systems.

Attackers leveraging such flaws can gain unauthorized access to sensitive data, escalate privileges, and establish long-term persistence within networks.

Experts warn that network edge devices remain high-value targets for state-sponsored actors and cybercriminals alike.

Organizations must prioritize robust patch management and adopt proactive monitoring solutions to mitigate these evolving threats effectively.

This incident serves as a stark reminder for enterprises to remain vigilant against zero-day exploits and invest in comprehensive cybersecurity defenses to safeguard their infrastructure against advanced persistent threats like SPAWNCHIMERA.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Hackers Exploiting Exposed Jupyter Notebooks to Deploy Cryptominers

Cado Security Labs has identified a sophisticated cryptomining campaign exploiting misconfigured Jupyter Notebooks, targeting...

AWS SNS Exploited for Data Exfiltration and Phishing Attacks

Amazon Web Services' Simple Notification Service (AWS SNS) is a versatile cloud-based pub/sub service...

Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware

A recent alert from the Akamai Security Intelligence and Response Team (SIRT) has highlighted...

Cisco Warns of Critical IOS XR Vulnerability Enabling DoS Attacks

Cisco has issued a security advisory warning of a vulnerability in its IOS XR...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Hackers Exploiting Exposed Jupyter Notebooks to Deploy Cryptominers

Cado Security Labs has identified a sophisticated cryptomining campaign exploiting misconfigured Jupyter Notebooks, targeting...

AWS SNS Exploited for Data Exfiltration and Phishing Attacks

Amazon Web Services' Simple Notification Service (AWS SNS) is a versatile cloud-based pub/sub service...

Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware

A recent alert from the Akamai Security Intelligence and Response Team (SIRT) has highlighted...