Hackers Exploit Ivanti Connect Secure Vulnerability to Inject SPAWNCHIMERA malware

In a concerning development, cybersecurity experts have identified active exploitation of a critical vulnerability in Ivanti Connect Secure (ICS) appliances, tracked as CVE-2025-0282.

This zero-day vulnerability, a stack-based buffer overflow with a CVSS score of 9.0, has been leveraged by attackers to deploy the advanced SPAWNCHIMERA malware.

The flaw permits unauthenticated remote code execution, enabling attackers to infiltrate networks and compromise critical systems.

Malware Deployment

Ivanti disclosed the vulnerability in January 2025, but evidence indicates that exploitation began as early as December 2024.

The SPAWNCHIMERA malware, an evolution of the SPAWN malware family, was observed being deployed post-exploitation.

This sophisticated malware integrates enhanced features from its predecessors SPAWNANT, SPAWNMOLE, and SPAWNSNAIL making it more resilient and harder to detect.

Key updates in SPAWNCHIMERA include:

• Inter-process communication via UNIX domain sockets: This change obfuscates malicious traffic and evades traditional detection tools.
• Dynamic patching of CVE-2025-0282: The malware hooks into the vulnerable strncpy function to mitigate further exploitation by other attackers.
• Enhanced obfuscation: Critical components, such as private keys and traffic decoding mechanisms, are now encrypted or dynamically decoded during runtime.
• Debugging resistance: Debug messages have been stripped from the malware codebase to complicate forensic analysis.

The exploitation of CVE-2025-0282 has affected multiple organizations globally, with Shadowserver scans detecting hundreds of compromised ICS devices.

The deployment of SPAWNCHIMERA underscores the increasing sophistication of cyberattacks targeting network edge devices like VPN appliances.

According to the JPCERT, Ivanti has released patches for ICS (version 22.7R2.5) to address this critical vulnerability.

However, remediation efforts have been slow, with thousands of devices still exposed as of early February 2025.

Organizations are urged to:

1. Apply the latest security updates immediately.
2. Use Ivanti’s Integrity Checker Tool (ICT) to identify signs of compromise.
3. Conduct factory resets on compromised devices before redeployment.

Broader Threat Landscape

The SPAWNCHIMERA campaign highlights the persistent risks posed by unpatched vulnerabilities in widely used enterprise systems.

Attackers leveraging such flaws can gain unauthorized access to sensitive data, escalate privileges, and establish long-term persistence within networks.

Experts warn that network edge devices remain high-value targets for state-sponsored actors and cybercriminals alike.

Organizations must prioritize robust patch management and adopt proactive monitoring solutions to mitigate these evolving threats effectively.

This incident serves as a stark reminder for enterprises to remain vigilant against zero-day exploits and invest in comprehensive cybersecurity defenses to safeguard their infrastructure against advanced persistent threats like SPAWNCHIMERA.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free