Ivanti VPN Attacks Started In Mid-December, May Have Links To China: Mandiant

Researchers at the Google Cloud-owned cybersecurity specialist say they know of ‘multiple organizations’ impacted by the exploitation of a critical Ivanti Connect Secure vulnerability.

Attacks exploiting a critical-severity vulnerability in Ivanti’s Connect Secure VPN began at least as far back as mid-December and may be connected to a China-based threat group, according to researchers at Mandiant.

The Google Cloud-owned cybersecurity specialist is currently working with “multiple” victims impacted by the exploitation of the zero-day vulnerability (tracked as CVE-2025-0282), which can enable attackers to remotely execute code without authentication.


Malware used in at least one instance during the attacks shows possible links to a China-based threat actor, according to Mandiant researchers. And notably, the group may be a part of the same espionage-focused hacking operation held responsible for the widespread Ivanti Connect Secure compromises in early 2024, the researchers said.

In a statement provided to CRN on Wednesday, Ivanti said that it is “actively working with affected customers” following the “limited exploitation” of the critical vulnerability.

The critical Connect Secure vulnerability and a high-severity vulnerability in the appliances (tracked as CVE-2025-0283) — which has not seen exploitation so far — were disclosed Wednesday by Ivanti.

“Mandiant has identified zero-day exploitation of CVE-2025-0282 in the wild beginning mid-December 2024,” the company’s researchers wrote in a post Wednesday. “Mandiant is currently performing analysis of multiple compromised Ivanti Connect Secure appliances from multiple organizations.”

According to Mandiant, at least one compromised appliance that has been examined has been infected by a malware family known as “SPAWN” — which has been exclusively connected to a China-based threat actor, tracked as UNC5337, in the past.

UNC5337 is a “China-nexus cluster of espionage activity including operations that compromised Ivanti Connect Secure VPN appliances as early as Jan. 2024 and most recently as Dec. 2024,” the Mandiant researchers wrote.

Additionally, “Mandiant suspects with medium confidence that UNC5337 is part of UNC5221,” the researchers wrote.

UNC5221, meanwhile, is “a suspected China-nexus espionage actor that exploited vulnerabilities CVE-2023-46805 and CVE-2024-21887, which impacted Ivanti Connect Secure VPN and Ivanti Policy Secure appliances as early as December 2023,” the Mandiant researchers wrote, referencing the two vulnerabilities that were widely exploited in early 2024.

Researchers said thousands of Ivanti VPN devices were compromised during the wave of attacks, with the list of victims including the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Patch Available

Ivanti said in a statement provided to CRN Thursday that the company “worked in close collaboration with Mandiant on the analysis of the recently disclosed vulnerabilities to ensure the accuracy of the findings and in order to provide customers with the most comprehensive guidance possible.”

In its advisory about the latest Connect Secure vulnerabilities Wednesday, Ivanti said that customers should perform a scan with the vendor’s Integrity Checker Tool (ICT), and then can upgrade to Ivanti Connect Secure 22.7R2.5 if they receive a “clean internal and external ICT scan.”

Customers whose scan “shows signs of compromise” should factory reset the VPN device before putting the appliance back online with version 22.7R2.5, the company said.
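To turn the advisory's guidance into a repeatable triage step across an appliance fleet, here is an added Python example (not Ivanti's or Mandiant's code) that parses Connect Secure version strings and maps each appliance's ICT result and version onto the action the advisory prescribes. It assumes the version format seen on the page (`<major>.<minor>R<release>[.<patch>]`, with a missing patch field treated as 0) and uses a constructed inventory rather than real appliances.

```python
import re
from dataclasses import dataclass

# Version format assumed from the advisory's "22.7R2.5": <major>.<minor>R<release>[.<patch>]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")
FIXED_VERSION = "22.7R2.5"  # fixed build named in Ivanti's advisory


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '22.7R2.5' into a comparable tuple; a missing patch field counts as 0 (assumption)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_patched(version: str) -> bool:
    """True when the appliance already runs the fixed build or a later one."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


@dataclass
class IctResult:
    internal_clean: bool  # internal Integrity Checker Tool scan came back clean
    external_clean: bool  # external ICT scan came back clean


def remediation_action(version: str, ict: IctResult) -> str:
    """Apply the advisory's decision: reset on any sign of compromise, else upgrade if needed."""
    if not (ict.internal_clean and ict.external_clean):
        # Any sign of compromise: factory reset, then bring back online on the fixed build.
        return "factory-reset-then-install-22.7R2.5"
    if is_patched(version):
        return "already-patched-keep-monitoring-ict"
    return "upgrade-to-22.7R2.5"


# Constructed inventory for illustration, not real appliances.
INVENTORY = [
    ("vpn-a", "22.7R2.4", IctResult(True, True)),
    ("vpn-b", "22.7R2.5", IctResult(True, True)),
    ("vpn-c", "22.6R2", IctResult(True, False)),
]


def triage(inventory=INVENTORY) -> dict[str, str]:
    """Return the prescribed action for every appliance in the inventory."""
    return {name: remediation_action(ver, ict) for name, ver, ict in inventory}


if __name__ == "__main__":
    for name, action in triage().items():
        print(f"{name}: {action}")
```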

In its statement to CRN, Ivanti said the ICT has been “effective in identifying compromise related to this vulnerability.”

“We strongly advise customers to closely monitor their internal and external ICT as part of a robust and layered approach to cybersecurity,” the company said.