TeamT5 Warns of Global Risks Posed by Ivanti Vulnerability

TAIPEI,April 24, 2025/PRNewswire/ --Asia Pacificthreat intelligence leading brand TeamT5 detected that theChina-nexus APT group exploited the critical vulnerability in Ivanti Connect Secure VPN appliances to infiltrate multiple entities around the globe. The victims include nearly 20 different industries across 12 countries. TeamT5 believes that the actor still maintained control over the victim's network at the time of analysis. We urge enterprises and organizations to take a comprehensive investigation.

Ivanti High-Risk Vulnerability Exposes Systems to Potential Takeover by Attackers

TeamT5's analysis assessed with high confidence that the actor was exploiting the vulnerabilities of Ivanti Connect Secure VPN appliances to launch attacks around the globe. The actor possibly exploitedCVE-2025-0282orCVE-2025-22457to conduct initial access.

BothCVE-2025-0282 andCVE-2025-22457 are stack buffer overflow vulnerabilities in Ivanti Connect Secure VPN with a CVSS score of 9.0. Successful exploitation allows the threat actor to achieve remote code execution, leading to intrusion of the internal network and malware implantation.

In the attack, the actor deployed a shared weapon among Chinese threat groups, SPAWNCHIMERA. SPAWNCHIMERA is developed specifically for Ivanti Connect Secure VPN and has all the functionalities of the notorious SPAWN family, including SPAWNANT (installer), SPAWNMOLE (socks5 tunnler), SPAWNSNAIL (SSH backdoor), and SPAWNSLOTH (log wiper).

Moreover, TeamT5's analysis suggests that other threat actors might also obtain the vulnerability information and start campaigns targeting Ivanti VPN appliances. We have observed massive exploitation attempts against Ivanti VPN appliances since April. Although most exploitation attempts failed, many Ivanti VPN appliances became paralyzed and unstable. 

Widespread Impact Across Countries and Industries Calls for Urgent System Review

TeamT5 points out that the victim countries includeAustria,Australia,France,Spain,Japan,South Korea,Netherlands,Singapore,Taiwan, theUnited Arab Emirates, theUnited Kingdom, andthe United States. The targeted industries include Automotive, Chemical, Conglomerate, Construction, Information Security, Education, Electronics, Financial Institution, Gambling, Government, Intergovernmental Organizations (IGOs), Information Technology, Law Firm, Manufacturing, Materials, Media, Non-Governmental Organizations (NGOs), Research Institute, and Telecommunication.

TeamT5 strongly recommends that affected organizations conduct a thorough incident investigation. Given the versatile TTPs of the actor, such as multi-layers of C2 infrastructure, evasion of monitor mechanism, and the usage of log wiper, without additional technical support, it would be a challenge to detect the actor's malicious traces inside the network. 

About TeamT5

TeamT5 consists of top cyber threat analysts. Leveraging our geographic and cultural advantages, we have the best understanding of cyber attackers inAsia Pacific. TeamT5 is frequently invited to share insights at top cybersecurity conferences. Our threat intelligence research expertise and solutions are recognized as the 2023-2024 Company of the Year Award in Taiwanese Threat Intelligence by Frost& Sullivan.

Based on our research in malware& Advanced Persistent Threat (APT), we provide cyber threat intelligence reports and anti-ransomware solutions to clients in theUSAandAsia Pacificregion. Clients include government agencies, financial business, and high tech enterprises.

Website:https://teamt5.org/en/

View original content to download multimedia:https://www.prnewswire.com/apac/news-releases/teamt5-warns-of-global-risks-posed-by-ivanti-vulnerability-302437073.html

SOURCE TeamT5