Ivanti has warned that a critical vulnerability, CVE-2025-0282 (CVSS 9.0), in Ivanti Connect Secure, Policy Secure, and ZTA Gateways has been actively exploited since December 2024. This stack-based buffer overflow can lead to unauthenticated remote code execution, and exploitation has been attributed to a China-linked threat actor, UNC5337. A second, high-severity flaw, CVE-2025-0283 (CVSS 7.0), which allows privilege escalation, has also been patched. Attackers deploy advanced malware such as SPAWN, DRYHOOK, and PHASEJAM to disable security features, maintain persistence, exfiltrate data, and disrupt legitimate system updates. The U.S. CISA has mandated patching by January 15, 2025, and urged organizations to monitor for signs of compromise.