Ivanti Product Flaw Exposes Corporate Security Risk

Ivanti has reported active exploitation of the critical vulnerability CVE-2025-0282 (CVSS 9.0), which affects Connect Secure (up to version 22.7R2.5), Policy Secure (up to version 22.7R1.2) and Neurons for ZTA Gateway (up to version 22.7R2.3). The flaw is a stack-based buffer overflow that allows an unauthenticated attacker to execute code remotely.

Ivanti said the threat was identified with the help of its Integrity Checker Tool (ICT), which flagged the malicious activity on the day it occurred, allowing the company to release fixes quickly. At the same time, Ivanti disclosed and resolved CVE-2025-0283 (CVSS 7.0), which allows a local user to escalate privileges. Fixes are available in version 22.7R2.5.
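As an added example (not from Ivanti or the article), the check below parses Ivanti's `22.7R2.5`-style version strings and flags inventory entries that fall inside the affected ranges stated above; the thresholds are taken from this article and the host names are constructed.

```python
import re
from typing import List, Tuple

# Affected ranges as stated in the article above (verify against the vendor
# advisory before relying on them). Connect Secure: 22.7R2.5 is the fixed
# release, so only older builds are treated as affected (exclusive bound).
# Policy Secure and Neurons for ZTA Gateway: affected up to and including
# the listed version (inclusive bound).
LAST_AFFECTED = {
    "Connect Secure": ("22.7R2.5", False),
    "Policy Secure": ("22.7R1.2", True),
    "Neurons for ZTA Gateway": ("22.7R2.3", True),
}

# Matches e.g. "22.7R2.5" or "22.7R2" (patch component optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Turn an Ivanti-style version string into a tuple that compares correctly."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {v!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(product: str, version: str) -> bool:
    """True if the product/version pair lies inside the advisory's affected range."""
    threshold, inclusive = LAST_AFFECTED[product]
    v, t = parse_version(version), parse_version(threshold)
    return v <= t if inclusive else v < t


# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY = [
    ("vpn-gw-01", "Connect Secure", "22.7R2.4"),
    ("vpn-gw-02", "Connect Secure", "22.7R2.5"),
    ("nac-01", "Policy Secure", "22.7R1.2"),
    ("zta-01", "Neurons for ZTA Gateway", "22.7R2.3"),
    ("zta-02", "Neurons for ZTA Gateway", "22.7R2.5"),
]


def affected_hosts(inventory=INVENTORY) -> List[str]:
    """Return the hosts that still need the update and an ICT scan."""
    return [host for host, product, version in inventory if is_affected(product, version)]


if __name__ == "__main__":
    for host in affected_hosts():
        print(f"{host}: update to 22.7R2.5 and run the Integrity Checker Tool")
```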

Mandiant attributed a series of attacks to hackers associated with the Chinese group UNC5337; its investigation led to the discovery of previously unknown malware families, DRYHOOK and PHASEJAM.

The attacks involved disabling SELinux, tampering with logs, inserting web shells, and deploying droppers such as PHASEJAM. This script blocks system updates and modifies system component files. The web shells give the attackers a way to run commands, upload files, and access data.

The operation also included:

  • Internal network reconnaissance using the nmap and dig tools.
  • LDAP queries against Active Directory and lateral movement.
  • Theft of the VPN session database, API keys, and credentials.
  • Password harvesting with the Python script DRYHOOK.

CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities (KEV) catalog and required federal agencies to apply the security updates by January 15, 2025. Organizations are advised to conduct system scans for signs

Sources: reports, release notes, official announcements.