Juniper Vpns Under Siege: Sophisticated Backdoor Malware Hides In Plain Sight
Backdoor Malware Exploits “Magic Packets” for Stealthy VPN Infiltration
Researchers at …
10 January 2025
Sophisticated Malware Attacks Leave Networks Vulnerable Using Ivanti VPNs
A well-coordinated campaign of cyberattacks has been targeting networks protected by Ivanti VPNs, exploiting a critical vulnerability to gain complete control over connected devices. The attacks, which have been ongoing since mid-December, leave many organizations vulnerable to devastating consequences.
Ivanti, a leading hardware manufacturer, recently disclosed the vulnerability, tracked as CVE-2025-0282, and warned that it was under active exploitation against some customers. The vulnerability, present in Ivanti’s Connect Secure VPN and Policy Secure & ZTA Gateways, allows hackers to execute malicious code with no authentication required. In response, Ivanti released a security patch that upgrades Connect Secure devices to version 22.7R2.5.
According to Google-owned security provider Mandiant, the vulnerability has been actively exploited against “multiple compromised Ivanti Connect Secure appliances” since mid-December. The attackers, who appear to be well-resourced and sophisticated, have installed two new malware packages on infected devices: DRYHOOK and PHASEJAM. PHASEJAM is a particularly insidious bash shell script that installs a web shell, allowing remote hackers to gain privileged control of the device.
Once inside, PHASEJAM injects a malicious function into the Connect Secure update mechanism, simulating an upgrade process to conceal its malicious activities. If an administrator attempts to upgrade the software, the function displays a convincing upgrade process with step-by-step progress indicators, complete with mock dots and numbers, to distract from its true intentions.
In addition to PHASEJAM, attackers are also using SPAWNANT malware on some devices, which disables the integrity checker tool (ICT) that Ivanti has built into recent VPN versions. The malware replaces the expected SHA256 cryptographic hash of a core file with the hash of the infected version, so the integrity check passes against the tampered file and the checker is rendered useless.
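The manifest substitution described above is why an integrity check that trusts only the hash list stored on the appliance can be fooled. As an added illustration (not Ivanti's ICT and not Mandiant's code), the following compares each file against both the on-device manifest and an out-of-band copy of the expected hashes; the file contents, file names and manifests are constructed samples.

```python
import hashlib
from typing import Dict, List

# Constructed sample "appliance files": bytes stand in for on-disk content.
CLEAN_CORE = b"#!/bin/sh\n# legitimate core component\nexec /bin/true\n"
INFECTED_CORE = CLEAN_CORE + b"# injected stub (constructed sample)\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Out-of-band reference: expected hashes kept OFF the appliance (assumed to
# come from the vendor's published list, fetched over a separate channel).
EXTERNAL_MANIFEST: Dict[str, str] = {"core.sh": sha256_hex(CLEAN_CORE)}


def on_device_check_passes(files: Dict[str, bytes], local_manifest: Dict[str, str]) -> bool:
    """What a checker that trusts only the on-device manifest would report."""
    return all(sha256_hex(files[n]) == h for n, h in local_manifest.items() if n in files)


def verify(files: Dict[str, bytes], local_manifest: Dict[str, str],
           external_manifest: Dict[str, str]) -> List[str]:
    """Compare files against the external reference AND compare the two manifests.

    If an attacker rewrote the on-device manifest to match a modified file,
    the on-device check passes, but the manifest no longer agrees with the
    external copy and the file hash no longer matches it either.
    """
    findings: List[str] = []
    for name, expected in external_manifest.items():
        local_expected = local_manifest.get(name)
        if local_expected != expected:
            findings.append(f"{name}: on-device manifest differs from external reference")
        if name not in files:
            findings.append(f"{name}: file missing")
            continue
        actual = sha256_hex(files[name])
        if actual != expected:
            findings.append(f"{name}: content hash differs from external reference")
        if actual == local_expected and actual != expected:
            findings.append(f"{name}: on-device check would pass despite modified content")
    return findings


if __name__ == "__main__":
    tampered = {"core.sh": INFECTED_CORE}
    swapped_manifest = {"core.sh": sha256_hex(INFECTED_CORE)}  # attacker-substituted hash
    print("on-device check:", on_device_check_passes(tampered, swapped_manifest))
    for line in verify(tampered, swapped_manifest, EXTERNAL_MANIFEST):
        print(line)
```

The external manifest must be obtained and stored somewhere the appliance cannot write to, otherwise it offers no more assurance than the on-device list.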
The attacks highlight the critical importance of timely patching and vigilance in the face of sophisticated cyber threats. Mandiant noted that if an ICS (Ivanti Connect Secure) administrator attempts an upgrade, the injected function displays a visually convincing upgrade process that shows each of the steps along with varying numbers of dots to mimic a running process. This serves as a stark reminder that even well-established security solutions can be vulnerable to exploitation.
Organizations relying on Ivanti VPNs must take immediate action to protect their networks. This includes patching the vulnerable software, conducting regular security audits, and staying vigilant for signs of suspicious activity. With the rise of advanced threat actors and increasingly sophisticated malware, vigilance is essential to preventing devastating cyber incidents.