Chinese Hackers Exploit Ivanti VPN Vulnerabilities to Infiltrate Organizations
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A China-linked advanced persistent threat (APT) group has exploited critical vulnerabilities in Ivanti Connect Secure VPN appliances to infiltrate organizations across 12 countries and 20 industries, cybersecurity firm TeamT5 revealed in a report shared with Cyber Security News. <\/p>\n
The campaign, active since late March 2025, leverages the CVE-2025-0282<\/a> and CVE-2025-22457<\/a> vulnerabilities both stack-based buffer overflow flaws with maximum CVSS scores of 9.0\u2014to deploy the SPAWNCHIMERA malware suite and establish persistent network access.<\/p>\n The attacks impacted entities in Austria, Australia, France, Spain, Japan, South Korea, the Netherlands, Singapore, Taiwan, the UAE, the UK, and the U.S. Targeted industries span high-value sectors such as government agencies, financial institutions, telecommunications, law firms, and intergovernmental organizations, TeamT5 said<\/a>.<\/p>\n The threat actors maintained covert access to victim networks for weeks, exfiltrating sensitive data while evading detection through multi-layered command-and-control (C2) infrastructure and log-wiping tools.<\/p>\n The APT group, assessed by Mandiant as UNC5221 with ties to Chinese state interests, weaponized the Ivanti vulnerabilities to achieve unauthenticated remote code execution (RCE).<\/p>\n Once inside, attackers deployed SPAWNCHIMERA<\/a>, a modular malware ecosystem designed explicitly for Ivanti appliances. Key components include:<\/p>\n The malware\u2019s dynamic patching capability allows it to modify vulnerable Ivanti components in memory, ensuring continued exploitation even after patches are applied.<\/p>\n Security analysts at Rapid7 confirmed the vulnerabilities\u2019 exploitability, noting that CVE-2025-22457 initially appeared as a low-risk denial-of-service bug but was later weaponized for RCE.<\/p>\n Since April 2025, mass exploitation attempts have rendered many Ivanti VPN appliances unstable, with failed attacks causing widespread service disruptions.<\/p>\n Despite Ivanti\u2019s patches released in February, thousands of devices remain unpatched due to sluggish enterprise remediation efforts.<\/p>\n Mandiant warns that the SPAWNCHIMERA<\/a> toolkit\u2019s sophistication, including UNIX socket communication and obfuscated payloads\u2014reflects Beijing\u2019s growing focus on cyber espionage against geopolitical rivals.<\/p>\n TeamT5 urges affected organizations to:<\/p>\n The campaign underscores the persistent risks of unpatched network edge devices, particularly VPN gateways<\/a>. As Chinese APTs increasingly target legacy systems, CISA has mandated federal agencies to patch Ivanti vulnerabilities by January 15, 2025\u2014a deadline many missed, exacerbating the crisis. <\/p>\n With over 1,700 devices compromised globally and exploitation attempts surging, analysts warn that the operational fallout could persist for years.<\/p>\n \u201cThe attackers mapped critical infrastructure, suggesting preparations for future disruptive operations.\u201d As geopolitical tensions escalate, the incident highlights the urgent need for proactive vulnerability management and cross-sector threat intelligence sharing.<\/p>\n The post Chinese Hackers Exploit Ivanti VPN Vulnerabilities to Infiltrate Organizations<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nTechnical Analysis of the Exploitation Chain<\/strong><\/h2>\n
\n
\n
Equip your team with real-time threat analysis With ANY.RUN\u2019s interactive cloud sandbox ->\u00a0Try 14-day Free Trial<\/a><\/code><\/strong><\/p>\n