Targeted Attacks on Ivanti Connect Secure Appliances: A Closer Look at CVE-2025-0282 Exploits

A new and alarming wave of cyberattacks has been targeting Ivanti Connect Secure appliances, exploiting a zero-day vulnerability tracked as CVE-2025-0282. These attacks, observed in December 2024, have significantly impacted organizations in Japan, exposing critical weaknesses in enterprise remote access infrastructure. This recent breach marks a continued trend of sophisticated malware campaigns that have been increasingly focused on remote access systems, following previous incidents involving malware like SPAWNCHIMERA. The following explores the details of these attacks, the methodologies employed by cybercriminals, and what businesses can do to defend themselves.

The Attacks: New Vulnerabilities and Their Impact

In December 2024, a zero-day vulnerability in Ivanti Connect Secure appliances, identified as CVE-2025-0282, became the focal point of a series of targeted cyberattacks against organizations in Japan. These attacks exploited previously unknown flaws in the remote access infrastructure, exposing organizations to significant risk. The attackers gained initial access through a simple but effective method: a Perl-based web shell that bypassed traditional defenses.

The web shell functioned by analyzing HTTP requests for a specific cookie value, allowing attackers to execute arbitrary commands if the request matched. This vulnerability served as a foothold for the attackers, enabling them to deploy subsequent malware such as DslogdRAT.
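A web shell planted in the appliance's Perl code is, from the defender's side, a file that should not exist or a file whose hash no longer matches the vendor image. The following is an added example, not code from the article, from JPCERT/CC or from Ivanti: it builds a SHA-256 manifest of Perl/CGI files under a directory, diffs it against a baseline, and reports added, removed and modified files. The directory layout and file contents in `demo()` are constructed for illustration; the suffix list is an assumption about which files to cover.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, suffixes=(".pl", ".pm", ".cgi")) -> dict:
    """Map relative path -> sha256 for every Perl/CGI file under root (suffix list is an assumption)."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return files that were added, removed or changed relative to the known-good baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate one edited file and one dropped-in file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "cgi-bin" / "login.pl").write_text("#!/usr/bin/perl\nprint 'ok';\n")
        (root / "cgi-bin" / "Util.pm").write_text("package Util; 1;\n")
        baseline = build_manifest(root)
        # Simulated tampering: an existing script is modified and a new script appears.
        (root / "cgi-bin" / "login.pl").write_text("#!/usr/bin/perl\nprint 'changed';\n")
        (root / "cgi-bin" / "helper.pl").write_text("#!/usr/bin/perl\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The baseline must come from a known-good image, and the comparison is best done offline against a copied filesystem, since any tool executed on a compromised appliance can itself be tampered with.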

DslogdRAT, a remote access trojan (RAT), was used in a multi-stage execution process. Once launched, the RAT’s main process spawned child processes to handle different stages of operation. The RAT relied on a sleep loop to persist while keeping a low profile, and it communicated with its command-and-control (C2) server only during business hours (8:00 AM to 8:00 PM) to avoid triggering security alarms. DslogdRAT’s encoding of its traffic, such as XOR with an incrementing key, further obscured the attackers’ actions and made detection more difficult.
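The article states only that DslogdRAT used XOR with an incrementing key; the exact scheme is not published here. The following added Python example, which is not code from the article, from JPCERT/CC or from the malware, assumes the simplest reading: each byte is XORed with a one-byte key that starts at a seed and increments by one per byte. It shows why such encoding gives an analyst little trouble: the transform is its own inverse, and a few bytes of known plaintext (a fixed protocol header, for instance) determine the seed by brute force. The sample message and seed are constructed.

```python
from typing import Optional


def xor_incrementing_key(data: bytes, seed: int) -> bytes:
    """XOR each byte with a key that starts at `seed` and increments by one per byte (mod 256).
    Assumed scheme, not the documented DslogdRAT algorithm. Applying it twice restores the input."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        out[i] = b ^ ((seed + i) & 0xFF)
    return bytes(out)


def recover_seed(encoded: bytes, known_prefix: bytes) -> Optional[int]:
    """Brute-force the 8-bit seed given a known plaintext prefix of the message."""
    for seed in range(256):
        if xor_incrementing_key(encoded[: len(known_prefix)], seed) == known_prefix:
            return seed
    return None


def decode_with_known_header(encoded: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Recover the seed from the header, then decode the whole message."""
    seed = recover_seed(encoded, known_prefix)
    return None if seed is None else xor_incrementing_key(encoded, seed)


# Constructed sample: a beacon that always begins with a fixed header.
SAMPLE_PLAINTEXT = b"HELLO beacon 12:00"
SAMPLE_SEED = 0x5A
SAMPLE_ENCODED = xor_incrementing_key(SAMPLE_PLAINTEXT, SAMPLE_SEED)

if __name__ == "__main__":
    print(recover_seed(SAMPLE_ENCODED, b"HELLO"))
    print(decode_with_known_header(SAMPLE_ENCODED, b"HELLO"))
```

Because the first key byte is simply `encoded[0] ^ plaintext[0]`, one byte of known plaintext is enough to pin the seed; the longer prefix only serves to confirm the guess. The defensive lesson is that XOR obfuscation hides traffic from casual inspection and string-based signatures, not from an analyst with a capture and a little context.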

In addition to DslogdRAT, forensic investigations revealed the presence of SPAWNSNARE malware, which is associated with the SPAWN malware family, previously linked to the UNC5221 threat group. While it’s unclear whether this malware is directly related to the CVE-2025-0282 exploit, the simultaneous presence of these threats highlights the increasingly complex nature of modern cyberattacks targeting remote access platforms.

JPCERT/CC has warned that the exploitation of CVE-2025-0282, along with other vulnerabilities such as CVE-2025-22457, poses a significant risk to organizations, urging them to stay vigilant, patch their systems, and remain aware of the evolving tactics used by threat actors.

What Undercode Says:

The CVE-2025-0282 vulnerability illustrates an alarming trend of cyberattacks targeting enterprise remote access systems. These platforms, which facilitate secure access to internal networks, are prime targets for threat actors looking to exploit weaknesses and infiltrate organizations. The exploitation of Ivanti Connect Secure appliances demonstrates how attackers are evolving in their techniques, making use of sophisticated malware like DslogdRAT to evade detection and persist on compromised systems for extended periods.

One of the key takeaways from this incident is the reliance on web shells as an entry point for attackers. Web shells are simple yet powerful tools that enable attackers to bypass traditional security defenses, offering them a relatively low-risk method to establish a foothold within a network. The use of a Perl-based web shell in this case highlights the attackers’ preference for lightweight and effective means of exploiting vulnerabilities. It’s also worth noting that these web shells can often go undetected due to their minimalistic nature and ability to blend in with legitimate network traffic.

The multi-stage nature of DslogdRAT adds another layer of complexity to the attack. By splitting the malware into separate child processes and using a sleep loop for persistence, the attackers can ensure that their presence on a compromised system remains hidden for long periods. This strategy makes detection much more challenging for security professionals who may be focused on immediate, more obvious threats.

Additionally, the time-based communication feature of DslogdRAT, which limits active interactions to business hours, is a noteworthy tactic. By reducing activity outside of typical working hours, the malware reduces the likelihood of being detected by automated security systems that are designed to flag anomalous behavior during off-hours. This tactic highlights how attackers are increasingly aware of the need to evade detection by security solutions, particularly as these systems become more advanced.
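Business-hours beaconing defeats off-hours anomaly rules, but it leaves a different fingerprint: connections to one destination that occur almost exclusively inside a fixed window and at a near-constant interval within each day. The following added Python example (not from the article or from JPCERT/CC) scores a list of connection timestamps for exactly that pattern, using the 8:00 AM to 8:00 PM window the article reports. The thresholds and the two sample timestamp sets are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import List, Optional

BUSINESS_START, BUSINESS_END = 8, 20  # 08:00-20:00 local time, the window reported for DslogdRAT


def business_hours_fraction(times: List[datetime]) -> float:
    """Share of connections whose local hour falls inside the business-hours window."""
    return sum(BUSINESS_START <= t.hour < BUSINESS_END for t in times) / len(times)


def intraday_gap_cv(times: List[datetime]) -> Optional[float]:
    """Coefficient of variation of gaps between consecutive connections on the same day.
    Overnight gaps are excluded so a sleep-until-morning beacon still looks periodic."""
    by_day = defaultdict(list)
    for t in sorted(times):
        by_day[t.date()].append(t)
    gaps = [(b - a).total_seconds()
            for day in by_day.values() for a, b in zip(day, day[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def classify(times: List[datetime], min_events: int = 10) -> str:
    """Flag a host as a suspected business-hours beacon when it connects often, almost only
    inside the window, and at a near-constant interval. Thresholds are illustrative."""
    if len(times) < min_events:
        return "insufficient-data"
    cv = intraday_gap_cv(times)
    if business_hours_fraction(times) >= 0.95 and cv is not None and cv < 0.2:
        return "suspected-beacon"
    return "normal"


def constructed_beacon(days: int = 2) -> List[datetime]:
    """Constructed sample: a 30-minute check-in from 08:00 to 19:30 each day, silent overnight."""
    start = datetime(2025, 1, 6, 8, 0)
    return [start + timedelta(days=d, minutes=30 * k)
            for d in range(days) for k in range(24)]


def constructed_normal(days: int = 2) -> List[datetime]:
    """Constructed sample: irregular activity spread across the whole day."""
    base = datetime(2025, 1, 6)
    offsets = [(1, 0), (3, 15), (9, 0), (14, 30), (22, 5)]
    return [base + timedelta(days=d, hours=h, minutes=m)
            for d in range(days) for h, m in offsets]


if __name__ == "__main__":
    for label, sample in (("beacon", constructed_beacon()), ("normal", constructed_normal())):
        print(label, classify(sample), round(business_hours_fraction(sample), 2),
              intraday_gap_cv(sample))
```

In practice the timestamps would come from proxy or firewall logs grouped by source host and destination, and the window should be expressed in the appliance's local time zone; real traffic from an appliance will also contain legitimate periodic connections (update checks, monitoring), so the score is a triage signal to pair with destination reputation and the integrity checks above, not a verdict on its own.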

The inclusion of SPAWNSNARE malware, linked to the SPAWN malware family, adds another layer of complexity to the situation. This suggests that threat actors may be working in tandem or sharing infrastructure to maximize the impact of their attacks. The continued presence of these threats underscores the evolving nature of cybercriminal operations, where multiple strains of malware are deployed in concert to create a more resilient attack strategy.

Fact Checker Results

Recent reports from JPCERT/CC validate the existence of the CVE-2025-0282 vulnerability, confirming the exploit was used in real-world attacks. The presence of both DslogdRAT and SPAWNSNARE malware on the same compromised systems further substantiates the findings. However, it remains unconfirmed whether the attacks were directly linked to the same threat group, suggesting ongoing investigations.

References:

Reported By: cyberpress.org