Unpatched Chaos: Ivanti Vulnerabilities Continue to Plague Japan’s Cybersecurity

Introduction: A Breach That Refuses to Die

Six months after critical vulnerabilities were publicly disclosed and patched by Ivanti, Japanese organizations continue to suffer from relentless cyberattacks. Despite available fixes, attackers—most notably Chinese-backed threat groups—are still exploiting the same remote code execution (RCE) flaws. This enduring cybersecurity crisis raises serious concerns not only about patch management but also about broader structural weaknesses in how Japanese entities handle their infrastructure. From legacy system limitations to third-party outsourcing complications, the issue is proving far more persistent and damaging than initially feared.

the Original

In early 2025, Ivanti, a widely used IT services provider, revealed two major vulnerabilities—CVE-2025-0282 and CVE-2025-22457—within its Connect Secure VPN software. Despite their critical severity ratings (9.0 and 9.8 out of 10 respectively), many systems, especially in Japan, remain unpatched. These vulnerabilities have allowed sustained attacks, predominantly by the Chinese-backed group UNC5221.

The exploit campaign started in December 2024 when these flaws were still zero-days. Attackers deployed a tool named SpawnChimera, which interestingly patched the very vulnerability it exploited to prevent rival hackers from gaining entry. Another malicious tool, DslogdRAT, was also deployed to maintain persistence and evade detection by operating during local business hours.

Later campaigns in March and April introduced new malware strains: MDifyLoader (a loader executing Cobalt Strike Beacons), Fscan (a network scanner with advanced EDR evasion), and vshell (a remote access Trojan with signs of Chinese origin).

The real challenge, however, lies in Japan’s widespread use of outdated Ivanti hardware. The end-of-life version 9.1x of Connect Secure cannot be upgraded due to hardware limitations, and the newer 22.x version requires a complete system overhaul or migration to Ivanti’s cloud-based ZTA platform. Because many Japanese organizations rely on third-party vendors for network management, the patching process is slower and more complex, contributing to the prolonged exploitation window.

A scan showed that Japan still has 327 vulnerable devices out of 384, with barely any progress in patch adoption. In contrast, the U.S. saw a modest decline in vulnerable systems from 852 to 540.

What Undercode Says: The Real Cost of Complacency

The ongoing exploitation of patched Ivanti vulnerabilities highlights a growing cybersecurity paradox: having a patch doesn’t mean you’re protected.

1. Patching

The situation in Japan underscores a disturbing reality—organizations aren’t failing due to lack of knowledge but because of outdated infrastructure and convoluted operational practices. If hardware can’t support new software, or if updates require expensive rip-and-replace efforts, many institutions opt for dangerous inertia.

2. Threat Actor Strategy: Precision and Patience

UNC5221 and associated malware strains like SpawnChimera and DslogdRAT represent a highly adaptive threat model. These actors don’t just exploit holes—they patch them after intrusion to monopolize access. That level of sophistication speaks to state-level backing and long-term operational goals, likely espionage or data exfiltration.

3. Outsourcing Without Oversight

Japan’s dependency on third-party IT vendors introduces complexity that dilutes responsibility. When an appliance is managed by a contractor several levels removed from the core organization, patching urgency is lost in the bureaucratic fog. This results in persistent vulnerabilities even when fixes exist.

4. Hardware Legacy as a National Weakness

Much of the issue revolves around legacy systems that simply can’t be updated. This is not just a Japanese problem; many global enterprises are caught in similar traps. But Japan’s numbers—327 unpatched devices in mid-2025—show that this is a national weak spot. Without significant investment in next-gen infrastructure or cloud migration, this attack vector will remain open.

5. Malware Evolution: From Breach to Ownership

Once initial access is gained, the attackers hand off access for deeper infiltration. This modular, multi-phase approach indicates a well-funded, highly coordinated offensive campaign. Malware like MDifyLoader and vshell not only evade detection but sustain long-term access. These aren’t smash-and-grab operations; they’re full-blown takeovers.

6. Cloud Migration Isn’t a Silver Bullet

While Ivanti encourages organizations to move to its cloud-based ZTA (Zero Trust Access) solution, migration is a long-term strategy, not an emergency patch. In the meantime, countless systems remain vulnerable, stuck between deprecation and modernization.

7. Global Implications

Though this issue is currently spotlighted in Japan, similar dynamics exist across APAC and EMEA regions where legacy systems and IT outsourcing are common. The persistence of these attacks suggests that other nations could be next unless proactive measures are taken.

8. The Bigger Picture: Operational Maturity in Cybersecurity

Ultimately, this story reveals a systemic failure in cyber hygiene, vendor accountability, and infrastructure readiness. It’s a warning not just to Japan, but to the entire global cybersecurity community: Patching is only half the battle. The other half is making sure those patches are physically, logistically, and economically deployable.

🔍 Fact Checker Results

✅ Fact 1: CVE-2025-0282 and CVE-2025-22457 were indeed patched by Ivanti in early 2025 but remain exploited due to hardware limitations.
✅ Fact 2: UNC5221 has been confirmed as the actor exploiting these bugs, per JPCERT/CC findings.
❌ Myth: All vulnerable systems can be patched immediately—many require full hardware replacement or cloud migration.

📊 Prediction: Persistent Threats Will Shift to New Vectors

If the hardware and procedural obstacles remain unaddressed, UNC5221 and other actors will continue to exploit Japan’s—and similar nations’—legacy tech stack. Worse, as new vulnerabilities emerge, attackers may diversify beyond Ivanti and begin targeting other infrastructure-level software vendors facing the same patch adoption bottlenecks. In the next 6–12 months, we may witness not just escalated exploitation but also expanded attacks into adjacent sectors like energy, healthcare, and logistics across Asia-Pacific.

References:

Reported By: www.darkreading.com