CyberSecurity news

FlagThis - #ivanti

@cyble.com //
A China-linked Advanced Persistent Threat (APT) group, known as UNC5221, has been actively exploiting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software. Researchers from EclecticIQ have observed this group chaining two specific flaws, identified as CVE-2025-4427 and CVE-2025-4428, to target organizations across Europe, North America, and the Asia-Pacific region. These vulnerabilities allow for unauthenticated remote code execution, potentially granting the attackers deep access to compromised systems.

The targeted sectors include critical infrastructure such as telecommunications, healthcare, government, defense, finance, and aviation. The exploitation of these flaws began shortly after their disclosure, highlighting the speed at which UNC5221 moved to take advantage of the vulnerabilities. CISA has added the Ivanti EPMM flaw, among others, to its Known Exploited Vulnerabilities catalog, emphasizing the severity of the risk and urging organizations to apply necessary patches.

The attacks facilitate further intrusion and data exfiltration, potentially leading to significant breaches and compromise of sensitive information. This campaign underscores the ongoing threat posed by state-sponsored cyberespionage and the importance of proactive security measures to defend against such attacks.

Recommended read:
References :
  • securityaffairs.com: China-linked APT UNC5221 started exploiting Ivanti EPMM flaws shortly after their disclosure
  • ciso2ciso.com: China-linked APT exploit Ivanti EPMM flaws to target critical sectors across Europe, North America, and Asia-Pacific, according to EclecticIQ.
  • The Hacker News: Researchers from EclecticIQ observed a China-linked APT group that chained two Ivanti EPMM flaws, tracked as CVE-2025-4427 and CVE-2025-4428, in attacks against organizations in Europe, North America, and Asia-Pacific.

info@thehackernews.com (The@The Hacker News //
Chinese-speaking hackers have exploited a zero-day vulnerability, CVE-2025-0994, in Trimble Cityworks software to breach multiple local governing bodies across the United States. This vulnerability, a remote code execution flaw, has been actively exploited since January 2025 by a threat actor tracked as UAT-6382. The attackers targeted enterprise networks of local governing bodies, conducting reconnaissance and deploying web shells and custom-made malware to maintain long-term access, with a particular interest in systems related to utilities management.

UAT-6382 utilized a variety of tools and techniques in their attacks. They rapidly deployed web shells such as AntSword and chinatso/Chopper on the underlying IIS web servers. Additionally, they employed Rust-based loaders, known as TetraLoader, to deliver Cobalt Strike and VShell malware, ensuring persistent access to compromised systems. The TetraLoader was built using MaLoader, a malware building framework written in Simplified Chinese, further indicating the origin of the threat actor.

Cisco Talos researchers have assessed with high confidence that UAT-6382 is a Chinese-speaking threat actor, based on tooling, TTPs, hands-on-keyboard activity, and victimology. Indicators of compromise (IOCs) related to these intrusions overlap with those listed in Trimble’s advisory. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalog in February 2025. The exploitation of this flaw highlights the risk of nation-state actors targeting critical infrastructure software used by U.S. local governments and utilities.

Recommended read:
References :
  • Cisco Talos Blog: Talos has observed exploitation of CVE-2025-0994 in the wild by UAT-6382, a Chinese-speaking threat actor, who then deployed malware payloads via TetraLoader.
  • securityonline.info: Critical 0-Day: Cityworks Flaw Actively Exploited by Chinese APT UAT-6382
  • The Hacker News: Chinese Hackers Exploit Trimble Cityworks Flaw to Infiltrate U.S. Government Networks
  • BleepingComputer: Chinese hackers breach US local governments using Cityworks zero-day
  • bsky.app: Cisco Talos says a group tracked as UAT-6382 has used a recent Trimble CityWorks zero-day (CVE-2025-0944) to breach local governing bodies in the US
  • securityonline.info: SecurityOnline.info article on critical 0-day Cityworks flaw exploited by Chinese APT UAT-6382
  • malware.news: Trimble Cityworks zero-day attacks on US local governments detailed
  • The DefendOps Diaries: Chinese Hackers Exploit Cityworks Zero-Day Vulnerability in US Local Governments
  • www.scworld.com: Trimble Cityworks zero-day attacks on US local governments detailed
  • The DefendOps Diaries: Exploitation of Ivanti EPMM Vulnerabilities by Chinese Hackers: A Detailed Analysis
  • BleepingComputer: Ivanti EPMM flaw exploited by Chinese hackers to breach govt agencies
  • securityaffairs.com: Chinese threat actors exploited Trimble Cityworks flaw to breach U.S. local government networks
  • www.csoonline.com: A now-patched high-severity security flaw affecting Trimble Cityworks — a specialized software used by local governments in the US, utilities, and public agencies to manage their infrastructure and community services—was abused by Chinese hackers to compromise systems before a patch was available.
  • blog.talosintelligence.com: UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware
  • www.techradar.com: The Chinese used the Cityworks bug to deploy Cobalt Strike beacons and backdoors.
  • www.cybersecuritydive.com: Cisco Talos researchers attribute the exploitation of the CVE-2025-0994 in Trimble Cityworks to Chinese-speaking threat actor UAT-6382, based on tools and TTPs used in the intrusions.
  • www.csoonline.com: A now-patched high-severity security flaw affecting Trimble Cityworks — a specialized software used by local governments in the US, utilities, and public agencies to manage their infrastructure and community services—was abused by Chinese hackers to compromise systems before a patch was available.
  • Blog: The Chinese-speaking cyber-espionage group identified as UAT-6382 has been observed exploiting a critical vulnerability in Trimble's Cityworks software to infiltrate U.S. government networks.
  • StateScoop: Report: Chinese hackers used Cityworks vulnerability to deliver malware
  • Cisco Talos Blog: Hazel observes that cybercriminals often fumble teamwork, with fragile alliances crumbling over missed messages. Plus, how UAT-6382 is exploiting Cityworks and what you can do to stay secure.
  • hackread.com: Warnings on active exploitation of a zero-day vulnerability (CVE-2025-0994) in Cityworks.

@securityonline.info //
A new wave of cyberattacks has been detected targeting Ivanti Connect Secure VPN devices, exploiting the zero-day vulnerability CVE-2025-0282. This vulnerability is being leveraged to deploy a previously unseen malware called DslogdRAT, along with a Perl-based web shell. The attacks, which initially targeted organizations in Japan around December 2024, involve the web shell being used for remote command execution, ultimately leading to the installation of DslogdRAT for persistence and command-and-control (C2) communication. Researchers at JPCERT/CC have been closely analyzing this malware and the methods used in these attacks.

The attack sequence begins with the exploitation of the CVE-2025-0282 vulnerability. Once exploited, a Perl web shell is deployed, which is used to execute commands, including those that lead to the installation of DslogdRAT. DslogdRAT establishes a socket connection with an external server, transmitting basic system information and awaiting further instructions. This allows attackers to execute shell commands, upload and download files, and even use the compromised host as a proxy. The malware is designed to operate primarily during business hours, likely to avoid detection, and uses a simple XOR-based encoding method to protect its communication with the C2 server.

Notably, the SPAWNSNARE backdoor has also been observed on systems compromised in these attacks. While it is unclear whether the DslogdRAT campaign is connected to previous attacks involving the SPAWN malware family attributed to the Chinese hacking group UNC5221, the use of CVE-2025-0282 as an initial access vector is a common thread. Furthermore, threat intelligence firms have noted a significant increase in scanning activity targeting Ivanti ICS and Ivanti Pulse Secure appliances, suggesting a coordinated reconnaissance effort that could precede further exploitation attempts. Users of Ivanti Connect Secure VPN devices are strongly advised to apply the available patches and monitor their systems for any signs of compromise.

Recommended read:
References :
  • blogs.jpcert.or.jp: JPCERT/CC: DslogdRAT malware targeting Ivanti Connect Secure
  • thecyberexpress.com: The Cyber Express on DslogdRAT Malware
  • The Hacker News: The Hacker News on DslogdRAT Malware
  • bsky.app: Japan's CERT looks at DslogdRAT, a web shell deployed on hacked Ivanti Connect Secure devices
  • securityaffairs.com: SecurityAffairs: JPCERT warns of DslogdRAT malware deployed in Ivanti Connect Secure
  • cyberpress.org: CyberPress on Ivanti Connect Secure 0-Day Exploited by Hackers to Install DslogdRAT and Web Shell
  • securityonline.info: SecurityOnline: DslogdRAT Malware Targets Ivanti Connect Secure via CVE-2025-0282 Zero-Day Exploit
  • securityonline.info: DslogdRAT Malware Targets Ivanti Connect Secure via CVE-2025-0282 Zero-Day Exploit
  • BleepingComputer: BleepingComputer reports about DslogdRAT Malware being deployed via IVANTI zero day
  • gbhackers.com: Hackers Exploited Ivanti Connect Secure 0-Day to Deploy DslogdRAT and Web Shell

@cloud.google.com //
A Chinese cyber-espionage group, identified as UNC5221, is actively exploiting a zero-day vulnerability, CVE-2025-22457, in Ivanti Connect Secure. UNC5221 is suspected to be a China-nexus cyber-espionage group known for aggressively targeting edge network devices, such as VPNs, firewalls, and routers, with zero-day exploits since at least 2023. This vulnerability allows for unauthenticated remote code execution, giving attackers the ability to gain unauthorized access to organizations’ networks. The group has a history of quickly leveraging new flaws in Ivanti's Pulse Connect Secure/Ivanti Connect Secure (ICS) VPN appliances.

The latest campaign, launched in mid-March 2025, involves deploying the BRICKSTORM backdoor in targeted cyberespionage campaigns across Europe, including U.S.-based targets. This backdoor has evolved, with the Windows version now leveraging network tunneling capabilities and valid credentials to compromise Remote Desktop Protocol and Server Message Block, unlike the original Linux-targeting payload. The campaign is part of a broader trend of Chinese state-sponsored attackers focusing on internet-facing infrastructure for espionage, impacting government and enterprise networks globally.

Ivanti released a patch for CVE-2025-22457 on April 3, 2025, which affects Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways. The vulnerability is a stack-based buffer overflow that can be exploited by sending a crafted HTTP request with an overly long X-Forwarded-For header. CISA has added the CVE to its Known Exploited Vulnerabilities (KEV) catalog and recommends immediate action. Organizations using vulnerable Ivanti devices are strongly advised to apply the patch immediately and continuously monitor their external attack surface.

Recommended read:
References :
  • watchTowr Labs: Watchtowr description
  • Resources-2: Who Is the China-Nexus Group UNC5221? UNC5221 is a suspected China-nexus cyber-espionage group known for aggressively targeting edge network devices (VPNs, firewalls, routers) with zero-day exploits since at least 2023 .
  • www.scworld.com: Organizations across Europe are having their Windows systems compromised with the BRICKSTORM backdoor linked to Chinese state-backed threat operation UNC5221 as part of a cyberespionage campaign that commenced three years ago, Infosecurity Magazine reports.
  • blog.criminalip.io: Response Strategy for Ivanti VPN Vulnerability CVE-2025-22457: CTI-Based Attack Surface Detection
  • Threat Intelligence: Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457)
  • thecyberexpress.com: DslogdRAT Malware Deployed in Ivanti Connect Secure Zero-Day Campaign
  • The Hacker News: Cybersecurity researchers are warning about a new malware called DslogdRAT that's installed following the exploitation of a now-patched security flaw in Ivanti Connect Secure (ICS).
  • securityaffairs.com: JPCERT warns of DslogdRAT malware deployed in Ivanti Connect Secure
  • cloud.google.com: Written by: John Wolfram, Michael Edie, Jacob Thompson, Matt Lin, Josh Murchie On Thursday, April 3, 2025, Ivanti a critical security vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure (“ICSâ€) VPN appliances version 22.7R2.5 and earlier.

Pierluigi Paganini@securityaffairs.com //
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP, to its Known Exploited Vulnerabilities (KEV) catalog. This decision follows confirmed active exploitation of the vulnerability in the wild, targeting multiple sectors including retail, marketing, and semiconductor industries. The flaw, present in versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, allows unauthenticated remote attackers to potentially take over susceptible instances of CrushFTP file transfer software if exposed publicly over HTTP(S).

The vulnerability stems from a weakness in the HTTP authorization header, enabling attackers to authenticate to any known or guessable user account, such as "crushadmin," potentially leading to a full system compromise. CrushFTP released fixes for the issue in versions 10.8.4 and 11.3.1, urging customers to update their systems immediately. Initial disclosure of the vulnerability has been controversial, with accusations of premature disclosure and attempts to conceal the issue to allow time for patching. Despite the controversy, the inclusion of CVE-2025-31161 in the KEV catalog signifies its high risk and the need for immediate action.

SecurityWeek reports that the ongoing exploitation of the vulnerability has seen attackers deploying tools like MeshAgent for remote monitoring and DLL files indicative of Telegram bot utilization for data exfiltration. In some instances, AnyDesk has been installed prior to the deployment of SAM and System registry hives for credential compromise. FortiGuard Labs has also observed in-the-wild attack attempts targeting CVE-2025-31161. Although Shadowserver Foundation reports a decline in attacks since patches were issued on March 21, 2025, the CISA's warning and inclusion in the KEV catalog emphasize the persistent threat and the critical need for organizations to apply the necessary updates.

Recommended read:
References :
  • The Hacker News: CISA Adds CrushFTP Vulnerability to KEV Catalog Following Confirmed Active Exploitation
  • www.cybersecuritydive.com: CISA adds Ivanti Connect Secure vulnerability to KEV catalog
  • fortiguard.fortinet.com: FortiGuard Labs has observed in-the-wild attack attempts targeting CVE-2025-31161, an authentication bypass vulnerability in CrushFTP managed file transfer (MFT) software
  • securityboulevard.com: Imperva Customers Are Protected Against CVE-2025-31161 in CrushFTP
  • www.scworld.com: Attacks involving critical CrushFTP vulnerability target several sectors
  • DataBreaches.Net: CISA, experts warn of Crush file transfer attacks after a controversial disclosure

Rescana@Rescana //
CISA has issued an urgent warning regarding a critical authentication bypass vulnerability, CVE-2025-31161, in CrushFTP, a widely-used file transfer server solution. The agency has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling that it is actively being exploited in the wild. This flaw allows attackers to bypass authentication mechanisms and potentially gain unauthorized administrative access to vulnerable CrushFTP servers, posing significant risks to both government agencies and private organizations. Federal cybersecurity officials are urging immediate action to mitigate the threat.

The vulnerability, which affects CrushFTP server versions before 10.8.4 and 11.3.1, stems from improper validation of authentication tokens in the CrushFTP login process. An attacker can manipulate HTTP request parameters to gain unauthorized administrative access. CISA’s advisory highlights that exploitation could lead to a full system compromise. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate this vulnerability by April 28, 2025, emphasizing the severity of the risk.

CISA strongly encourages all organizations, including private sector entities and state governments, to prioritize patching CVE-2025-31161 and adopt similar vulnerability management strategies. To mitigate the risk, organizations using CrushFTP should immediately apply available patches or updates issued by the software's developers. Additionally, reviewing system logs for any unusual activity is advised. The Cybersecurity and Infrastructure Security Agency emphasizes that this authentication bypass vulnerability represents a severe security risk, potentially allowing complete compromise of affected CrushFTP servers, and has observed sophisticated threat actors actively exploiting it to establish persistent access to critical systems.

Recommended read:
References :
  • Cyber Security News: CISA Warns of CrushFTP Authentication Bypass Vulnerability Exploited in Attacks
  • thecyberexpress.com: CISA Warns of CrushFTP Exploit Letting Attackers Bypass Authentication
  • The Hacker News: CISA Adds CrushFTP Vulnerability to KEV Catalog Following Confirmed Active Exploitation
  • ciso2ciso.com: CISA Warns of CrushFTP Vulnerability Exploitation in the Wild – Source: www.infosecurity-magazine.com
  • cyberpress.org: CISA Warns of CrushFTP Authentication Bypass Vulnerability Exploited in Attacks
  • gbhackers.com: CISA Alerts on Actively Exploited CrushFTP Authentication Bypass Vulnerability
  • gbhackers.com: CISA Alerts on Actively Exploited CrushFTP Authentication Bypass Vulnerability
  • fortiguard.fortinet.com: FortiGuard Labs has observed in-the-wild attack attempts targeting CVE-2025-31161, an authentication bypass vulnerability in CrushFTP managed file transfer (MFT) software.
  • www.scworld.com: Attacks involving critical CrushFTP vulnerability target several sectors

do son@Daily CyberSecurity //
CISA has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing a new malware variant named RESURGE, which exploits a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282). The analysis indicates that RESURGE exhibits capabilities similar to the SPAWNCHIMERA malware, including surviving system reboots, but contains distinctive commands that alter its behavior. According to CISA, RESURGE can create web shells, manipulate integrity checks, and modify files, enabling credential harvesting, account creation, password resets, and escalating permissions.

RESURGE can also copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image, ensuring persistence and unauthorized access. CISA strongly advises organizations using Ivanti Connect Secure devices to take immediate action to mitigate this threat by applying security patches for CVE-2025-0282, monitoring network traffic for unusual SSH connections, and implementing robust logging practices to detect tampering attempts. The vulnerability, CVE-2025-0282, is a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways that could result in remote code execution.

Recommended read:
References :
  • securityonline.info: CISA Warns of RESURGE Malware: Exploiting Ivanti Vulnerability
  • Cyber Security News: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing the exploitation of a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282).
  • bsky.app: CISA has published a technical report on RESURGE, a web shell installed on Ivanti Connect Secure devices via CVE-2025-0282
  • thehackernews.com: RESURGE Malware Exploits Ivanti Flaw with Rootkit and Web Shell Features
  • securityaffairs.com: CISA warns of RESURGE malware exploiting Ivanti flaw
  • Help Net Security: CISA has released indicators of compromise, detection signatures, and updated mitigation advice for rooting out a newly identified malware variant used by the attackers who breached Ivanti Connect Secure VPN appliances in December 2024 by exploiting the CVE-2025-0282 zero-day.
  • : It’s the end of March 2025...of course CISOs still need to worry about Ivanti Connect Secure flaws.
  • www.cybersecuritydive.com: CVE-2025-0282, a critical vulnerability that affects Ivanti’s Connect Secure, Policy Secure and ZTA Gateway products, was disclosed and patched in January.
  • : CISA recommends immediate action to address malware variant RESURGE exploiting Ivanti vulnerability CVE-2025-0282
  • thecyberexpress.com: CISA Details New Malware Used in Ivanti Attacks
  • Sam Bent: A newly discovered malware named RESURGE is targeting Ivanti Connect Secure vulnerabilities, delivering stealth capabilities like rootkits and web shells. Tied to China-linked espionage groups.
  • The Register - Security: CISA spots spawn of Spawn malware targeting Ivanti flaw
  • Arctic Wolf: CVE-2025-22457: Ivanti Connect Secure VPN Vulnerable to Zero-Day RCE Exploitation
  • cert.europa.eu: 2025-016: Critical Vulnerability in Ivanti Products
  • securityonline.info: CVE-2025-22457: UNC5221 Exploits Ivanti Zero-Day Flaw to Deploy TRAILBLAZE and BRUSHFIRE Malware
  • Help Net Security: Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457)
  • securityaffairs.com: China-linked group UNC5221 exploited Ivanti Connect Secure zero-day since mid-March
  • The Register - Security: Suspected Chinese spies right now hijacking buggy Ivanti gear – for third time in 3 years
  • www.bleepingcomputer.com: Ivanti patches Connect Secure zero-day exploited since mid-March
  • BleepingComputer: Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025.
  • Threats | CyberScoop: China-backed espionage group hits Ivanti customers again
  • www.scworld.com: Mandiant warns of attacks on newly-disclosed Ivanti remote takeover threat
  • The Hacker News: Critical Ivanti Flaw Actively Exploited to Deploy TRAILBLAZE and BRUSHFIRE Malware
  • bsky.app: Mandiant links the exploitation of a Connect Secure vulnerability to a China-linked APT (UNC5221).
  • bsky.app: Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025.
  • research.kudelskisecurity.com: CVE-2025-22457: Critical Ivanti Connect Secure Vulnerability
  • Arctic Wolf: Ivanti disclosed a critical zero-day vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways
  • Vulnerable U: The vulnerability affects many versions of Ivanti appliances and is being exploited by a Chinese actor
  • darkwebinformer.com: CVE-2025-22457: April Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-22457)

Mandvi@Cyber Security News //
CISA has added three critical Ivanti Endpoint Manager (EPM) flaws to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. The affected vulnerabilities are CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161. These flaws are absolute path traversal vulnerabilities that could allow remote, unauthenticated attackers to fully compromise vulnerable servers, potentially granting unauthorized access to sensitive information. Federal agencies have been given until March 31, 2025, to apply the necessary patches and mitigate these threats.

CISA urges all organizations, including those in the private sector, to prioritize timely remediation of these Ivanti EPM vulnerabilities. Security experts warn that delays in patching can lead to full domain compromise, credential theft, and lateral movement by malicious actors. Given the recent history of Ivanti vulnerabilities, proactive security measures and rapid patching are essential to defend against potential attacks. The large market share of Ivanti products makes them a prime target for malicious actors, emphasizing the importance of immediate patching and continuous hardening of systems.

Recommended read:
References :
  • BleepingComputer: CISA tags critical Ivanti EPM flaws as actively exploited in attacks
  • : CISA Urges All Organizations to Patch Exploited Critical Ivanti Vulnerabilities
  • www.scworld.com: 3 Ivanti flaws added to CISA list of known exploited vulnerabilities
  • The DefendOps Diaries: Addressing Critical Vulnerabilities in Ivanti Endpoint Manager
  • www.cybersecuritydive.com: CISA: 3 Ivanti endpoint vulnerabilities exploited in the wild
  • Cyber Security News: CISA Adds 3 Ivanti Endpoint Manager Flaws to Exploited Vulnerabilities Catalog