Chinese Hackers Exploiting Ivanti VPN Flaws to Breach Global Networks

In late March 2025, cybersecurity firm TeamT5 uncovered a sophisticated cyberattack campaign orchestrated by a China-nexus Advanced Persistent Threat (APT) group.

The attackers exploited critical vulnerabilities in Ivanti Connect Secure VPN appliances to infiltrate networks across multiple industries and countries.

The campaign highlights the growing threat posed by state-sponsored cyber actors leveraging advanced tools and techniques to compromise sensitive systems worldwide.

Global Victimology

The scope of the attack is alarming, with victims spanning nearly twenty industries across twelve countries.

The affected nations include Austria, Australia, France, Spain, Japan, South Korea, the Netherlands, Singapore, Taiwan, the United Arab Emirates, the United Kingdom, and the United States.

Targeted industries range from critical infrastructure sectors like telecommunications and financial institutions to sensitive entities such as government organizations, intergovernmental organizations (IGOs), and non-governmental organizations (NGOs).

Other impacted sectors include automotive, chemical, construction, electronics, education, information security, law firms, manufacturing, media, gambling, materials research institutes, and conglomerates.

This broad victim profile underscores the breadth of the campaign rather than any narrow targeting, and its potential to disrupt essential services globally.

Exploiting Critical Vulnerabilities

TeamT5’s analysis revealed that the attackers likely exploited two critical vulnerabilities in Ivanti Connect Secure VPN appliances: CVE-2025-0282 and CVE-2025-22457.

Both vulnerabilities are stack buffer overflow flaws reachable without authentication, each carrying a Common Vulnerability Scoring System (CVSS) score of 9.0, indicating their high severity.

Successful exploitation enables remote code execution (RCE), allowing attackers to infiltrate internal networks and implant malware.

The attackers employed a specialized malware toolkit known as SPAWNCHIMERA.

This tool is specifically designed for Ivanti Connect Secure VPN appliances and incorporates functionalities from the notorious SPAWN malware family. Components of SPAWNCHIMERA include:

  • SPAWNANT: An installer module
  • SPAWNMOLE: A SOCKS5 tunneler
  • SPAWNSNAIL: An SSH backdoor
  • SPAWNSLOTH: A log wiper for erasing evidence

These tools enable attackers to maintain persistent access while evading detection through multi-layered command-and-control (C2) infrastructure and log-wiping capabilities.

Wider Implications

TeamT5 has observed increased exploitation attempts against Ivanti VPN appliances since April 2025. While many of these attempts failed, some devices became unresponsive or unstable as a result: a stack buffer overflow that does not achieve code execution typically crashes the targeted process, so even unsuccessful attempts can disrupt the appliance.

TeamT5 warns that other threat actors may have obtained information about these vulnerabilities and could launch similar campaigns targeting Ivanti VPN appliances.

The versatile tactics, techniques, and procedures (TTPs) utilized by the attackers make detection particularly challenging without specialized detection capability and expertise.

Their ability to evade monitoring mechanisms and erase traces of their activity further complicates incident response efforts.

Recommendations for Affected Organizations

TeamT5 strongly advises organizations using Ivanti Connect Secure VPN appliances to conduct thorough incident investigations to assess potential compromise.

Immediate actions include:

  1. Patching systems to the versions Ivanti lists as fixed for CVE-2025-0282 and CVE-2025-22457. Patching alone does not remove an implant that is already on the appliance, so preserve logs and evidence and investigate before or alongside patching.
  2. Monitoring network traffic to and from the appliances for signs of malicious activity, in particular SOCKS proxying or SSH sessions the appliance should not be originating, which match the SPAWNMOLE and SPAWNSNAIL components described above.
  3. Employing advanced threat detection tools capable of identifying stealthy TTPs, bearing in mind that SPAWNSLOTH wipes local logs, so appliance logs alone cannot be relied on.
  4. Seeking professional cybersecurity assistance if needed.
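The first step above depends on knowing which appliances are still on a vulnerable build. The script below is an added example, not code from TeamT5, Ivanti or Cyber Press: it parses Ivanti Connect Secure version strings (the "22.7R2.5" format), compares them against the builds in which each CVE was fixed, and triages a small inventory. The fixed versions (22.7R2.5 for CVE-2025-0282 and 22.7R2.6 for CVE-2025-22457) are taken from Ivanti's advisories and should be verified against the current advisory before use; the inventory, hostnames, and the decision to treat the end-of-support 9.x line as exposed to both CVEs are assumptions made for the example. Policy Secure and ZTA gateways have their own fixed versions and are not covered.

```python
import re
from typing import Dict, List, Tuple

# Builds in which Ivanti's advisories state each CVE was fixed in Ivanti
# Connect Secure (ICS). Assumption: confirm against the current advisory;
# Policy Secure and ZTA gateways have different fixed versions.
FIXED_IN: Dict[str, Tuple[int, int, int, int]] = {
    "CVE-2025-0282": (22, 7, 2, 5),   # fixed in ICS 22.7R2.5
    "CVE-2025-22457": (22, 7, 2, 6),  # fixed in ICS 22.7R2.6
}

# ICS versions look like "22.7R2.5" (major.minor R release.patch); the patch
# component may be absent, as in "22.7R2".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_ics_version(version: str) -> Tuple[int, int, int, int]:
    """Turn an ICS version string into a tuple that compares correctly."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti Connect Secure version: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def exposed_cves(version: str) -> List[str]:
    """Return the CVEs an appliance at this version is still exposed to.

    A 22.x appliance is exposed to a CVE if it is older than the fixed build.
    Older lines such as 9.1R18.x are end-of-support and receive no fix, so
    they are reported as exposed to everything (assumption: treat as must-upgrade).
    """
    v = parse_ics_version(version)
    if v[0] < 22:
        return list(FIXED_IN)
    return [cve for cve, fixed in FIXED_IN.items() if v < fixed]


def triage_inventory(inventory: str) -> Dict[str, List[str]]:
    """Map each 'hostname version' line of an inventory to its exposed CVEs."""
    result: Dict[str, List[str]] = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = line.split()
        result[host] = exposed_cves(version)
    return result


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = """\
# host        ICS version
vpn-ams-01    22.7R2.4
vpn-sin-02    22.7R2.5
vpn-nyc-03    22.7R2.6
vpn-tpe-04    9.1R18.9
"""

if __name__ == "__main__":
    for host, cves in triage_inventory(SAMPLE_INVENTORY).items():
        status = ", ".join(cves) if cves else "patched for both CVEs"
        print(f"{host}: {status}")
```

A version check answers only whether a patch is missing. It says nothing about whether the appliance was already compromised before the patch landed, which is why TeamT5 puts incident investigation ahead of the other steps; an appliance that reports a fixed build can still be carrying a SPAWN implant.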

This incident serves as a stark reminder of the critical importance of proactive cybersecurity measures in mitigating risks posed by increasingly sophisticated threat actors.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
