A severe vulnerability in Ivanti Connect Secure VPN, tracked as CVE-2025-0282, has been exploited by multiple threat actors to deploy advanced malware known as SPAWNCHIMERA.
Disclosed in January 2025, this stack-based buffer overflow vulnerability enables unauthenticated remote attackers to execute arbitrary code on affected systems.
With a CVSS score of 9.0, the flaw poses a significant risk to organizations relying on Ivanti’s remote access solutions.
The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) confirmed that exploitation began as early as December 2024, prior to public disclosure.
Attackers leveraged this vulnerability to infiltrate networks and install SPAWNCHIMERA, a sophisticated evolution of the SPAWN malware family previously identified by Google’s Mandiant team.
SPAWNCHIMERA: A Sophisticated Malware Variant
SPAWNCHIMERA integrates features from the earlier variants SPAWNANT, SPAWNMOLE, and SPAWNSNAIL, making it more evasive and capable of advanced operations.
Key technical enhancements include:
- Inter-Process Communication Changes: The malware replaces TCP-based communication with UNIX domain sockets located at /home/runtime/tmp/.logsrv, reducing visibility in network monitoring tools like netstat.
- Dynamic Vulnerability Fixing: Uniquely, SPAWNCHIMERA patches the exploited CVE-2025-0282 vulnerability by hooking the strncpy function and limiting its copy size to 256 bytes. This prevents subsequent exploitation by other attackers or proof-of-concept (PoC) scans.
- Enhanced Decoding Mechanisms: The malware encodes its private SSH key within the binary and decodes it at runtime using an XOR-based function. This eliminates file artifacts, leaving fewer forensic traces.
- Removal of Debug Messages: Debugging features have been stripped from both SPAWNCHIMERA and its associated payloads, complicating reverse engineering efforts.
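A UNIX domain socket is invisible to TCP-oriented netstat views, but the kernel still lists every bound UNIX socket in /proc/net/unix. The following Python hunt, added here as an illustration and not code from the article or from JPCERT/CC, parses that table and flags the /home/runtime/tmp/.logsrv path named above (or any hidden-file socket in that directory); the sample table is constructed.

```python
"""Hunt /proc/net/unix for the SPAWNCHIMERA IPC socket (added example)."""
from typing import Dict, List

SUSPECT_SOCKET = "/home/runtime/tmp/.logsrv"  # indicator reported in the article
ACCEPTCON_FLAG = 0x00010000                    # __SO_ACCEPTCON: socket is listening

# Constructed sample of /proc/net/unix. The .logsrv row is the planted hit;
# the last row is an unnamed (unbound) socket with no Path column.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12345 /run/systemd/journal/stdout
0000000000000001: 00000003 00000000 00000000 0001 03 12346 /run/dbus/system_bus_socket
0000000000000002: 00000002 00000000 00010000 0001 01 99001 /home/runtime/tmp/.logsrv
0000000000000003: 00000002 00000000 00000000 0001 03 99002
"""


def parse_proc_net_unix(text: str) -> List[Dict[str, object]]:
    """Parse /proc/net/unix rows; the trailing Path column is optional."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        parts = line.split(None, 7)     # at most 8 fields; Path may contain no spaces but be absent
        if len(parts) < 7:
            continue
        rows.append({
            "inode": int(parts[6]),
            "listening": bool(int(parts[3], 16) & ACCEPTCON_FLAG),
            "path": parts[7] if len(parts) == 8 else None,
        })
    return rows


def find_suspect_sockets(text: str, indicator: str = SUSPECT_SOCKET) -> List[Dict[str, object]]:
    """Return rows bound to the indicator path, or to a dot-file in the same directory."""
    directory = indicator.rsplit("/", 1)[0] + "/"
    hits = []
    for row in parse_proc_net_unix(text):
        path = row["path"]
        if path is None:
            continue
        hidden_sibling = path.startswith(directory) and path[len(directory):].startswith(".")
        if path == indicator or hidden_sibling:
            hits.append(row)
    return hits


if __name__ == "__main__":
    import pathlib
    try:
        table = pathlib.Path("/proc/net/unix").read_text()  # live host, if readable
    except OSError:
        table = SAMPLE_PROC_NET_UNIX
    for hit in find_suspect_sockets(table):
        print(f"suspicious UNIX socket inode={hit['inode']} listening={hit['listening']} path={hit['path']}")
```

Run it on an appliance shell to compare against the live table; a hit on a listening socket at that path is a strong indicator worth escalating alongside the ICT results.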
These advancements highlight the attackers’ focus on maintaining persistence while evading detection and analysis.
Broader Implications
The exploitation of CVE-2025-0282 underscores the growing sophistication of cyber threats targeting VPN appliances.
Researchers have linked some attacks to Chinese espionage groups, though attribution remains inconclusive for all incidents.
The use of encoded keys, self-patching mechanisms, and stealthier communication methods reflects a shift toward more advanced post-exploitation techniques.
Ivanti has released patches addressing CVE-2025-0282 and recommends immediate updates for all affected appliances.
Administrators are urged to apply these fixes and utilize Ivanti’s updated Integrity Checker Tool (ICT) to detect signs of compromise.
For compromised devices, a factory reset is advised before reapplying updates.
Organizations must remain vigilant against such sophisticated threats by implementing robust patch management practices and monitoring for suspicious activity across their networks.