Ivanti | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances. According to a report published by JPCERT/CC today, the threat actors behind the exploitation of CVE-2025-0282 and CVE-2025-22457 in intrusions observed between December 2024 and July 2025 have weaponized the vulnerabilities to drop MDifyLoader, which is then used to launch Cobalt Strike in memory. CVE-2025-0282 is a critical security flaw in ICS that could permit unauthenticated remote code execution. It was addressed by Ivanti in early January 2025. CVE-2025-22457, patched in February 2025, concerns a stack-based buffer overflow that could be exploited to execute arbitrary code. Previous findings from JPCERT/CC have revealed that CVE-2025-0282, which was weaponized in the wild as a zero-day beginning mid-December 2024, has been leveraged to deliver malware families like...

The French cybersecurity agency on Tuesday revealed that a number of entities spanning governmental, telecommunications, media, finance, and transport sectors in the country were impacted by a malicious campaign undertaken by a Chinese hacking group by weaponizing several zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices. The campaign, detected at the beginning of September 2024, has been attributed to a distinct intrusion set codenamed Houken , which is assessed to share some level overlaps with a threat cluster tracked by Google Mandiant under the moniker UNC5174 (aka Uteus or Uetus). "While its operators use zero-day vulnerabilities and a sophisticated rootkit, they also leverage a wide number of open-source tools mostly crafted by Chinese-speaking developers," the French National Agency for the Security of Information Systems (ANSSI) said . "Houken's attack infrastructure is made up of diverse elements -- including commercial VPNs and d...

Ivanti has released security updates to address two security flaws in Endpoint Manager Mobile (EPMM) software that have been chained in attacks to gain remote code execution. The vulnerabilities in question are listed below - CVE-2025-4427 (CVSS score: 5.3) - An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials CVE-2025-4428 (CVSS score: 7.2) - A remote code execution vulnerability in Ivanti Endpoint Manager Mobile allowing attackers to execute arbitrary code on the target system An attacker that successfully exploits these flaws could chain them together to execute arbitrary code on a vulnerable device without authentication. The flaws impact the following versions of the product - 11.12.0.4 and prior (Fixed in 11.12.0.5) 12.3.0.1 and prior (Fixed in 12.3.0.2)  12.4.0.1 and prior (Fixed in 12.4.0.2) 12.5.0.0 and prior (Fixed in 12.5.0.1) Ivanti, which credited CERT-EU for reportin...

Cybersecurity researchers are warning about a new malware called DslogdRAT that's installed following the exploitation of a now-patched security flaw in Ivanti Connect Secure (ICS). The malware, along with a web shell, were "installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024," JPCERT/CC researcher Yuma Masubuchi said in a report published Thursday. CVE-2025-0282 refers to a critical security flaw in ICS that could allow unauthenticated remote code execution. It was addressed by Ivanti in early January 2025. However, the shortcoming has been exploited as a zero-day by a China-nexus cyber espionage group dubbed UNC5337 to deliver the SPAWN ecosystem of malware, as well as other tools like DRYHOOK and PHASEJAM. The deployment of the latter two malware strains has not been attributed to any known threat actor. Since then, both JPCERT/CC and the U.S. Cybersecurity and Infrastr...

The China-linked threat actor known as UNC5174 has been attributed to a new campaign that leverages a variant of a known malware dubbed SNOWLIGHT and a new open-source tool called VShell to infect Linux systems. "Threat actors are increasingly using open source tools in their arsenals for cost-effectiveness and obfuscation to save money and, in this case, plausibly blend in with the pool of non-state-sponsored and often less technical adversaries (e.g., script kiddies), thereby making attribution even more difficult," Sysdig researcher Alessandra Rizzo said in a report shared with The Hacker News. "This seems to hold especially true for this particular threat actor , who has been under the radar for the last year since being affiliated with the Chinese government." UNC5174, also referred to as Uteus (or Uetus), was previously documented by Google-owned Mandiant as exploiting security flaws in Connectwise ScreenConnect and F5 BIG-IP software to deliver a C-base...

Ivanti has disclosed details of a now-patched critical security vulnerability impacting its Connect Secure product that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-22457 (CVSS score: 9.0), concerns a case of a stack-based buffer overflow that could be exploited to execute arbitrary code on affected systems. "A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution," Ivanti said in an alert released Thursday. The flaw impacts the following products and versions - Ivanti Connect Secure (versions 22.7R2.5 and prior) - Fixed in version 22.7R2.6 (Patch released on February 11, 2025) Pulse Connect Secure (versions 9.1R18.9 and prior) - Fixed in version 22.7R2.6 (Contact Ivanti to migrate as the device has reached end-of-support as of December ...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has shed light on a new malware called RESURGE that has been deployed as part of exploitation activity targeting a now-patched security flaw in Ivanti Connect Secure (ICS) appliances. "RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior," the agency said . "The file contains capabilities of a rootkit, dropper, backdoor, bootkit, proxy, and tunneler." The security issue associated with the deployment of the malware is CVE-2025-0282 , a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways that could result in remote code execution. It impacts the following versions - Ivanti Connect Secure before version 22.7R2.5 Ivanti Policy Secure before version 22.7R1.2, and  Ivanti Neurons for ZTA gateways before version 22.7R2.3 According...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting Advantive VeraCore and Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-57968 - An unrestricted file upload vulnerability in Advantive VeraCore that allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx CVE-2025-25181 - An SQL injection vulnerability in Advantive VeraCore that allows a remote attacker to execute arbitrary SQL commands CVE-2024-13159 - An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information CVE-2024-13160 - An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information CVE-2024-13161 - An absolute path traversal vulnerability...

Ivanti has released security updates to address multiple security flaws impacting Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA) that could be exploited to achieve arbitrary code execution. The list of vulnerabilities is below - CVE-2024-38657 (CVSS score: 9.1) - External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files CVE-2025-22467 (CVSS score: 9.9) - A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution CVE-2024-10644 (CVSS score: 9.1) - Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution CVE-2024-47908 (CVSS score: 9.1) - Operating sy...

Cisco has released software updates to address a critical security flaw impacting Meeting Management that could permit a remote, authenticated attacker to gain administrator privileges on susceptible instances. The vulnerability, tracked as CVE-2025-20156, carries a CVSS score of 9.9 out 10.0. It has been described as a privilege escalation flaw in the REST API of Cisco Meeting Management. "This vulnerability exists because proper authorization is not enforced upon REST API users," the company said in a Wednesday advisory. "An attacker could exploit this vulnerability by sending API requests to a specific endpoint." "A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management." The networking equipment major credited Ben Leonard-Lagarde of Modux for reporting the security shortcoming. It affects the following versions of the product irrespective of device configuratio...

Ivanti has rolled out security updates to address several security flaws impacting Avalanche, Application Control Engine, and Endpoint Manager (EPM), including four critical bugs that could lead to information disclosure. All the four critical security flaws, rated 9.8 out of 10.0 on the CVSS scale, are rooted in EPM, and concern instances of absolute path traversal that allow a remote unauthenticated attacker to leak sensitive information. The flaws are listed below - CVE-2024-10811 CVE-2024-13161  CVE-2024-13160, and CVE-2024-13159 The shortcomings affect EPM versions 2024 November security update and prior, and 2022 SU6 November security update and prior. They have been addressed in EPM 2024 January-2025 Security Update and EPM 2022 SU6 January-2025 Security Update. Horizon3.ai security researcher Zach Hanley has been credited with discovering and reporting all four vulnerabilities in question. Also patched by Ivanti are multiple high-severity bugs in Avalanche vers...

Ivanti is warning that a critical security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA Gateways has come under active exploitation in the wild beginning mid-December 2024. The security vulnerability in question is CVE-2025-0282 (CVSS score: 9.0), a stack-based buffer overflow that affects Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3. "Successful exploitation of CVE-2025-0282 could lead to unauthenticated remote code execution," Ivanti said in an advisory . "Threat actor activity was identified by the Integrity Checker Tool (ICT) on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix." Also patched by the company is another high-severity flaw (CVE-2025-0283, CVSS score: 7.0) that allows a locally authenticated attacker to escalate their privileges. The vulnerabilities, addressed in version 22.7R2.5, imp...

Ivanti has released security updates to address multiple critical flaws in its Cloud Services Application (CSA) and Connect Secure products that could lead to privilege escalation and code execution. The list of vulnerabilities is as follows - CVE-2024-11639 (CVSS score: 10.0) - An authentication bypass vulnerability in the admin web console of Ivanti CSA before 5.0.3 that allows a remote unauthenticated attacker to gain administrative access CVE-2024-11772 (CVSS score: 9.1) - A command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.3 that allows a remote authenticated attacker with admin privileges to achieve remote code execution CVE-2024-11773 (CVSS score: 9.1) - An SQL injection vulnerability in the admin web console of Ivanti CSA before version 5.0.3 that allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements CVE-2024-11633 (CVSS score: 9.1) - An argument injection vulnerability in Ivanti Con...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting Ivanti Endpoint Manager (EPM) that the company patched in May to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2024-29824 , carries a CVSS score of 9.6 out of a maximum of 10.0, indicating critical severity. "An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code," the software service provider said in an advisory released on May 21, 2024. Horizon3.ai, which released a proof-of-concept (PoC) exploit for the flaw in June, said the issue is rooted in a function called RecordGoodApp() within a DLL named PatchBiz.dll. Specifically, it concerns how the function handles an SQL query statement, thereby allowing an attacker to gain remote code execution via xp_cmdshe...

Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild. The high-severity vulnerability in question is CVE-2024-8190 (CVSS score: 7.2), which allows remote code execution under certain circumstances. "An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution," Ivanti noted in an advisory released earlier this week. "The attacker must have admin level privileges to exploit this vulnerability." The flaw impacts Ivanti CSA 4.6, which has currently reached end-of-life status, requiring that customers upgrade to a supported version going forward. That said, it has been addressed in CSA 4.6 Patch 519. "With the end-of-life status this is the last fix that Ivanti will backport for this version," the Utah-based IT software company added. "Customers mus...

The MITRE Corporation has revealed that the cyber attack targeting the not-for-profit company towards late December 2023 by exploiting zero-day flaws in Ivanti Connect Secure (ICS) involved the threat actor creating rogue virtual machines (VMs) within its VMware environment. "The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access," MITRE researchers Lex Crumpton and Charles Clancy  said . "They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server's Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure." The motive behind such a move is to sidestep detection by obscuring their malicious activities from centralized management interfaces like vCenter and maintain persistent access while reducing the risk of being discovered. Details of the attack  emerged  last month when MITRE rev...

Ivanti on Tuesday rolled out fixes to address multiple critical security flaws in Endpoint Manager (EPM) that could be exploited to achieve remote code execution under certain circumstances. Six of the 10 vulnerabilities – from  CVE-2024-29822 through CVE-2024-29827  (CVSS scores: 9.6) – relate to SQL injection flaws that allow an unauthenticated attacker within the same network to execute arbitrary code. The remaining four bugs -- CVE-2024-29828, CVE-2024-29829, CVE-2024-29830, and CVE-2024-29846 (CVSS scores: 8.4) -- also fall under the same category with the only change being that they require the attacker to be authenticated. The shortcomings impact the Core server of Ivanti EPM versions 2022 SU5 and prior. The company has also  addressed  a high-severity security flaw in Avalanche version 6.4.3.602 (CVE-2024-29848, CVSS score: 7.2) that could permit an attacker to achieve remote code execution by uploading a specially crafted file. In addition, patches ha...