Ivanti Vulnerabilities Exploited Maliciously

While organizations were busy implementing their 2025 security plans, a new malware variant named RESURGE emerged to wreck their peace of mind. Discovered by CISA in March 2025, this nasty piece of work targets Ivanti Connect Secure appliances through the CVE-2025-0282 vulnerability. Great timing, hackers. Really.

RESURGE isn’t just your run-of-the-mill malware. It’s the Swiss Army knife of digital threats – functioning as a rootkit, dropper, backdoor, bootkit, proxy, and tunneler all wrapped into one devastating package. It builds on capabilities from its predecessor, SPAWNCHIMERA, but with fancy new tricks. Because apparently, the old ways of breaking into systems weren’t efficient enough. The initial setup costs for comprehensive protection against such sophisticated threats can range from $100,000 to $700,000 for organizations.

RESURGE: where hackers packed six malware functionalities into one nightmare because they’re overachievers like that.

The vulnerability itself is a stack-based buffer overflow affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways versions before 22.7R2.5. Translation: unauthenticated remote code execution. No password needed. Just walk right in and make yourself at home. Darktrace’s Threat Research team identified suspicious activity linked to this vulnerability as early as December 2024, 11 days before Ivanti’s public disclosure.
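To turn that "versions before 22.7R2.5" line into something an asset owner can run against an inventory, here is an added example (not code from the original post, Ivanti, or CISA) that parses Ivanti-style version strings and flags appliances still below the fixed build. It assumes, as a labelled assumption, that versions order numerically by major.minor, then the R release number, then the patch number, with a missing patch treated as 0; hostnames and versions in the sample are constructed.

```python
import re
from typing import List, Tuple

# Fixed build named in the text: ICS, IPS and ZTA Gateway builds before this are affected.
FIXED_VERSION = "22.7R2.5"

# Matches strings such as "22.7R2.5" or "22.7R2" (patch component optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse an Ivanti-style version string into a sortable (major, minor, release, patch) tuple.

    Assumption (not stated in the post): versions compare numerically in that order,
    and a missing patch number counts as 0.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the appliance runs a build older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return entries from (hostname, version) pairs that still need patching.

    Unparseable versions are reported rather than skipped, so nothing drops off the list.
    """
    needs_patch = []
    for host, version in inventory:
        try:
            if is_vulnerable(version):
                needs_patch.append(host)
        except ValueError:
            needs_patch.append(f"{host} (unparseable version {version!r}, verify manually)")
    return needs_patch


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("vpn-gw-01.example.internal", "22.7R2.4"),
    ("vpn-gw-02.example.internal", "22.7R2.5"),
    ("vpn-gw-03.example.internal", "22.6R2.3"),
    ("vpn-gw-04.example.internal", "22.7R2"),
    ("vpn-gw-05.example.internal", "22.7R3.1"),
    ("vpn-gw-06.example.internal", "unknown"),
]

if __name__ == "__main__":
    for entry in triage_inventory(SAMPLE_INVENTORY):
        print("NEEDS PATCH:", entry)
```

A version string that matches the fixed build only tells you the patch is installed; CISA's guidance on the page (integrity check, clean-image reset, credential reset) still applies to any appliance that was exposed while vulnerable.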

What makes RESURGE particularly devious is its persistence. It creates web shells, manipulates integrity checks, and even modifies the running coreboot image. It’s like a digital cockroach – nearly impossible to exterminate. The malware also employs BusyBox tools for downloading and executing payloads, making it extremely versatile in attack scenarios.

The malware goes as far as tampering with logs through a SPAWNSLOTH variant called liblogblock.so. Covering tracks is Hacking 101, folks.

CISA has linked this activity to Chinese threat actors who’ve been exploiting the vulnerability since at least December 2024. They’re not amateurs. They chain multiple vulnerabilities, move laterally across networks, and use living-off-the-land techniques to avoid detection.

Ivanti responded by releasing patches and an Integrity Checking Tool, while CISA recommends factory resets using clean images followed by credential resets. CISA is also urging victims to report incidents to its 24/7 Operations Center.

The takeaway? Update your Ivanti products. Now. Not tomorrow, not next week. Because while you’re scheduling that maintenance window, hackers are already scheduling their next data exfiltration.
