Categories: Cyber Security News

Chinese Hackers Exploit Ivanti VPN Vulnerabilities to Infiltrate Organizations

A China-linked advanced persistent threat (APT) group has exploited critical vulnerabilities in Ivanti Connect Secure VPN appliances to infiltrate organizations across 12 countries and 20 industries, cybersecurity firm TeamT5 revealed in a report shared with Cyber Security News.

The campaign, active since late March 2025, leverages the CVE-2025-0282 and CVE-2025-22457 vulnerabilities, both stack-based buffer overflow flaws with maximum CVSS scores of 9.0, to deploy the SPAWNCHIMERA malware suite and establish persistent network access.

The attacks impacted entities in Austria, Australia, France, Spain, Japan, South Korea, the Netherlands, Singapore, Taiwan, the UAE, the UK, and the U.S. Targeted industries span high-value sectors such as government agencies, financial institutions, telecommunications, law firms, and intergovernmental organizations, TeamT5 said.

The threat actors maintained covert access to victim networks for weeks, exfiltrating sensitive data while evading detection through multi-layered command-and-control (C2) infrastructure and log-wiping tools.

Technical Analysis of the Exploitation Chain

The APT group, assessed by Mandiant as UNC5221 with ties to Chinese state interests, weaponized the Ivanti vulnerabilities to achieve unauthenticated remote code execution (RCE).

Once inside, attackers deployed SPAWNCHIMERA, a modular malware ecosystem designed explicitly for Ivanti appliances. Key components include:

  • SPAWNANT: A stealthy installer that bypasses integrity checks.
  • SPAWNMOLE: A SOCKS5 proxy for tunneling traffic.
  • SPAWNSNAIL: An SSH backdoor for persistent access.
  • SPAWNSLOTH: A log-wiping tool to erase forensic evidence.

The malware’s dynamic patching capability allows it to modify vulnerable Ivanti components in memory, ensuring continued exploitation even after patches are applied.

Security analysts at Rapid7 confirmed the vulnerabilities’ exploitability, noting that CVE-2025-22457 initially appeared as a low-risk denial-of-service bug but was later weaponized for RCE.

Since April 2025, mass exploitation attempts have rendered many Ivanti VPN appliances unstable, with failed attacks causing widespread service disruptions.

Despite Ivanti’s patches released in February, thousands of devices remain unpatched due to sluggish enterprise remediation efforts.

Mandiant warns that the SPAWNCHIMERA toolkit's sophistication, including UNIX socket communication and obfuscated payloads, reflects Beijing's growing focus on cyber espionage against geopolitical rivals.

TeamT5 urges affected organizations to:

  1. Immediately apply Ivanti’s version 22.7R2.5 patches.
  2. Conduct full network forensic analyses to identify dormant malware.
  3. Reset VPN appliances and revoke credentials exposed during breaches.
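The first step above starts with knowing which appliances still run a build older than 22.7R2.5. The following triage script is an added example, not code from TeamT5, Ivanti or the article: it assumes Ivanti Connect Secure version strings follow the "major.minorRrelease.patch" pattern seen in "22.7R2.5", and the inventory hostnames and versions are constructed for illustration.

```python
import re

# Ivanti Connect Secure builds look like "22.7R2.5": major.minor, an "R" release
# number, and an optional patch number. Assumption (not stated in the article):
# older lines such as "9.1R18.9" follow the same pattern.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Minimum fixed build named in TeamT5's advice for CVE-2025-0282 / CVE-2025-22457.
FIXED_VERSION = "22.7R2.5"


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch number counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def needs_patch(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the appliance build is older than the fixed build.

    Tuple comparison orders 22.7R2.4 < 22.7R2.5 < 22.7R2.6 and also flags
    builds from older major lines (e.g. 9.1R18.9) as needing an upgrade.
    """
    return parse_version(version) < parse_version(fixed)


def triage(inventory: dict[str, str]) -> list[str]:
    """Return hostnames still running a vulnerable build, sorted for reporting."""
    return sorted(host for host, ver in inventory.items() if needs_patch(ver))


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "vpn-eu-1": "22.7R2.4",
    "vpn-eu-2": "22.7R2.5",
    "vpn-apac-1": "9.1R18.9",
    "vpn-us-1": "22.7R2.6",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below {FIXED_VERSION}; patch, then run forensics")
```

Because the article notes that the malware can patch vulnerable components in memory, a current version string alone does not prove an appliance is clean; hosts that were exposed before patching still need the forensic review and credential reset in steps 2 and 3.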

The campaign underscores the persistent risks of unpatched network edge devices, particularly VPN gateways. As Chinese APTs increasingly target legacy systems, CISA has mandated federal agencies to patch Ivanti vulnerabilities by January 15, 2025—a deadline many missed, exacerbating the crisis.

With over 1,700 devices compromised globally and exploitation attempts surging, analysts warn that the operational fallout could persist for years.

“The attackers mapped critical infrastructure, suggesting preparations for future disruptive operations.” As geopolitical tensions escalate, the incident highlights the urgent need for proactive vulnerability management and cross-sector threat intelligence sharing.
