The attackers exploited critical vulnerabilities in Ivanti Connect Secure VPN appliances to infiltrate networks across multiple industries and countries.
The campaign highlights the growing threat posed by state-sponsored cyber actors leveraging advanced tools and techniques to compromise sensitive systems worldwide.
The scope of the attack is alarming, with victims spanning nearly twenty industries across twelve countries.
The affected nations include Austria, Australia, France, Spain, Japan, South Korea, the Netherlands, Singapore, Taiwan, the United Arab Emirates, the United Kingdom, and the United States.
Targeted industries range from critical infrastructure sectors like telecommunications and financial institutions to sensitive entities such as government organizations, intergovernmental organizations (IGOs), and non-governmental organizations (NGOs).
Other impacted sectors include automotive, chemical, construction, electronics, education, information security, law firms, manufacturing, media, gambling, materials research institutes, and conglomerates.
This broad victim profile underscores the indiscriminate nature of the campaign and its potential to disrupt essential services globally.
TeamT5’s analysis revealed that the attackers likely exploited two critical vulnerabilities in Ivanti Connect Secure VPN appliances: CVE-2025-0282 and CVE-2025-22457.
Both vulnerabilities are stack buffer overflow flaws with a Common Vulnerability Scoring System (CVSS) score of 9.0, indicating their high severity.
Successful exploitation enables remote code execution (RCE), allowing attackers to infiltrate internal networks and implant malware.
The attackers employed a specialized malware toolkit known as SPAWNCHIMERA.
This tool is specifically designed for Ivanti Connect Secure VPN appliances and incorporates functionalities from the notorious SPAWN malware family. Components of SPAWNCHIMERA include:
These tools enable attackers to maintain persistent access while evading detection through multi-layered command-and-control (C2) infrastructure and log-wiping capabilities.
TeamT5 has observed increased exploitation attempts against Ivanti VPN appliances since April 2025. While many of these attempts failed, some devices became paralyzed or unstable due to the attacks.
The group warns that other threat actors may have obtained information about these vulnerabilities and could launch similar campaigns targeting Ivanti VPN appliances.
The versatile tactics, techniques, and procedures (TTPs) utilized by the attackers make detection particularly challenging without advanced technical support.
Their ability to evade monitoring mechanisms and erase traces of their activity further complicates incident response efforts.
TeamT5 strongly advises organizations using Ivanti Connect Secure VPN appliances to conduct thorough incident investigations to assess potential compromise.
Immediate actions include:
This incident serves as a stark reminder of the critical importance of proactive cybersecurity measures in mitigating risks posed by increasingly sophisticated threat actors.
The post Chinese Hackers Exploiting Ivanti VPN Flaws to Breach Global Networks appeared first on Cyber Security News.