Cyber Threat Report: Ivanti Vulnerabilities Exploited in the Wild

Threat Overview

A recently published threat brief, “Threat Brief: CVE-2025-0282 and CVE-2025-0283” (authored by Palo Alto Networks Unit 42 and circulated via AlienVault; see References), covers two vulnerabilities in Ivanti Connect Secure, Policy Secure, and ZTA gateway appliances, one of which (CVE-2025-0282) is being actively exploited.

Vulnerabilities

The brief covers two vulnerabilities, both stack-based buffer overflows in the same product line:

* CVE-2025-0282 (critical): unauthenticated remote code execution (RCE) on the appliance. This is the vulnerability observed under active exploitation.

* CVE-2025-0283 (high): local privilege escalation for an attacker who already has authenticated access, granting elevated privileges on the appliance.

Attack Activity Observed

Attacks exploiting CVE-2025-0282 have been observed in the wild. The post-exploitation activity follows a familiar chain:

* Initial access by exploiting the vulnerable appliance.

* Credential harvesting, with persistence established on the compromised device.

* Lateral movement from the appliance into the internal network.

* Defense evasion, including techniques to hinder detection on the appliance.

Custom Tools Used

Attackers have been observed deploying custom tooling from the SPAWN malware family during these attacks: SPAWNMOLE (a tunneler), SPAWNSNAIL (an SSH backdoor), and SPAWNSLOTH (a log-tampering utility).

Activity Cluster Identification

Unit 42 tracks this activity as cluster CL-UNK-0979 and assesses a possible link to the UNC5337 threat actor group.

Recommendations

Given the severity of these vulnerabilities and the observed exploitation, the following actions are strongly recommended:

* Immediate Patching: Upgrade affected Ivanti products to the fixed releases for CVE-2025-0282 and CVE-2025-0283. Because a patched appliance can still carry an implant from an earlier compromise, run Ivanti's Integrity Checker Tool (ICT) before and after upgrading and treat any finding as a potential compromise.

* Network Monitoring: Monitor traffic to and from the appliances for anomalies, and review appliance logs for signs of tampering, since the SPAWNSLOTH component is designed to interfere with logging.
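The first step in the patching recommendation is knowing which appliances in an inventory are still on a pre-fix release. The script below is an added example for this post, not code from Unit 42, Ivanti, or AlienVault. It parses Ivanti's "22.7R2.4"-style version strings and flags anything older than an assumed fixed release per product; the thresholds in FIXED_VERSIONS and the inventory rows are assumptions constructed for the example and should be verified against Ivanti's current advisory before use.

```python
"""Flag Ivanti appliances whose reported version predates the fixed release.

Added example for this post (not code from Unit 42, Ivanti or AlienVault).
FIXED_VERSIONS are assumed thresholds; verify them against Ivanti's advisory.
SAMPLE_INVENTORY is constructed data, not a real environment.
"""
import re
from typing import NamedTuple


class Version(NamedTuple):
    """Ordered representation of 'MAJOR.MINOR R RELEASE . PATCH'."""
    major: int
    minor: int
    release: int
    patch: int


# Matches strings like '22.7R2.4', '22.7R2' (no patch) or '9.1R18.9'.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse an Ivanti version string; a missing patch number counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return Version(int(major), int(minor), int(release), int(patch or 0))


# Assumed minimum fixed release per product (example values; confirm with Ivanti).
FIXED_VERSIONS = {
    "Connect Secure": parse_version("22.7R2.5"),
    "Policy Secure": parse_version("22.7R1.2"),
    "ZTA Gateway": parse_version("22.7R2.5"),
}


def is_vulnerable(product: str, version: str) -> bool:
    """True when the appliance runs a version older than the fixed release.

    This is deliberately conservative: any release below the fix threshold is
    reported, including older branches that need an upgrade path anyway.
    """
    return parse_version(version) < FIXED_VERSIONS[product]


def triage(inventory):
    """Return (hostname, product, version, status) for every inventory row.

    Unknown products or unparsable versions are reported rather than skipped,
    so a malformed row cannot silently drop an exposed appliance.
    """
    results = []
    for host, product, version in inventory:
        try:
            status = "VULNERABLE" if is_vulnerable(product, version) else "patched"
        except (KeyError, ValueError) as exc:
            status = f"unknown ({exc})"
        results.append((host, product, version, status))
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("vpn-01", "Connect Secure", "22.7R2.4"),
    ("vpn-02", "Connect Secure", "22.7R2.5"),
    ("nac-01", "Policy Secure", "22.7R1.1"),
    ("zta-01", "ZTA Gateway", "22.7R2.6"),
    ("old-01", "Connect Secure", "9.1R18.9"),
    ("lab-01", "Connect Secure", "unknown"),
]


if __name__ == "__main__":
    for host, product, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:8} {product:15} {version:10} {status}")
```

A version check only tells you whether the fix is installed; it says nothing about whether the appliance was compromised before the upgrade, which is why the ICT run in the recommendation above is not optional.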

Protective Measures

Users of Palo Alto Networks products can enable the following protections:

* WildFire: Cloud sandbox analysis to detect and block malicious files, such as the SPAWN-family implants.

* Threat Prevention: Intrusion-prevention signatures for known exploit traffic. URL filtering of known malicious domains is provided by the separate Advanced URL Filtering subscription, not by Threat Prevention itself.

References

For more detail on this threat, refer to the original report:

* Palo Alto Unit 42 threat brief: https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2025-0282-cve-2025-0283/

Discover more from ESSGroup

Subscribe to get the latest posts sent to your email.
