Exploitation of New Ivanti VPN Zero-Day Linked to Chinese Cyberspies
Summary: Google Cloud’s Mandiant has linked the exploitation of a newly patched Ivanti VPN zero-day vulnerability to Chinese cyberspies, revealing that the attacks involved multiple malware families. Ivanti has patched the vulnerabilities, but concerns remain about further exploitation by other threat actors.

Threat Actor: Chinese cyberspies | UNC5337
Victim: Ivanti customers | Ivanti

Key Points:

  • Mandiant identified exploitation of CVE-2025-0282, a critical zero-day vulnerability in Ivanti’s VPN appliances.
  • Attackers deployed various malware families, including Spawn, DryHook, and PhaseJam, to compromise systems and exfiltrate data.
  • CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, urging federal agencies to address it promptly.
  • Ivanti has released patches for the affected products, but additional vulnerabilities remain unpatched until January 21.

Source: https://www.securityweek.com/exploitation-of-new-ivanti-vpn-zero-day-linked-to-chinese-cyberspies/