Dive Brief:
- The Cybersecurity and Infrastructure Security Agency on Friday issued an alert for a new malware variant, dubbed Resurge, that is exploiting CVE-2025-0282, a critical stack buffer overflow vulnerability in Ivanti Connect Secure appliances. The variant shares similarities with the Spawn malware family, which has been used by Chinese nation-state threat actors.
- CVE-2025-0282 was initially disclosed as a zero-day vulnerability on Jan. 8. At the time, Mandiant researchers said the flaw was exploited in the wild by a China-nexus espionage group they track as UNC5337.
- Vulnerabilities in Ivanti products have become popular targets for a variety of threat actors, with several examples this year. Earlier this month, three critical vulnerabilities in Ivanti Endpoint Manager came under attack.
Dive Insight:
According to CISA, Resurge is similar to SpawnChimera, a variant of the Spawn malware family that withstands system reboots. Mandiant researchers previously observed UNC5337 deploying Spawn malware variants against other vulnerabilities in Ivanti Connect Secure appliances.
CISA highlighted crucial differences between Resurge and SpawnChimera, including the former's ability to manipulate integrity checks. Ivanti typically recommends organizations use its Integrity Checker Tool (ICT) to identify exploitation of vulnerabilities, including CVE-2025-0282.
However, CISA has previously flagged issues with Ivanti's ICT. Last year, the agency warned that an older version of the tool was insufficient to detect exploitation of three vulnerabilities: CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893. CISA later disclosed that its network had been breached through two of the vulnerabilities.
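The two paragraphs above turn on one defensive point: an integrity checker whose reference data and verification logic live on the same device an intruder controls can be blinded, which is why CISA's remediation advice ends in an external, known-clean image rather than an on-box scan. The following added example (not Ivanti's ICT and not code from CISA's report) illustrates that with a minimal file-hash verifier run over a constructed directory tree: the same tampered tree passes when compared against a manifest regenerated on the box and fails when compared against a manifest captured earlier and held off-device. File names such as `bin/web` and `www/shell.cgi` are placeholders made up for the demonstration.

```python
"""Offline integrity check against an externally held manifest (added example)."""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, trusted_manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree against a manifest; report modified, missing and added files."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in trusted_manifest
                           if k in current and current[k] != trusted_manifest[k]),
        "missing": sorted(k for k in trusted_manifest if k not in current),
        "added": sorted(k for k in current if k not in trusted_manifest),
    }


def demo() -> dict[str, dict[str, list[str]]]:
    """Constructed scenario: capture a clean manifest off-device, then tamper with the tree
    and regenerate the on-box manifest the way an intruder with root access could."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "www").mkdir()
        (root / "bin" / "web").write_bytes(b"clean web server binary (constructed)")
        (root / "www" / "index.cgi").write_bytes(b"legitimate cgi (constructed)")

        # Reference copied to a trusted host at a known-good moment.
        trusted = build_manifest(root)

        # Attacker-controlled device: patch a binary and drop an extra file ...
        (root / "bin" / "web").write_bytes(b"patched web server binary (constructed)")
        (root / "www" / "shell.cgi").write_bytes(b"dropped file placeholder (constructed)")
        # ... then rewrite the reference the on-box checker will read.
        on_box = build_manifest(root)

        return {
            "on_box": verify(root, on_box),     # everything "matches": tampering invisible
            "external": verify(root, trusted),  # flags bin/web modified, www/shell.cgi added
        }


if __name__ == "__main__":
    for source, result in demo().items():
        print(f"{source:9s} modified={result['modified']} added={result['added']} "
              f"missing={result['missing']}")
```

The design choice worth noting is where `trusted` lives: the comparison is only as strong as the reference it is made against, so the manifest (or the clean image) has to be captured and stored somewhere the appliance cannot write to. The hashing itself is the easy part.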
With Resurge malware, threat actors can create web shells, harvest credentials, create new accounts, initiate password resets and elevate permissions, according to CISA. Additionally, attackers can copy the web shell to the boot disk of an Ivanti device and manipulate the running coreboot image.
In CISA's malware analysis, the agency noted that it obtained Resurge files from a critical infrastructure organization's Ivanti Connect Secure device after threat actors exploited Ivanti CVE-2025-0282 for initial access. In addition to Resurge, CISA analysts discovered another Spawn malware variant known as SpawnSloth, which tampers with Ivanti device logs.
It's unclear how widespread the exploitation activity is, or what types of organizations and industries are being targeted. In late January, the Shadowserver Foundation found 379 organizations had been infected with backdoors that were likely deployed through exploitation of CVE-2025-0282.
Given the malware's capability to erase evidence of exploitation, CISA recommended organizations take critical steps to ensure their devices and networks are free from malicious activity. "For the highest level of confidence, conduct a factory reset," the agency said. "For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device."
Cybersecurity Dive contacted Ivanti for comment on CISA's alert. "We are proponents of responsible information sharing with defenders, as it is vital to build a healthier, more resilient security ecosystem. Ivanti encourages customers to follow the patching instructions released on January 8th immediately if they have not already, including performing a Factory Reset," a spokesperson said.
Editor’s Note: This story has been updated with a response from Ivanti.