Threat Brief: CVE-2025-0282 and CVE-2025-0283

Description

Two critical vulnerabilities in Ivanti Connect Secure, Policy Secure and ZTA gateway products have been discovered. CVE-2025-0282 allows remote code execution, while CVE-2025-0283 enables privilege escalation. Attacks exploiting CVE-2025-0282 have been observed in the wild, involving initial access, credential harvesting, lateral movement, defense evasion, and persistence. Attackers used custom tools like SPAWNMOLE, SPAWNSNAIL, and SPAWNSLOTH. The activity cluster CL-UNK-0979 has been identified, potentially linked to UNC5337. Immediate patching and monitoring are strongly recommended. Various Palo Alto Networks products offer protection against these threats.