Chinese Cyberspies Unleash Chaos with New Ivanti VPN Zero-Day Exploit
Mandiant has linked the exploitation of a newly patched Ivanti VPN zero-day vulnerability to Chinese cyberspies. The attackers deployed malware tracked as Spawn and introduced two previously unseen malware families, DryHook and PhaseJam. Mandiant warns that CVE-2025-0282 could soon become a buffet for hackers if proof-of-concept exploits go public.

Hot Take:
In a plot that sounds like it was lifted straight from a cyber-thriller novel, Chinese cyberspies are reportedly exploiting vulnerabilities in Ivanti’s VPN appliances. But don’t worry, Ivanti and Mandiant are on the case, armed with an Integrity Checker Tool and a hefty dose of medium confidence!
Key Points:
- Ivanti has patched two critical vulnerabilities in its VPN appliances, with the exploitation linked to Chinese threat actors.
- The critical CVE-2025-0282 vulnerability allows unauthenticated remote attackers to execute arbitrary code.
- Mandiant has connected the exploitation to a Chinese espionage group, UNC5337, but can’t pinpoint a specific actor.
- Previously unknown malware families, DryHook and PhaseJam, have been identified in the attacks.
- CISA added the Ivanti zero-day to its Known Exploited Vulnerabilities catalog, pushing for a patch by January 15.