Source URL: https://www.theregister.com/2025/04/01/cisa_ivanti_warning/
Source: The Register
Title: CISA spots spawn of Spawn malware targeting Ivanti flaw
Feedly Summary: Resurge an apt name for malware targeting hardware maker that has security bug after security bug
Owners of Ivanti’s Connect Secure, Policy Secure, and ZTA Gateway products have a new strain of malware to fend off, according to the US Cybersecurity and Infrastructure Security Agency, aka CISA.…
AI Summary and Description: Yes
Summary: The text highlights a new malware strain named Resurge, targeting Ivanti’s security products, which exploits a critical vulnerability (CVE-2025-0282) that allows unauthenticated remote code execution. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) advises urgent action to patch and reset affected systems to ensure network security.
Detailed Description:
The provided text discusses the emergence of a new malware called Resurge, affecting Ivanti’s security products, including Connect Secure, Policy Secure, and ZTA Gateway. This development is critical for professionals in security and compliance, particularly those focused on vulnerability management and incident response.
Key Points:
– **Malware Introduction**: A new strain of malware called Resurge has been identified, targeting Ivanti products, as reported by CISA.
– **Exploited Vulnerability**: Resurge exploits CVE-2025-0282, a severe stack-overflow vulnerability that has also been exploited by other malware, such as the Spawn family.
– **Attack Implications**: The vulnerability allows for unauthenticated remote code execution, enabling attackers to gain control over devices and systems.
– **Affected Software Versions**:
  – Ivanti Connect Secure older than version 22.7R2.5
  – Ivanti Policy Secure older than version 22.7R1.2
  – Ivanti Neurons for ZTA gateways older than version 22.7R2.3
– **Malware Behavior**: Once a device is infected, Resurge can create web shells for remote control, bypass system integrity checks, modify files, harvest credentials, and manipulate user permissions.
– **Action Steps Recommended by CISA**:
  – Conduct a factory reset on affected devices and install the latest firmware version.
  – Perform comprehensive password resets for all accounts, covering both privileged and non-privileged users, including Microsoft Active Directory accounts.
– **Advice from Ivanti**: Ivanti emphasizes the importance of an immediate firmware upgrade and factory reset to remediate vulnerabilities, highlighting the need for a proactive security stance.
– **Historical Context**: This is the second consecutive year Ivanti has faced critical zero-day vulnerabilities, underscoring ongoing security challenges in the current landscape.
Overall, this incident underscores the critical importance of prompt patching and comprehensive management of security vulnerabilities in cloud and infrastructure environments. Security and compliance professionals must remain vigilant and proactive in updating and protecting their systems against emerging threats.