- CISA warns about new malware aimed at vulnerable Ivanti products
- Multiple products are being targeted through a flaw dating from 2024
- The malware can create web shells, harvest credentials and more
Multiple Ivanti products are being attacked with a piece of malware called Resurge, according to a new security advisory published by the United States Cybersecurity and Infrastructure Security Agency (CISA), which details both the malware and the vulnerability exploited to deploy it.
Resurge is a SPAWNCHIMERA variant, a piece of malware aimed at Ivanti Connect Secure appliances, which gives attackers unauthorized access to and persistent control over vulnerable endpoints.
Besides surviving reboots, the malware can also create web shells, tamper with integrity checks, modify files, and use the web shells to harvest credentials, create accounts, reset passwords and escalate privileges.
Remote code execution risks
In addition, Resurge can copy the web shell to the Ivanti boot disk and manipulate the coreboot image.
To infect devices with Resurge, threat actors are abusing CVE-2025-0282, a critical stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure and Neurons for ZTA gateways. It allows unauthenticated remote attackers to execute arbitrary code, and has been exploited in the wild since mid-December 2024.
CISA added the flaw to its KEV catalog in early January 2025, noting that the vulnerable software includes Ivanti Connect Secure (before version 22.7R2.5), Ivanti Policy Secure (before version 22.7R1.2) and Ivanti Neurons for ZTA gateways (before version 22.7R2.3).
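The version thresholds above are the concrete triage data an asset owner has to work with, so here is an added inventory check (example code, not CISA's or Ivanti's) that parses Ivanti's "22.7R2.5"-style version strings and flags appliances running below the fixed releases named in the KEV entry. The product keys, hostnames and inventory rows are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Fixed releases as named in the KEV entry; anything lower is in the affected range.
FIXED_VERSIONS = {          # product keys are labels chosen for this example
    "connect_secure": "22.7R2.5",
    "policy_secure": "22.7R1.2",
    "neurons_zta": "22.7R2.3",
}

# Ivanti-style version: major.minor R release [.build], e.g. 22.7R2.5
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)

def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '22.7R2.5' into (22, 7, 2, 5). A missing build number counts as 0.
    Returns None for strings that do not follow the layout (no guessing)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, release, build = m.groups()
    return (int(major), int(minor), int(release), int(build or 0))

def is_below_fix(product: str, version: str) -> Optional[bool]:
    """True if the running version predates the fixed release for the product,
    False if it is at or above it, None if product or version is unrecognised."""
    fixed = FIXED_VERSIONS.get(product)
    running = parse_version(version)
    if fixed is None or running is None:
        return None
    return running < parse_version(fixed)

def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Hosts needing follow-up: below the fix, or in an unknown state
    (unparseable version / unknown product), which is treated as unsafe."""
    return [host for host, product, version in inventory
            if is_below_fix(product, version) is not False]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("vpn-1", "connect_secure", "22.7R2.4"),   # one build behind the fix
    ("vpn-2", "connect_secure", "22.7R2.5"),   # at the fixed release
    ("nac-1", "policy_secure", "22.7R1.1"),
    ("zta-1", "neurons_zta", "22.7R2.3"),
    ("zta-2", "neurons_zta", "22.7r2"),        # lowercase r, no build number
    ("mystery", "connect_secure", "n/a"),      # unparseable -> flagged
]

if __name__ == "__main__":
    print("Needs follow-up:", triage(SAMPLE_INVENTORY))
```

A passing version check only says a device is no longer exposed, not that it was never compromised; the reset and credential steps CISA lists still apply to anything that sat unpatched while the flaw was being exploited.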
There are several things companies can do to mitigate the risk, CISA says.
“For the highest level of trust, perform a factory reset,” the advisory says. “For cloud and virtual systems, perform a factory reset using a known external image of the device.”
In addition, users should reset the credentials of privileged and non-privileged accounts, reset passwords for all domain users and all local accounts, review access policies to temporarily revoke privileges/access for affected devices, reset credentials or relevant access keys, and monitor related accounts, especially administrative accounts.
Via The Register