

Ethical Hacking News

CISA Warns of RESURGE Malware Exploiting Ivanti Flaw: A Growing Concern for Cybersecurity



CISA has issued a warning about the RESURGE malware, which is being used to exploit a vulnerability in Ivanti Connect Secure appliances. This malicious code can lead to unauthenticated remote code execution and privilege escalation if left unpatched. The affected appliances include Ivanti Connect Secure, Policy Secure, and ZTA Gateways. Ivanti has released an update that addresses the vulnerability, but it is recommended that users take immediate action to patch their systems.

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned about the RESURGE malware exploiting a vulnerability in Ivanti Connect Secure appliances.
  • The malware, which supports SPAWNCHIMERA capabilities, can create web shells, bypass integrity checks, and modify files.
  • RESURGE enables credential harvesting, account creation, and privilege escalation, copying web shells to Ivanti's boot disk and manipulating the coreboot image for persistence.
  • A vulnerability (CVE-2025-0282) in Ivanti Connect Secure appliances can be exploited remotely without authentication.
  • Ivanti has released an update addressing two vulnerabilities: one critical and one high-severity.
  • CISA is aware of a limited number of customers whose Ivanti Connect Secure appliances were exploited using the CVE-2025-0282 vulnerability.
  • RESURGE also includes another malicious component, libdsupgrade.so (a SPAWNSLOTH variant), used to tamper with logs stealthily.



  • CISA warns of RESURGE malware exploiting Ivanti flaw

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about the RESURGE malware, which is being used to exploit a vulnerability in Ivanti Connect Secure appliances. This malicious code was first identified by CISA in its Malware Analysis Report (MAR), which provides detailed information on various types of malware that pose a threat to computer systems.

    According to CISA, the RESURGE malware supports the capabilities of the SPAWNCHIMERA malware but implements distinctive commands that alter its behavior. This allows it to create web shells, bypass integrity checks, and modify files. Furthermore, the malware enables credential harvesting, account creation, and privilege escalation, copying web shells to Ivanti’s boot disk and manipulating the coreboot image for persistence.

    The vulnerability that RESURGE exploits is CVE-2025-0282, which CISA has added to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The flaw can be exploited remotely without authentication. The affected appliances include Ivanti Connect Secure, Policy Secure, and ZTA Gateways.

    Ivanti has released an update that addresses one critical and one high-severity vulnerability in these appliances. According to the advisory issued by CISA, successful exploitation of CVE-2025-0282 could lead to unauthenticated remote code execution, while CVE-2025-0283 allows a local authenticated attacker to escalate privileges.

    CISA has stated that it is aware of a limited number of customers whose Ivanti Connect Secure appliances were exploited using the CVE-2025-0282 vulnerability at the time of disclosure. However, it is not aware of any exploitation in Ivanti Policy Secure or ZTA gateways.

    The RESURGE malware also includes another malicious component, libdsupgrade.so, a SPAWNSLOTH variant used for log tampering. It detaches the shared memory segment associated with the g_do_syslog_servers_exist IPC key and hooks the _ZN5DSLog4File3addEPKci function (the mangled name of DSLog::File::add(const char*, int)) using funchook, an open-source library for intercepting function calls.

    Intercepting the log-writing function lets the malware modify logs stealthily by dropping the messages that would identify its activity, making detection harder.

    CISA has also provided details about liblogblock.so, a 32-bit Linux ELF binary that is another SPAWNSLOTH variant; it tampers with Ivanti device logs to hinder detection.
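One defensive check that the log tampering described above suggests: compare a local log export against the copy a remote syslog collector received and report the entries that vanished locally. This is an added example, not code from CISA's report or from Ivanti; the log format and sample lines are constructed, and it assumes both sides record identical line text.

```python
import re
from collections import Counter

# Constructed sample data, not real Ivanti output: the remote syslog copy
# kept every line; the local copy lost the ones an intruder would hide.
REMOTE_LOG = """\
2025-03-30T10:00:01 info web Login succeeded for user alice
2025-03-30T10:00:07 warn web Login failed for user admin
2025-03-30T10:00:09 info sys Integrity check started
2025-03-30T10:00:12 err sys Integrity check failed: 1 unexpected file
2025-03-30T10:00:15 info sys Admin account created: svc_backup
2025-03-30T10:00:20 info web Logout for user alice
"""
LOCAL_LOG = """\
2025-03-30T10:00:01 info web Login succeeded for user alice
2025-03-30T10:00:07 warn web Login failed for user admin
2025-03-30T10:00:09 info sys Integrity check started
2025-03-30T10:00:20 info web Logout for user alice
"""

# timestamp, level, source, free-text message
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse(text):
    """Return (timestamp, level, source, message) tuples, skipping junk."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def missing_locally(remote_text, local_text):
    """Entries the collector received that the local log no longer holds.
    A Counter tolerates legitimately repeated lines; remote order is kept."""
    local = Counter(parse(local_text))
    gone = []
    for entry in parse(remote_text):
        if local[entry] > 0:
            local[entry] -= 1      # present on both sides, consume one copy
        else:
            gone.append(entry)     # removed (or never written) locally
    return gone

def suspicious_removals(remote_text, local_text):
    """Removed entries touching what RESURGE is reported to hide:
    integrity-check results and account changes."""
    keywords = ("integrity", "account")
    return [e for e in missing_locally(remote_text, local_text)
            if any(k in e[3].lower() for k in keywords)]

if __name__ == "__main__":
    for ts, level, src, msg in suspicious_removals(REMOTE_LOG, LOCAL_LOG):
        print(f"REMOVED LOCALLY: {ts} {level} {src} {msg}")
```

Because the malware also detaches the shared memory that tells the appliance whether remote syslog servers exist, a sudden stop in forwarded events is itself a signal worth alerting on.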

    Furthermore, RESURGE includes a custom embedded binary that bundles an open-source shell script and a subset of applets from the open-source tool BusyBox. The shell script lets the threat actors extract an uncompressed kernel image (vmlinux) from a compromised kernel image, while BusyBox gives them general-purpose utilities such as downloading and executing payloads on compromised devices.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/CISA-Warns-of-RESURGE-Malware-Exploiting-Ivanti-Flaw-A-Growing-Concern-for-Cybersecurity-ehn.shtml

  • https://securityaffairs.com/176040/breaking-news/cisa-warns-of-resurge-malware-exploiting-ivanti-flaw.html


  • Published: Sun Mar 30 20:37:21 2025 by llama3.2 3B Q4_K_M