A newly identified malware, known as RESURGE, is actively exploiting a significant zero-day vulnerability in Ivanti Connect Secure devices. This discovery has led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue a critical alert. The malware is designed to persist through system reboots, steal sensitive credentials, and maintain its presence well after the initial breach.
Details of the Vulnerability and Attack Method
The primary vulnerability being exploited is CVE-2025-0282, a stack-based buffer overflow affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways. This class of vulnerability occurs when an attacker supplies more data than a fixed-size stack buffer can hold, overwriting adjacent memory and allowing the execution of arbitrary code on the target system. The vulnerability was officially recognized by CISA and added to its Known Exploited Vulnerabilities Catalog on January 8, 2025, following reports of its active exploitation in December 2024.
Ivanti Connect Secure and related products are widely used as secure remote access gateways by enterprises and government agencies, making them attractive targets for attackers.
Comprehensive Analysis of the Malware
CISA’s analysis revealed RESURGE after examining compromised Ivanti Connect Secure devices within a critical infrastructure organization. Alongside RESURGE, two other malicious tools were identified: a log-tampering variant of SPAWNSLOTH and a custom binary named “dsmain”. These tools work in tandem to facilitate unauthorized access, erase intrusion evidence, and modify the system’s core to ensure persistent access.
RESURGE is an evolution of the SPAWNCHIMERA malware, extending its capabilities by introducing additional commands. CISA described RESURGE as a multi-functional tool, acting as a rootkit, dropper, backdoor, bootkit, proxy, and tunneler.
Impact and Mitigation Strategies
The potential impact of RESURGE is extensive due to Ivanti Connect Secure’s role as a VPN gateway for numerous organizations. Successful exploitation can lead to unauthorized access to enterprise networks, allowing attackers to harvest credentials, create unauthorized accounts, and escalate privileges undetected.
RESURGE maintains its foothold by embedding itself into critical system files, such as “ld.so.preload”, so that its library is loaded into dynamically linked processes as they start, before most of the device’s own services are running. This strategic positioning grants it control over the system from startup and lets it evade standard detection tools. Additionally, RESURGE establishes a web shell for remote command execution and manipulates coreboot images, embedding malicious code that survives software reinstalls.
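As an added, defensive example that is not part of the CISA report or this article: a small Python audit of an ld.so.preload file, the persistence location described above, that flags entries outside an administrator allowlist or in writable locations. The sample file contents, the allowlist, and the library names are constructed for illustration.

```python
"""Audit the contents of an ld.so.preload file for unexpected preload entries.

Added example, not code from CISA or Ivanti. Intended for a forensic image or
a Linux host where the analyst already has a copy of the file's text.
"""
import re

# Constructed sample: one expected entry and one that should draw attention.
SAMPLE_PRELOAD = """# preloaded libraries (constructed sample)
/usr/lib/x86_64-linux-gnu/libfakeroot.so

/tmp/.cache/libx.so
"""

# Assumed administrator allowlist of libraries expected in ld.so.preload on this host.
EXPECTED = {"/usr/lib/x86_64-linux-gnu/libfakeroot.so"}

# A preloaded shared object living in a world-writable or user directory is rarely legitimate.
SUSPICIOUS_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home")


def parse_preload(text):
    """Return the library paths listed in ld.so.preload text.

    Blank lines and '#' comments are dropped; entries may be separated by
    whitespace or colons, which is how the dynamic loader reads the file.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries


def assess_entry(path, expected=EXPECTED):
    """Return the reasons one entry deserves attention (empty list means clean)."""
    reasons = []
    if path not in expected:
        reasons.append("not in allowlist")
    if any(path.startswith(d + "/") for d in SUSPICIOUS_DIRS):
        reasons.append("loaded from a writable/temporary directory")
    if any(part.startswith(".") for part in path.split("/") if part):
        reasons.append("hidden path component")
    if not re.search(r"\.so(\.\d+)*$", path):
        reasons.append("does not look like a shared object")
    return reasons


def audit_preload(text, expected=EXPECTED):
    """Map each suspicious entry in the file text to its list of reasons."""
    findings = {}
    for path in parse_preload(text):
        reasons = assess_entry(path, expected)
        if reasons:
            findings[path] = reasons
    return findings
```

Run `audit_preload` on the file text pulled from an image; an empty result means every entry matched the allowlist and nothing looked out of place.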
CISA recommends organizations conduct a factory reset as the most reliable method to eliminate the malware. For cloud and virtual systems, a verified clean image should be used. Resetting all account credentials, particularly those managing Kerberos authentication, is crucial. Access for affected devices should be temporarily revoked, access policies reviewed, and administrative accounts closely monitored for unusual activity. Any suspicious incidents should be reported to CISA’s 24/7 Operations Center via [email protected] or (888) 282-0870.
