Hackers Exploiting Ivanti Connect Secure RCE Vulnerability to Install SPAWNCHIMERA Malware

A critical vulnerability in Ivanti Connect Secure (CVE-2025-0282) is being actively exploited by multiple threat actors to deploy an advanced malware variant known as SPAWNCHIMERA.
This vulnerability, disclosed in January 2025, is a stack-based buffer overflow that allows remote unauthenticated attackers to execute arbitrary code on vulnerable devices.
With a CVSS score of 9.0, it poses a significant risk to organizations using Ivanti’s remote access solutions.
Exploitation of the Vulnerability
The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) reported that exploitation of CVE-2025-0282 began in late December 2024, even before the vulnerability was publicly disclosed.
Attackers leveraged this flaw to infiltrate networks and install SPAWNCHIMERA malware, an evolution of the SPAWN malware family previously identified by Google’s Mandiant team.
SPAWNCHIMERA integrates features from earlier members of that family—SPAWNANT (the installer), SPAWNMOLE (the tunneler), and SPAWNSNAIL (the SSH backdoor)—into a single component, making it a more sophisticated and evasive threat.
Key Technical Enhancements of the Malware
Inter-process Communication Changes
Previous SPAWN variants used a TCP listener on 127.0.0.1:8300 for communication between the injected components. SPAWNCHIMERA replaces it with a UNIX domain socket at /home/runtime/tmp/.logsrv.
Because nothing is bound to a TCP port any more, the channel no longer shows up in TCP listener output from netstat or ss, which is what most hunting playbooks for the earlier variants looked at. The socket is still visible in the UNIX socket table (netstat -x, ss -xlp, or /proc/net/unix), so that is where to look for it.
Dynamic Vulnerability Fix
Unusually, SPAWNCHIMERA patches the very vulnerability it arrived through.
It hooks the strncpy function in the process it is injected into and clamps the copy length to 256 bytes, so the overlong input that triggers the stack-based overflow is truncated. Later exploitation attempts by other attackers, and proof-of-concept (PoC) based vulnerability scans, therefore fail against an infected device. The practical consequence for defenders is that a failed PoC or a scanner verdict of "not vulnerable" does not establish that an appliance is clean; it may already be compromised.
Enhanced Decoding Mechanisms
The private SSH key for the malware's SSH server component (inherited from SPAWNSNAIL) is now stored XOR-encoded inside the binary and decoded at runtime.
This removes the on-disk artifact that earlier variants left at /tmp/.dskey, reducing the forensic evidence available to responders.
Removal of Debug Messages
Debugging features have been stripped from both SPAWNCHIMERA and its associated payloads (e.g., SPAWNSLOTH), complicating reverse engineering and analysis efforts.
The addition of a self-patching mechanism is particularly alarming as it demonstrates how attackers are evolving their tactics to secure their foothold while denying access to competing threat actors or defenders attempting remediation.
Furthermore, the use of encoded keys and UNIX domain sockets highlights a shift toward stealthier post-exploitation techniques.
Mitigation Measures
Ivanti has released patches addressing CVE-2025-0282 and recommends immediate application to all affected appliances: Ivanti Connect Secure versions prior to 22.7R2.5, Ivanti Policy Secure prior to 22.7R1.2, and Ivanti Neurons for ZTA gateways prior to 22.7R2.3. Ivanti also advises running the external Integrity Checker Tool (ICT) and performing a factory reset on any appliance that shows signs of compromise before upgrading, since applying the patch alone does not remove an implant that is already installed.
The emergence of SPAWNCHIMERA underscores the growing sophistication of malware targeting enterprise-grade VPN solutions.
Organizations must act swiftly to patch vulnerabilities and enhance monitoring capabilities to mitigate risks associated with this advanced threat.
IoCs
Malware hashes
SPAWNCHIMERA 94b1087af3120ae22cea734d9eea88ede4ad5abe4bdeab2cc890e893c09be955
SPAWNSLOTH 9bdf41a178e09f65bf1981c86324cd40cb27054bf34228efdcfee880f8014baf
Found Malware File Paths
SPAWNCHIMERA /lib/libdsupgrade.so
SPAWNSLOTH /tmp/.liblogblock.so
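The following Python sweep is an added example for this article, not code from JPCERT/CC or from Cyber Security News. It checks the indicators listed above together with the IPC change described earlier: it parses Linux /proc/net/tcp for the 127.0.0.1:8300 listener of older SPAWN variants, parses /proc/net/unix for SPAWNCHIMERA's /home/runtime/tmp/.logsrv socket, and compares SHA-256 digests of files at the published paths against the published hashes. The /proc tables and file contents embedded at the bottom are constructed sample input, not captures from a real appliance, and the /var/run/example.sock path is a placeholder. Run it against a forensic image or a collected copy of the /proc tables: on a live, compromised appliance the malware (and SPAWNSLOTH's log tampering) can distort what local tools report, and Ivanti's external ICT remains the authoritative integrity check.

```python
"""Offline IoC sweep for SPAWNCHIMERA and older SPAWN-family traces.

Added example, not code from the article or from JPCERT/CC. It inspects the
two artefacts the report describes: the IPC channel (127.0.0.1:8300 for older
variants, the UNIX socket /home/runtime/tmp/.logsrv for SPAWNCHIMERA) and the
published file paths and SHA-256 hashes. All sample inputs are constructed.
"""
import hashlib
from typing import Dict, List, Set, Tuple

# Indicators published in the article's IoC section.
KNOWN_SHA256 = {
    "/lib/libdsupgrade.so":
        "94b1087af3120ae22cea734d9eea88ede4ad5abe4bdeab2cc890e893c09be955",  # SPAWNCHIMERA
    "/tmp/.liblogblock.so":
        "9bdf41a178e09f65bf1981c86324cd40cb27054bf34228efdcfee880f8014baf",  # SPAWNSLOTH
}
LEGACY_IPC_ADDR = ("127.0.0.1", 8300)          # TCP listener used by earlier SPAWN variants
CHIMERA_SOCKET = "/home/runtime/tmp/.logsrv"   # UNIX domain socket used by SPAWNCHIMERA
TCP_LISTEN = 0x0A                              # 'st' column value for LISTEN in /proc/net/tcp


def decode_tcp_addr(hexaddr: str) -> Tuple[str, int]:
    """Convert a /proc/net/tcp address such as '0100007F:206C' to ('127.0.0.1', 8300).

    The kernel prints the IPv4 address as a host-order 32-bit hex value, so on
    little-endian x86 appliances the octets come out reversed.
    """
    ip_hex, port_hex = hexaddr.split(":")
    octets = bytes.fromhex(ip_hex)[::-1]
    return ".".join(str(b) for b in octets), int(port_hex, 16)


def tcp_listeners(proc_net_tcp: str) -> Set[Tuple[str, int]]:
    """Return (ip, port) pairs in LISTEN state from /proc/net/tcp text."""
    listeners = set()
    for line in proc_net_tcp.splitlines()[1:]:     # first line is the column header
        fields = line.split()
        if len(fields) >= 4 and int(fields[3], 16) == TCP_LISTEN:
            listeners.add(decode_tcp_addr(fields[1]))
    return listeners


def unix_socket_paths(proc_net_unix: str) -> Set[str]:
    """Return the filesystem paths of bound UNIX domain sockets from /proc/net/unix text."""
    paths = set()
    for line in proc_net_unix.splitlines()[1:]:
        fields = line.split(None, 7)               # Num RefCount Protocol Flags Type St Inode Path
        if len(fields) == 8:                       # anonymous sockets have no Path column
            paths.add(fields[7])
    return paths


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_matches(files: Dict[str, bytes]) -> List[str]:
    """Paths whose content hashes to a published SPAWN-family sample."""
    return [p for p, data in files.items() if KNOWN_SHA256.get(p) == sha256_hex(data)]


def sweep(proc_net_tcp: str, proc_net_unix: str, files: Dict[str, bytes]) -> List[str]:
    """Run every check and return human-readable findings (empty list means no hit)."""
    findings = []
    if LEGACY_IPC_ADDR in tcp_listeners(proc_net_tcp):
        findings.append("legacy SPAWN IPC listener on 127.0.0.1:8300")
    if CHIMERA_SOCKET in unix_socket_paths(proc_net_unix):
        findings.append(f"SPAWNCHIMERA IPC socket bound at {CHIMERA_SOCKET}")
    exact = hash_matches(files)
    for path in exact:
        findings.append(f"known SPAWN-family sample at {path} (SHA-256 match)")
    # A file at a published path with a different hash still deserves a look:
    # a recompiled or re-encoded build changes the digest but not the drop location.
    for path in KNOWN_SHA256:
        if path in files and path not in exact:
            findings.append(f"file present at IoC path {path} (hash differs, review)")
    return findings


# Constructed sample input: one ordinary HTTPS listener plus both IPC indicators.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:206C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 24680 /home/runtime/tmp/.logsrv
0000000000000000: 00000002 00000000 00010000 0001 01 24681 /var/run/example.sock
0000000000000000: 00000002 00000000 00000000 0002 01 24682
"""
# Constructed placeholder content at a published path; its hash will not match.
SAMPLE_FILES = {"/tmp/.liblogblock.so": b"constructed placeholder, not the real sample"}

if __name__ == "__main__":
    for finding in sweep(SAMPLE_PROC_NET_TCP, SAMPLE_PROC_NET_UNIX, SAMPLE_FILES):
        print("[!]", finding)
```

On the constructed sample this reports the legacy 8300 listener, the .logsrv socket, and a file at /tmp/.liblogblock.so whose hash does not match the published one. The last finding is deliberate: a path hit with a different digest is how a re-encoded or recompiled build would present, so the sweep flags it for review rather than silently treating a hash mismatch as clean.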
The post Hackers Exploiting Ivanti Connect Secure RCE Vulnerability to Install SPAWNCHIMERA Malware appeared first on Cyber Security News.