According to a recent security advisory released by the US Cybersecurity and Infrastructure Security Agency (CISA), a piece of malware known as RESURGE is targeting multiple Ivanti products.
The advisory describes the malware and the vulnerability that is being used to spread it. RESURGE is a type of malware called SPAWNCHIMERA that targets Ivanti Connect Secure appliances. It gives attackers persistent control over, and unauthorised access to, vulnerable endpoints.
RESURGE also survives reboots. It can create web shells, alter files, tamper with integrity checks, and use the web shells to harvest credentials, create accounts, reset passwords, and escalate privileges.
Additionally, RESURGE has the ability to modify the running coreboot image and copy the web shell to the Ivanti boot disk. Threat actors are exploiting CVE-2025-0282, a critical stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways, to infect the devices with RESURGE.
The vulnerability has been exploited in the wild since mid-December 2024 and allows remote, unauthenticated attackers to run arbitrary code. In early January 2025, CISA added it to its KEV catalogue, listing Ivanti Connect Secure (prior to version 22.7R2.5), Ivanti Policy Secure (prior to version 22.7R1.2), and Ivanti Neurons for ZTA gateways (prior to version 22.7R2.3) as the affected software.
CISA lists several actions organisations can take to reduce the risk.
“For the highest level of confidence, conduct a factory reset. For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device,” the advisory says, as reported by TechRadar.
Additionally, users should reset the passwords for all local accounts and domain users, reset the credentials of privileged and non-privileged accounts, review access policies to temporarily revoke access and privileges for impacted devices, reset the relevant account credentials or access keys, and monitor related accounts, particularly administrative accounts.
“We are proponents of responsible information sharing with defenders, as it is vital to build a healthier, more resilient security ecosystem. The patching instructions that Ivanti released on January 8, which include performing a Factory Reset, effectively remediate the vulnerability. We encourage all customers to follow these instructions immediately if they have not done so already, and to remain on the latest version (currently 22.7R2.6), which includes significant security enhancements,” an Ivanti spokesperson told TechRadar in an emailed statement.