RESURGE: In-Depth Analysis of a Persistent Implant on Ivanti Connect Secure


Exploitation of CVE-2025-0282 | CVSS 9.0 | SPAWN/SPAWNCHIMERA Malware Family

Dominant ATT&CK Techniques: T1190 (Exploit Public-Facing Application), T1071.001 (Web Protocols), T1556 (Modify Authentication Process)

Affected Technology: Ivanti Connect Secure (Pulse Secure) VPN Appliance

Classification: TLP:CLEAR-PAP:CLEAR


1. Executive Summary (Board-Level Strategic Abstract)

The RESURGE implant represents a first-order structural threat to any organization operating Ivanti Connect Secure appliances at its network perimeter. Identified by the Cybersecurity and Infrastructure Security Agency (CISA) following the compromise of a critical infrastructure entity, this implant exploits vulnerability CVE-2025-0282 (CVSS 9.0, stack-based buffer overflow) to achieve unauthenticated initial access, then deploys a suite of persistence, evasion, and remote control capabilities of significant sophistication.

The nature of this threat is fundamentally different from conventional perimeter compromises. RESURGE adopts a passive Command and Control model: the implant generates no outbound traffic to C2 infrastructure. It remains dormant on the compromised device, awaiting an inbound connection from the operator. This architecture renders detection through traditional outbound traffic monitoring mechanisms (proxy, DNS, NetFlow) structurally ineffective.

The probability of occurrence is assessed as high. CVE-2025-0282 was actively exploited (Known Exploited Vulnerability, KEV) prior to patch availability. CISA’s updated analysis, released February 26, 2026, confirms that RESURGE may remain dormant and undetected on Ivanti Connect Secure devices, constituting an active persistent threat. The exposure surface is substantial: Ivanti Connect Secure is among the most widely deployed VPN solutions across government, financial, healthcare, and industrial sectors.

The systemic impact is critical. The implant provides full shell access via embedded SSH, the capability to modify firmware integrity mechanisms (coreboot), to neutralize internal detection tools (Integrity Checker Tool, scanner.py), to install web shells, and to manipulate system logs via a SPAWNSLOTH component. These combined capabilities enable persistent, stealthy, and total access to the target organization’s internal infrastructure.

From a regulatory standpoint, a compromise involving RESURGE triggers notification obligations under NIS2 (EU), DORA (European financial sector), and potentially GDPR if personal data has been exfiltrated. The absence of detection due to the implant’s dormant nature may significantly extend the exposure window, aggravating regulatory implications.

Recommended strategic trade-offs include: prioritizing a forensic verification campaign across the entire Ivanti Connect Secure fleet, including already patched devices; considering complete reconstruction (factory reset followed by clean reinstallation) as the only reliable remediation; evaluating the opportunity for a medium-term VPN technology replacement; and integrating network indicators of compromise (forged TLS certificate, CRC32 fingerprint) into perimeter detection capabilities.

2. Introduction

This article provides an in-depth analysis of the RESURGE implant, documented by CISA in Malware Analysis Report MAR-25993211-r1.v2, initially published March 28, 2025, and substantially updated February 26, 2026. The update provides critical technical insights into RESURGE’s network-level evasion mechanisms, custom TLS authentication, and advanced cryptographic capabilities that were not documented in the initial version.

The research question is twofold. First, how does a threat actor maintain persistent, stealthy, and resilient access on a perimeter VPN appliance, bypassing both vendor-provided integrity mechanisms and operational detection tools? Second, what are the architectural and strategic implications for organizations whose perimeter security relies on proprietary appliances with non-fully-auditable firmware?

The analytical hypotheses are as follows. Hypothesis 1: the threat actor possesses advanced capabilities consistent with an APT (Advanced Persistent Threat) profile, given the observed tradecraft sophistication (Elliptic Curve Cryptography, TLS spoofing, coreboot manipulation). Hypothesis 2: the passive C2 design suggests a long-term strategic collection operation rather than a financially motivated cybercriminal campaign. Hypothesis 3: additional undiscovered instances of RESURGE are likely deployed and undetected on Ivanti Connect Secure devices worldwide.

The analysis scope covers the three artifacts submitted to CISA: libdsupgrade.so (RESURGE, 1.41 MB), liblogblock.so (SPAWNSLOTH variant, 95 KB), and dsmain (embedded BusyBox binary with extract_vmlinux.sh, 5.10 MB). The analysis draws on both versions of the CISA MAR, prior research on the SPAWN/SPAWNCHIMERA family, the MITRE ATT&CK framework, the Diamond Model of Intrusion Analysis, and the Lockheed Martin Cyber Kill Chain.

Within the global threat landscape, this analysis aligns with the significant trend observed since 2023 of systematic exploitation of network edge appliances by state-sponsored actors. Compromises of Ivanti (Connect Secure, Policy Secure, ZTA), Fortinet FortiGate, Citrix NetScaler, and Palo Alto PAN-OS appliances have constituted a preferred attack vector, owing to defenders’ limited visibility into these devices, the frequent absence of EDR solutions, and the strategic network position of these appliances.

3. Threat Landscape & Strategic Context

3.1 History and evolution

The SPAWN malware family was first identified in the context of Ivanti vulnerability exploitation. SPAWNSNAIL (SSH backdoor), SPAWNMOLE (tunneler), SPAWNSLOTH (log tamper), and SPAWNANT (installer) constitute the modular components of this ecosystem. SPAWNCHIMERA represents an evolution consolidating several of these capabilities into a single binary. RESURGE constitutes the most advanced observed iteration, integrating additional capabilities not previously documented: coreboot manipulation, integrity scanner neutralization, and critically, a passive TLS authentication mechanism based on CRC32 fingerprinting.

CVE-2025-0282, published in January 2025, is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. Its CVSS score is 9.0 (Critical). Exploitation requires no prior authentication and enables remote arbitrary code execution. Ivanti confirmed active exploitation prior to patch release, and CISA added this vulnerability to the KEV (Known Exploited Vulnerabilities) catalog.

3.2 Actor typology

The observed tradecraft analysis points attribution toward a state or state-affiliated actor. Several elements converge: cryptographic sophistication (Elliptic Curve Cryptography on P-521 curve, Mutual TLS, embedded CA); passive C2 model optimized for long-term persistence and evasion; firmware manipulation capability (coreboot) demonstrating deep knowledge of Ivanti’s internal architecture; and critical infrastructure targeting. Public reports have associated CVE-2025-0282 exploitation with groups linked to the People’s Republic of China, notably UNC5337/UNC5221, although definitive attribution falls outside the scope of this analysis.

The role of Initial Access Brokers (IABs) cannot be excluded as a secondary proliferation vector. Given the wide documentation of CVE-2025-0282 exploitation, it is plausible that IABs have integrated this vulnerability into their catalog for resale to ransomware operators or other threat actors.

3.3 Underlying economic model

The economic model of VPN perimeter appliance exploitation rests on an extremely favorable cost/benefit ratio for the attacker. The initial investment (exploit development, implant engineering) is amortized across a large number of potential targets. Return on investment includes: persistent access to internal networks of large organizations, strategic data exfiltration capability, positioning for subsequent operations (ransomware deployment, sabotage, espionage), and the possibility of access resale through IAB ecosystems. RESURGE’s dormant nature maximizes the exploitation duration of each compromise.

3.4 MITRE ATT&CK mapping

| Tactic | Technique ID | Technique Name | RESURGE Implementation |
| --- | --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application | CVE-2025-0282 exploitation (stack buffer overflow) |
| Execution | T1059.004 | Unix Shell | SSH shell via embedded libssh |
| Persistence | T1542.003 | Bootkit | Encrypted coreboot RAM disk modification |
| Persistence | T1546.006 | LD_PRELOAD Hijacking | Insertion into ld.so.preload |
| Persistence | T1505.003 | Web Shell | compcheckresult.cgi with vXm8DtMJG parameter |
| Defense Evasion | T1014 | Rootkit | accept() function hooking in web process |
| Defense Evasion | T1070.002 | Clear Linux or Mac System Logs | SPAWNSLOTH (liblogblock.so) via funchook |
| Defense Evasion | T1036.005 | Match Legitimate Name or Location | Forged TLS certificate impersonating Ivanti |
| Defense Evasion | T1027 | Obfuscated Files or Information | Coreboot re-encryption with extracted AES key |
| Defense Evasion | T1553.006 | Code Signing Policy Modification | SHA-256/SHA-512 manifest signature regeneration |
| Credential Access | T1556 | Modify Authentication Process | Integrity Checker manipulation (scanner.py) |
| Command and Control | T1071.001 | Web Protocols | Passive TLS with CRC32 fingerprint |
| Command and Control | T1573.002 | Asymmetric Cryptography | ECC P-521 for encrypted C2 channel |
| Command and Control | T1090.001 | Internal Proxy | Proxy via .logsrv Unix socket |

3.5 24-month trends and geopolitical correlations

The 2024-2026 period confirms the industrialization of edge device exploitation. The frequency of critical vulnerability discoveries in Ivanti products (CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, CVE-2025-0282) indicates a sustained offensive research effort. CISA’s response, which included issuing Emergency Directive ED 24-01 ordering the disconnection of Ivanti appliances in US federal agencies, illustrates the systemic severity of this trend. Geopolitical correlations point toward strategic intelligence collection operations by Asian state actors, against a backdrop of heightened tensions in the South China Sea and around Taiwan.

4. Methodology

4.1 CTI approach

The analysis is structured across three CTI cycle levels. At the tactical level, the study focuses on indicators of compromise (IoCs): file hashes, forged TLS certificates, network and file system artifacts. At the operational level, the analysis reconstructs the complete attack chain, from initial exploitation to post-reboot persistence, documenting TTPs (Tactics, Techniques and Procedures). At the strategic level, the assessment covers implications for organizational security posture, regulatory considerations, and threat landscape trends.

4.2 Frameworks employed

MITRE ATT&CK v15 serves as the primary framework for TTP mapping. The Diamond Model of Intrusion Analysis is used to structure the relationship between adversary, infrastructure, victim, and capabilities. The Lockheed Martin Cyber Kill Chain provides the sequential framework for technical analysis (sections 5.1 through 5.10). CVSS v3.1 is used for vulnerability qualification.

4.3 Analytical logic

The analysis proceeds through static reverse engineering of the binary artifacts documented in the CISA MAR, complemented by interpretation of the pseudocode provided in figures 1 through 7 of the report. Attack chain reconstruction relies on CISA’s technical documentation, prior publications on the SPAWN family, and knowledge of Ivanti Connect Secure’s internal architecture. Network indicators are derived from the custom TLS authentication protocol analysis documented in the updated MAR.

4.4 Methodological limitations

Several limitations must be explicitly acknowledged. The analysis relies on CISA’s public documentation rather than direct binary access. The provided pseudocode is a simplified representation of disassembled code that may omit conditional branches or additional mechanisms. Attribution to a specific actor falls outside this analysis scope absent access to classified data. Finally, potentially undocumented capabilities of RESURGE (additional commands, additional persistence mechanisms) cannot be excluded.

5. Technical Analysis

5.1 Initial Access

The initial access vector is the exploitation of CVE-2025-0282, a stack-based buffer overflow vulnerability affecting the web component of Ivanti Connect Secure (versions prior to 22.7R2.5), Policy Secure, and ZTA Gateways. Exploitation is achievable without prior authentication (pre-auth), remotely, via a specially crafted HTTP request. The CVSS v3.1 score is 9.0 (Critical). Exploit maturity is assessed as weaponized: evidence of active in-the-wild exploitation prior to patch release was confirmed by both Ivanti and CISA. Public Proof-of-Concept (PoC) exploits have been identified.

5.2 Exploitation Chain

The exploitation chain follows a two-phase schema. The first phase consists of exploiting the buffer overflow to achieve arbitrary code execution within the context of the Ivanti Connect Secure web process. The second phase involves deploying the RESURGE payload (libdsupgrade.so) to the appliance’s file system. The implant is designed to be dynamically loaded by the web and dsmdm processes via the Linux LD_PRELOAD mechanism, ensuring automatic execution upon these services’ startup.

5.3 Payload Architecture

RESURGE (libdsupgrade.so) is a 32-bit LSB ELF (Intel 80386), dynamically linked, stripped, 1.41 MB in size. The binary implements a modular architecture articulated around two operating modes determined by the host process:

Web mode: When loaded by Ivanti’s web process, RESURGE hooks the accept() function via process injection. This hook enables inspection of all incoming TLS traffic and differentiation between legitimate connections and operator connections via the CRC32 fingerprinting scheme detailed in section 5.8.

Dsmdm mode: When loaded by the dsmdm process, RESURGE deploys a complete SSH server based on a statically linked libssh implementation. This SSH server does not bind to a network port but rather to a Unix socket (/home/runtime/tmp/.logsrv), creating an internal communication channel between the proxy component (web mode) and the shell component (dsmdm mode).

Additionally, RESURGE contains the SPAWNSLOTH component (liblogblock.so, 95 KB), which it drops to /tmp to neutralize logging by the dslogserver process. The third artifact, dsmain (5.10 MB, 64-bit ELF), is a static binary embedding BusyBox and the extract_vmlinux.sh script, used for firmware manipulation operations.

5.4 Persistence

RESURGE implements four complementary persistence mechanisms ensuring survival across reboots and firmware updates:

LD_PRELOAD persistence: RESURGE inserts itself at the first position in /etc/ld.so.preload, guaranteeing automatic loading by any dynamically linked process. DSUpgrade.pm is also modified to set the LD_PRELOAD environment variable.

Web Shell persistence: A web shell is inserted into compcheckresult.cgi, activatable via the HTTP parameter vXm8DtMJG. This parameter enables arbitrary system command execution through the Ivanti web server.

Bootkit persistence (coreboot): RESURGE modifies the appliance’s encrypted coreboot RAM disk. The process involves: extracting the 16-byte AES key from the vmlinux kernel (at a dynamically calculated offset), decrypting coreboot.img, extracting the cpio archive, injecting RESURGE and dsmain into the coreboot file system, modifying the /bin/init initialization script, recompressing, re-encrypting with the same AES key, and replacing the original coreboot.img. This mechanism ensures persistence even after a complete reboot.

Integrity check falsification: RESURGE recalculates SHA-256 hashes for each modified file and updates the manifest file. It then generates a new RSA 2048-bit key pair, signs the manifest with SHA-512, and replaces manifest.1 (signature) and manifest.2 (public key). The check_integrity.sh script is modified to always return a success code (exit 0). The scanner.py and scanner_legacy.py scripts are neutralized by replacing mismatch counters with pass statements.

5.5 Privilege Escalation

Exploitation of CVE-2025-0282 directly provides code execution in the context of the web process, which runs with elevated privileges on the Ivanti appliance. The LD_PRELOAD mechanism ensures RESURGE inherits the privileges of any process it infects. Access to coreboot and the ability to modify the init script demonstrate root-level access. No specific additional privilege escalation mechanism is documented, as the initial exploitation already provides the necessary privileges.

5.6 Defense Evasion

RESURGE implements a remarkably deep evasion arsenal operating at multiple levels:

Network-level evasion: The passive C2 mechanism through CRC32 fingerprinting of TLS ClientHello packets allows RESURGE to blend into legitimate TLS traffic. No abnormal outbound traffic is generated. The forged TLS certificate impersonating Ivanti (CN=va1.Ivanti.net, O=Ivanti Org) is used as an authentication mechanism in the ServerHello, not to encrypt communications. The initial TLS exchange is fake: the 65547-byte buffer used to receive data is a local stack variable that is not persisted, confirming this is an identity verification rather than a real TLS handshake. The actual secure connection then uses Mutual TLS with ECC (P-521 curve).

File system-level evasion: Regeneration of SHA-256 hashes in the manifest, re-signing with a new RSA key pair, and modification of check_integrity.sh completely neutralize Ivanti’s integrity mechanism (Integrity Checker Tool, ICT).

Log-level evasion: The SPAWNSLOTH component (liblogblock.so) intercepts the _ZN5DSLog4File3addEPKci function of the dslogserver process via funchook, suppressing or altering log entries.

Scanner-level evasion: Modifications to scanner.py and scanner_legacy.py prevent detection of modified or added files by Ivanti’s compliance scanner.

5.7 Lateral Movement

RESURGE does not contain intrinsic lateral movement mechanisms. However, the strategic position of the Ivanti Connect Secure appliance as a VPN concentrator provides the operator with direct access to the organization’s internal network. The full SSH shell provided by the libssh component enables the operator to use the compromised appliance as a pivot for lateral movement operations using standard or additional subsequently deployed tools. The BusyBox tool embedded in dsmain (with applets for compression, extraction, and shell scripting) facilitates downloading additional tools.

5.8 Command and Control

RESURGE’s C2 architecture relies on a highly sophisticated passive model operating in four stages:

Stage 1 – CRC32 ClientHello fingerprinting: The accept() function hook intercepts incoming TLS connections. RESURGE extracts the 32 bytes from the ClientHello TLS random field. The last 28 bytes are CRC32 hashed. The result is byte-swapped via the BSWAP instruction ((v2 << 8) & 0xFF0000 | (v2 << 24) | (v2 >> 8) & 0xFF00 | HIBYTE(v2)). This result is compared to the first 4 bytes of the random field. If matching fails, the connection is forwarded to the legitimate Ivanti web server.

Stage 2 – ServerHello generation with CRC32 fingerprint: RESURGE generates 28 random bytes, computes their CRC32 hash, byte-swaps the result via _byteswap_ulong(), and places these 4 bytes at the beginning of the ServerHello random field. The remote operator can thus verify communication with RESURGE rather than the legitimate Ivanti server.

Stage 3 – Forged TLS certificate transmission: The ServerHello is accompanied by a forged TLS certificate (1306 bytes total for the response). This certificate, issued for CN=va1.Ivanti.net by O=Ivanti Org, valid from July 15, 2024 to January 5, 2030, with serial number 59:d3:b0:74:ac:64:33:01, constitutes a deterministic network indicator. This certificate is transmitted in cleartext across the network and can be detected through passive traffic inspection.

Stage 4 – Mutual TLS establishment with ECC: After the initial authentication phase (fake TLS), a real Mutual TLS session is established using Elliptic Curve Cryptography on the secp521r1 curve (NIST P-521). RESURGE requests the operator’s EC key and verifies it via a hard-coded embedded EC Certificate Authority (CA) certificate. The EC public key certificate and EC private key are hard-coded in the binary (DER format). This mechanism ensures that only an operator possessing a certificate signed by the embedded CA can access C2 capabilities.

Internal proxy-shell communication: The proxy component (web mode) forwards authenticated traffic to the Unix socket /home/runtime/tmp/.logsrv. The shell component (dsmdm mode) listens on this same socket and provides full SSH access via libssh. This architecture decouples the network entry point from the interactive shell.
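As an added illustration of stages 1 and 2 from the defender's side (example code written for this article, not code from the CISA MAR or from the implant), the following Python checks whether the 32-byte random of a captured ClientHello or ServerHello has the described layout: first 4 bytes equal to the byte-swapped CRC32 of the remaining 28. It assumes the standard CRC-32 (zlib) polynomial and that the BSWAP comparison amounts to the CRC in big-endian byte order on the wire; the TLS records it scans are constructed inline.

```python
import struct
import zlib
from typing import List, Optional


def random_has_crc32_fingerprint(random32: bytes) -> bool:
    """Return True if random[0:4] == BSWAP(CRC32(random[4:32])), the layout
    the MAR attributes to RESURGE's ClientHello/ServerHello random fields.
    Assumption: the implant uses the standard CRC-32 (zlib/IEEE) polynomial."""
    if len(random32) != 32:
        return False
    crc = zlib.crc32(random32[4:]) & 0xFFFFFFFF
    # The implant byte-swaps the 32-bit CRC before comparing it with the DWORD
    # at the start of the random field; on the wire that is simply the CRC in
    # big-endian byte order.
    return random32[:4] == struct.pack(">I", crc)


def extract_hello_random(record: bytes) -> Optional[bytes]:
    """Pull the 32-byte random out of a TLS handshake record that carries a
    ClientHello (type 1) or ServerHello (type 2); None for anything else."""
    # TLS record header: content_type(1) legacy_version(2) length(2)
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3)
    if len(body) < 4 or body[0] not in (1, 2):
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # Both hello bodies start with legacy_version(2) followed by random(32)
    if len(hello) < 34:
        return None
    return hello[2:34]


def scan_records(records: List[bytes]) -> List[int]:
    """Indices of records whose hello random carries the CRC32 fingerprint.
    A chance match on a genuinely random field is about 1 in 2^32, so a hit
    on a connection to an Ivanti appliance is worth an alert on its own."""
    hits = []
    for i, rec in enumerate(records):
        rnd = extract_hello_random(rec)
        if rnd is not None and random_has_crc32_fingerprint(rnd):
            hits.append(i)
    return hits


def build_client_hello(random32: bytes) -> bytes:
    """Minimal TLS 1.2-style ClientHello record; a constructed test fixture,
    not a capture from an affected appliance."""
    hello = (
        b"\x03\x03" + random32
        + b"\x00"               # session_id length 0
        + b"\x00\x02\x13\x01"   # one cipher suite
        + b"\x01\x00"           # compression methods: null only
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake


# Constructed samples: an ordinary random, and one laid out exactly as the
# MAR describes so the detector has a known positive to check against.
BENIGN_RANDOM = bytes(range(0x10, 0x30))
_TAIL = bytes(range(0xA0, 0xBC))
FINGERPRINTED_RANDOM = struct.pack(">I", zlib.crc32(_TAIL) & 0xFFFFFFFF) + _TAIL

SAMPLE_RECORDS = [
    build_client_hello(BENIGN_RANDOM),
    b"\x17\x03\x03\x00\x05hello",   # application data record, not a handshake
    build_client_hello(FINGERPRINTED_RANDOM),
]

if __name__ == "__main__":
    for i in scan_records(SAMPLE_RECORDS):
        print(f"record {i}: random field matches the CRC32 fingerprint layout")
```

The same check applied to ServerHello randoms covers stage 2, since the implant writes the fingerprint into its ServerHello in the same position.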

5.9 Data Exfiltration

No automated data exfiltration mechanism is documented in RESURGE. However, the full SSH shell provided to the operator enables manual or scripted exfiltration via any protocol available on the appliance. The Ivanti appliance’s position as a VPN concentrator provides potential access to all VPN traffic transiting through the device, including user authentication credentials. BusyBox applets (tar, gzip, cat, etc.) facilitate data preparation and transfer.

5.10 Impact Logic

RESURGE’s impact is structurally maximal. The operator has total control over the appliance (root shell via SSH), visibility over the organization’s VPN traffic, persistence surviving reboots and updates (coreboot bootkit), invisibility to vendor integrity tools, and log erasure capability (log tampering). The compromised appliance becomes a permanent and stealthy entry point to the internal network, exploitable at the operator’s discretion for espionage, exfiltration, pre-operational positioning, or sabotage.

6. Detection Engineering Perspective

6.1 Detection surface

Network-based indicators: The forged TLS certificate (CN=va1.Ivanti.net, serial 59:d3:b0:74:ac:64:33:01) is transmitted in cleartext in the ServerHello during C2 connections. This certificate constitutes the most reliable and actionable indicator. A detection rule targeting the serial number or RSA modulus of this certificate in non-decrypted TLS flows (ServerHello inspection) offers deterministic detection. The CRC32 random field schema is theoretically detectable but operationally challenging due to TLS traffic volume.

Host-based indicators: Presence of libdsupgrade.so in /lib/ and in coreboot. Presence of /home/runtime/tmp/.logsrv (Unix socket). Presence of /tmp/.liblogblock.so. Modification of /etc/ld.so.preload. Modification of compcheckresult.cgi (vXm8DtMJG parameter addition). Modification of DSUpgrade.pm (LD_PRELOAD addition). Modification of scanner.py and scanner_legacy.py (replacement with pass). Modification of check_integrity.sh (exit 0).
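An added Python example (written for this article; not a CISA or Ivanti tool) that applies the host-based indicators above to a mounted filesystem image and compares selected files against reference hashes taken from a clean image rather than the appliance's own manifest. The paths under constructed/ and the stand-in script contents are constructed for the demonstration; the indicator paths and markers are the ones listed above.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List

# Indicators from the MAR summary above, as paths relative to the root of a
# mounted appliance filesystem image. Work from an image rather than the live
# appliance: RESURGE hooks the web process and rewrites on-device integrity data.
PRELOAD_FILE = "etc/ld.so.preload"
PATH_INDICATORS = {
    "home/runtime/tmp/.logsrv": "RESURGE proxy-to-shell UNIX socket",
    "tmp/.liblogblock.so": "SPAWNSLOTH drop location",
}
CONTENT_INDICATORS = {  # file name -> substring a clean copy should not contain
    "compcheckresult.cgi": "vXm8DtMJG",
    "DSUpgrade.pm": "LD_PRELOAD",
}

def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def check_preload(root: str) -> List[str]:
    """RESURGE inserts itself at the first position of ld.so.preload."""
    full = os.path.join(root, PRELOAD_FILE)
    if not os.path.isfile(full):
        return []
    with open(full, "r", errors="replace") as f:
        entries = [line.strip() for line in f if line.strip()]
    return [f"{PRELOAD_FILE}: libdsupgrade.so at position {i + 1}"
            for i, entry in enumerate(entries) if "libdsupgrade.so" in entry]

def check_paths(root: str) -> List[str]:
    # lexists() so a socket or dangling entry still counts as present.
    return [f"{rel}: present ({desc})" for rel, desc in PATH_INDICATORS.items()
            if os.path.lexists(os.path.join(root, rel))]

def check_contents(root: str) -> List[str]:
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            marker = CONTENT_INDICATORS.get(name)
            if marker is None:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                if marker.encode() in f.read():
                    findings.append(f"{os.path.relpath(full, root)}: contains {marker!r}")
    return findings

def check_reference_hashes(root: str, reference: Dict[str, str]) -> List[str]:
    """Compare files against SHA-256 values from a clean reference image obtained
    out of band. The on-device manifest cannot serve as that reference because
    RESURGE regenerates and re-signs it; this is also how a tampered
    check_integrity.sh or scanner.py is caught without guessing at their contents."""
    findings = []
    for rel, expected in reference.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings.append(f"{rel}: missing")
        elif sha256_of(full) != expected:
            findings.append(f"{rel}: hash differs from reference image")
    return findings

def triage(root: str, reference: Dict[str, str]) -> List[str]:
    return (check_preload(root) + check_paths(root)
            + check_contents(root) + check_reference_hashes(root, reference))

# Constructed stand-in for the clean vendor script, used only for the demo.
CLEAN_SCRIPT = b"#!/bin/sh\n# constructed stand-in for the vendor script\nexit 1\n"

def build_constructed_image(root: str) -> Dict[str, str]:
    """Write a constructed tree carrying several indicators; return the reference
    hash a clean copy of the stand-in integrity script would have."""
    def write(rel: str, data: bytes) -> None:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    write("etc/ld.so.preload", b"/lib/libdsupgrade.so\n/lib/libother.so\n")
    write("home/runtime/tmp/.logsrv", b"")  # regular file standing in for the socket
    write("constructed/cgi/compcheckresult.cgi", b"...vXm8DtMJG...")
    write("constructed/check_integrity.sh", b"#!/bin/sh\nexit 0\n")  # tampered copy
    return {"constructed/check_integrity.sh": hashlib.sha256(CLEAN_SCRIPT).hexdigest()}

def demo() -> List[str]:
    root = tempfile.mkdtemp(prefix="ics-image-")
    try:
        return triage(root, build_constructed_image(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```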

6.2 Blind spots

Blind spots are significant. Ivanti’s ICT is neutralized (hashes regenerated, manifest re-signed, scanner disabled). System logs are altered by SPAWNSLOTH. C2 traffic blends with legitimate TLS traffic. Modified firmware (coreboot) is not inspected by standard tools. EDR solutions are generally not deployed on VPN appliances. RESURGE’s dormant nature means network indicators are only observable when the operator actively connects.

6.3 Telemetry requirements

Operational detection requires: passive TLS traffic inspection (ServerHello certificate extraction) on links upstream of the Ivanti appliance; file system access to the appliance for host-based IoC verification (ideally via a method independent of the compromised ICT mechanism); capture and analysis of network traffic upstream and downstream of the appliance; and firmware forensic capability (coreboot extraction and analysis).

6.4 SOC correlation logic

SOC correlation rules should target: forged TLS certificate detection in ServerHello flows (deterministic signature); inbound TLS connections to the Ivanti appliance whose ServerHello contains a certificate different from the known legitimate Ivanti certificate; accesses to compcheckresult.cgi with the vXm8DtMJG parameter in reverse proxy or WAF logs if deployed upstream; and logging anomalies on the Ivanti appliance (gaps, interruptions).

6.5 Threat hunting hypotheses

Hypothesis 1: Ivanti Connect Secure appliances deployed within the organization harbor a dormant RESURGE instance, detectable through file system and coreboot forensic analysis. Hypothesis 2: Inbound TLS connections to Ivanti appliances contain RESURGE’s forged certificate, detectable through retrospective analysis of network captures. Hypothesis 3: The appliance’s configuration and integrity control files have been modified, detectable by comparison with a clean reference image.

6.6 Indicators of Compromise vs Indicators of Behavior

Static IoCs (SHA-256 hashes) for the three artifacts are documented in the CISA MAR and the associated STIX JSON file. However, the operational value of static IoCs is limited in this case: hashes may vary between deployments, and the implant’s dormant nature reduces opportunities for network IoC-based detection. Indicators of Behavior (IoBs) are more durable and include: the CRC32 TLS fingerprinting structure, use of a Unix socket named .logsrv, modification of ld.so.preload, and integrity mechanism neutralization. CISA-provided YARA rules (CISA_25993211_01, CISA_25239228_04, CISA_25993211_02) constitute the most reliable host-level detection signatures.

Indicators of Compromise

| Type | Value | Description |
| --- | --- | --- |
| SHA-256 | 52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda | libdsupgrade.so (RESURGE) |
| SHA-256 | 3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104 | liblogblock.so (SPAWNSLOTH) |
| SHA-256 | b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d | dsmain (BusyBox + extract_vmlinux.sh) |
| TLS Cert Serial | 59:d3:b0:74:ac:64:33:01 | Fake Ivanti TLS Certificate |
| TLS Cert CN | va1.Ivanti.net | Fake Ivanti TLS Certificate Subject |
| TLS Cert Org | Ivanti Org | Fake Ivanti TLS Certificate Issuer |
| File Path | /home/runtime/tmp/.logsrv | UNIX socket for C2 proxy-shell communication |
| File Path | /tmp/.liblogblock.so | SPAWNSLOTH dropper location |
| Web Shell Param | vXm8DtMJG | compcheckresult.cgi backdoor parameter |
| EC CA CN | CN=QcCpIAsFy6cEI | Embedded EC Certificate Authority |
| EC Cert CN | CN=YUjdgeQQyLtco | Embedded EC Public Certificate |

7. Risk Modeling

7.1 Operational Risk

Operational risk is assessed as CRITICAL. The implant provides full, persistent, and stealthy shell access to a perimeter device. Compromising a VPN appliance potentially enables interception of all VPN sessions, access to user credentials, and pivoting into the internal network. Neutralization of vendor integrity mechanisms means standard operational verification procedures are no longer reliable. The implant’s dormant nature implies the exposure window may extend over months or years without detection.

7.2 Strategic Risk

Strategic risk is assessed as HIGH. Compromising Ivanti Connect Secure appliances in critical sectors (government, defense, finance, healthcare, energy) can have strategic consequences: access to classified or sensitive information, positioning for sabotage operations during crises, and erosion of confidence in perimeter security solutions. The probable state-actor attribution amplifies the strategic dimension.

7.3 Regulatory Risk

Regulatory risk is assessed as HIGH. In Europe, the NIS2 directive mandates significant incident notification within 24 hours (early warning) and 72 hours (full notification). The DORA regulation imposes similar requirements for the financial sector. Discovering a dormant implant potentially dating back several months raises the question of incident date determination and notification deadline compliance. GDPR applies if personal data was accessible or exfiltrated via the compromised appliance.

7.4 Supply Chain Risk

Supply chain risk is assessed as MODERATE to HIGH. While RESURGE does not strictly constitute a supply chain attack (the initial vector is vulnerability exploitation, not compromise of Ivanti’s distribution process), firmware modification (coreboot) introduces a propagation risk through update mechanisms. If a compromised firmware image is saved and reused, the risk propagates. Trust in the vendor’s integrity mechanisms is structurally compromised by RESURGE’s capabilities.

7.5 Risk amplification scenarios

Several amplification scenarios are identified. Simultaneous compromise of multiple Ivanti appliances within the same organization would enable extended lateral access. Using RESURGE access as an entry point for a ransomware operation would amplify operational and financial impact. Combination with a supply chain attack targeting backup and restoration processes could make remediation significantly more complex. Resale of RESURGE access through IAB ecosystems could multiply the actors exploiting the compromise.

8. Mitigation & Structural Controls

8.1 Immediate technical controls

Immediate controls must include: deploying CISA-provided YARA rules (CISA_25993211_01, CISA_25239228_04, CISA_25993211_02) on file scanning systems; implementing a network detection rule for the forged TLS certificate (serial 59:d3:b0:74:ac:64:33:01, CN=va1.Ivanti.net) in NIDS/NIPS solutions; independent forensic verification (not ICT-based) of the file system of all deployed Ivanti Connect Secure appliances; and coreboot analysis of appliances to detect unauthorized modifications.

8.2 Tactical response adjustments

Tactical adjustments include: complete reconstruction (factory reset and reinstallation from a clean image) of any Ivanti appliance where IoCs are detected; immediate rotation of all credentials, certificates, and keys accessible from the compromised appliance; forensic examination of historical network traffic to identify C2 connections via the forged certificate; and activation of enhanced monitoring of traffic upstream of Ivanti appliances.

8.3 Architectural redesign if required

The repeated compromise of Ivanti Connect Secure appliances should prompt architectural re-evaluation. Options include: migration to a Zero Trust Network Access (ZTNA) architecture reducing dependence on a single VPN concentrator; deployment of micro-segmentation solutions limiting the impact of a perimeter compromise; addition of detection layers independent of the appliance (network probes, upstream TLS inspection, jump servers); and evaluation of alternative VPN solutions with a more favorable security track record.

8.4 Governance adaptation

Governance adaptations include: integrating perimeter appliances into the SOC monitoring perimeter with the same telemetry level as critical servers; updating incident response procedures to include firmware forensics; revising vendor support contracts to require independently verifiable integrity mechanisms; and adding VPN appliance compromise scenarios to crisis exercises.

8.5 CERT maturity implications

Detection and remediation of RESURGE require a high CERT maturity level. Required competencies include: embedded appliance forensics (firmware extraction and analysis, 32/64-bit ELF binary reverse engineering); TLS traffic analysis (certificate inspection in handshakes); IoC-based detection capability across both network and host vectors; and coordination with national CERTs (CERT-FR, CISA) for indicator sharing. CERT/CSIRT teams must assess their capability to conduct forensic investigations on proprietary appliances with partially documented internal architectures.

9. Strategic Outlook (6-12 months)

9.1 Probable industrialization

Publication of the updated CISA MAR, while beneficial for defenders, also provides a detailed blueprint for other threat actors. Industrialization of documented techniques (CRC32 fingerprinting, coreboot manipulation, integrity mechanism falsification) within offensive frameworks is probable within a 6 to 12-month horizon. The availability of PoCs for CVE-2025-0282 accelerates this dynamic.

9.2 TTP evolution

Anticipated TTP evolutions include: replacement of the CRC32 scheme with more robust authentication mechanisms (HMAC, asymmetric signatures) in future variants; evolution of the forged TLS certificate to evade detection signatures based on the current certificate; extension of the model to other perimeter appliances (Fortinet, Palo Alto, Citrix); and strengthening of C2 channel encryption to complicate analysis.

9.3 Weaponization curve

The weaponization curve for CVE-2025-0282 is already at maturity. The vulnerability is actively exploited, PoCs are available, and the RESURGE implant is fully operational. The probable evolution concerns diversification of payloads deployed via this vector and adaptation to patches deployed by Ivanti.

9.4 Variant anticipation

RESURGE variants are foreseeable, targeting: new Ivanti Connect Secure versions with strengthened integrity mechanisms (requiring adaptation of falsification techniques); other perimeter appliances sharing similar architectures (embedded Linux with encrypted firmware management); and additional objectives such as automated exfiltration capability injection or autonomous lateral movement.

9.5 Sectoral attack surface impact

The most exposed sectors are: government and defense (priority targets for state espionage); financial services (transactional and strategic data, DORA obligations); healthcare (medical data, critical systems); and critical infrastructure operators (energy, telecommunications, transportation). The post-pandemic generalization of remote work has amplified dependence on VPN solutions, expanding the sectoral attack surface.

10. My conclusion

In-depth analysis of RESURGE reveals an implant whose sophistication exceeds opportunistic compromise. The combination of a passive C2 model based on TLS fingerprinting, multi-layered persistence including encrypted firmware manipulation, and methodical neutralization of all vendor detection and integrity mechanisms constitutes a coherent, methodical tradecraft likely operated by an actor with significant resources and deep knowledge of Ivanti's architecture.

The CISA MAR update of February 2026 provides a decisive insight into RESURGE's dormant nature. The implant generates no observable activity in the absence of an operator connection, which invalidates detection approaches based on outbound C2 traffic. This characteristic implies that the number of deployed and undetected RESURGE instances is likely underestimated.

The implications for defenders are structural. Trust in vendor-provided integrity mechanisms (ICT, scanner.py) is irreversibly compromised for potentially affected devices. The only reliable remediation is complete reconstruction from a clean image, preceded by thorough forensics. In the medium term, reliance on proprietary perimeter appliances with non-fully-auditable firmware constitutes an architectural risk that organizations must integrate into their security strategy.

The forged TLS certificate constitutes the most actionable network indicator identified. Its deployment as a detection signature in NIDS/NIPS solutions and passive TLS inspection capabilities represents the most effective detection measure for organizations that have not yet conducted complete forensics of their appliances.
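As an added illustration of the passive TLS inspection measure above (example code written for this page, not part of the CISA MAR or any Ivanti tooling), the snippet below parses a plaintext TLS 1.2 Certificate handshake record, computes the SHA-256 fingerprint of each DER certificate it carries, and matches the result against an IoC set. The fingerprint set is a placeholder: this section does not reproduce the forged certificate's hash, so the value must be taken from the CISA MAR; the sample record is constructed inline and does not contain a real X.509 certificate.

```python
import hashlib
import struct

# PLACEHOLDER: replace with the forged-certificate fingerprint from the CISA MAR.
FORGED_CERT_SHA256 = {"PLACEHOLDER_SHA256_FROM_CISA_MAR"}


def extract_cert_fingerprints(record: bytes) -> list:
    """Return SHA-256 fingerprints of every DER cert in a TLS Certificate record.
    Only plaintext TLS 1.2 handshakes expose this message; in TLS 1.3 the
    Certificate message is encrypted, so passive inspection cannot see it."""
    if len(record) < 5 or record[0] != 0x16:            # 0x16 = handshake record
        return []
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x0B:                # 0x0B = Certificate message
        return []
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < 3:
        return []
    total = int.from_bytes(hs[0:3], "big")              # certificate_list length
    cursor, end, fps = 3, 3 + total, []
    while cursor + 3 <= end:
        clen = int.from_bytes(hs[cursor:cursor + 3], "big")
        der = hs[cursor + 3:cursor + 3 + clen]
        if len(der) != clen:                            # truncated capture: stop, do not guess
            break
        fps.append(hashlib.sha256(der).hexdigest())
        cursor += 3 + clen
    return fps


def match_forged_cert(record: bytes, iocs=FORGED_CERT_SHA256) -> list:
    """Fingerprints from the record that match the IoC set (empty list = no hit)."""
    return [fp for fp in extract_cert_fingerprints(record) if fp in iocs]


def build_certificate_record(certs: list) -> bytes:
    """Build a TLS 1.2 Certificate record; used only to construct sample input."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    hs = b"\x0b" + (len(entries) + 3).to_bytes(3, "big") \
        + len(entries).to_bytes(3, "big") + entries
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    fake_der = b"\x30\x82\x00\x10" + b"CONSTRUCTED-CERT"   # constructed, not a real X.509 blob
    sample = build_certificate_record([fake_der])
    print(extract_cert_fingerprints(sample), match_forged_cert(sample))
```

In a real deployment the record would be taken from a capture (for example a pcap handler feeding the server's Certificate message) and the IoC set populated from the MAR's indicators.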

Enjoy!

11. References

  • CISA MAR-25993211-r1.v2: https://www.cisa.gov/news-events/analysis-reports/ar25-087a
  • CISA Alert – RESURGE Malware Associated with Ivanti Connect Secure: https://www.cisa.gov/news-events/alerts/2025/03/28/cisa-releases-malware-analysis-report-resurge-malware-associated-ivanti-connect-secure
  • CISA Mitigation Instructions for CVE-2025-0282: https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282
  • CISA Known Exploited Vulnerabilities Catalog – CVE-2025-0282: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • Ivanti Security Advisory SA-2025-0282: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282
  • NVD – CVE-2025-0282: https://nvd.nist.gov/vuln/detail/CVE-2025-0282
  • MITRE ATT&CK – T1190 Exploit Public-Facing Application: https://attack.mitre.org/techniques/T1190/
  • MITRE ATT&CK – T1542.003 Bootkit: https://attack.mitre.org/techniques/T1542/003/
  • MITRE ATT&CK – T1546.006 LD_PRELOAD: https://attack.mitre.org/techniques/T1546/006/
  • MITRE ATT&CK – T1505.003 Web Shell: https://attack.mitre.org/techniques/T1505/003/
  • MITRE ATT&CK – T1014 Rootkit: https://attack.mitre.org/techniques/T1014/
  • MITRE ATT&CK – T1573.002 Asymmetric Cryptography: https://attack.mitre.org/techniques/T1573/002/
  • Mandiant – UNC5337 / UNC5221 Ivanti Exploitation: https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-new
  • CISA Emergency Directive ED 24-01: https://www.cisa.gov/emergency-directive-24-01
  • NIS2 Directive (EU) 2022/2555: https://eur-lex.europa.eu/eli/dir/2022/2555
  • DORA Regulation (EU) 2022/2554: https://eur-lex.europa.eu/eli/reg/2022/2554
  • funchook (open source hooking library): https://github.com/nicecai/funchook
  • BusyBox: https://busybox.net/
  • CISA AR25-087A STIX JSON: https://www.cisa.gov/sites/default/files/2025-03/AR25-087A_STIX.json