The Ivanti VPN Zero-Day: How a Buffer Overflow in a VPN Appliance Breached the UK's Domain Registry

Nominet runs the UK domain registry, covering over 11 million domain names across extensions including co.uk, org.uk, wales, and pharmacy. In December 2024, a zero-day in the VPN appliance Nominet used for remote access gave attackers a way into that network. The entry point was a stack-based buffer overflow in Ivanti Connect Secure that didn't require any form of authentication to exploit.
The vulnerability, tracked as CVE-2025-0282, carried a CVSS score of 9.0 out of 10. Mandiant attributed the exploitation to UNC5221, a suspected Chinese state-sponsored espionage group that had already exploited Ivanti Connect Secure zero-days in January 2024. Five days after Ivanti released a patch, Censys found that only about 120 of 33,542 exposed instances had been updated, leaving 12,335 potentially vulnerable instances unpatched and internet-facing.
This is the story of a vulnerability class that keeps recurring, a threat actor that keeps returning, and an infrastructure category that sits at the centre of both problems.
What everyone thinks happened
The simplified version of the Nominet breach follows a familiar template. A VPN got hacked, the company noticed, patched it, said no data was stolen, and the story moved on within a news cycle.
That version misses several things that actually matter here. It misses that Nominet wasn't compromised through an obscure misconfiguration or a weak password. The attackers used a zero-day exploit against a fully supported, current-version VPN product. It misses that the same threat actor had done this before, to the same product line, 12 months earlier. And it misses that the malware deployed during these campaigns can survive system upgrades, evade integrity checking tools, and fake the update process to prevent administrators from patching.
The Nominet breach isn't primarily a story about one organisation's security posture. It's a case study in what happens when critical network infrastructure becomes the persistent target of a well-resourced intelligence service, and the defenders are working with tools designed before that threat model existed.
What actually happened
The vulnerability: CVE-2025-0282
Ivanti Connect Secure is an enterprise VPN that lets remote employees connect to internal networks. The appliance has to be exposed to the internet to accept incoming connections, which places it directly in the attack surface.
CVE-2025-0282 is a stack-based buffer overflow classified under CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write). The NVD gave it a CVSS v3.1 score of 9.0, rated Critical. It doesn't require authentication, so any attacker who can reach the appliance over the internet can attempt to exploit it.
It affected Ivanti Connect Secure 22.7R2 through 22.7R2.4, Policy Secure 22.7R1 through 22.7R1.1, and Neurons for Zero Trust Access (ZTA) 22.7R2 and 22.7R2.2. Exploitation was version-specific, which raised the attack complexity, but working out which version an appliance runs is simple enough through HTTP probes.
A companion vulnerability, CVE-2025-0283, was disclosed at the same time. That one was also a stack-based buffer overflow, but it needed local authenticated access for privilege escalation rather than enabling remote code execution.
How the Nominet breach unfolded
Mandiant's analysis places the earliest exploitation of CVE-2025-0282 in mid-December 2024. Nominet spotted suspicious activity on its network in late December 2024 or early January 2025. On 8 January 2025, the same day Ivanti disclosed the vulnerability and released a patch, Nominet told its customers by email. The Register broke the story publicly on 13 January 2025.
Nominet confirmed the entry point was "third-party VPN software supplied by Ivanti" exploiting "a zero-day vulnerability." They reported no evidence of data breach or leakage, no backdoors or other unauthorised access on their systems, and that domain registration and management systems kept running normally throughout.
Nominet brought in external security experts, restricted VPN access, reported the incident to the NCSC, and started applying patches. They became the first publicly confirmed victim of CVE-2025-0282.
The threat actor: UNC5221
Mandiant attributed the CVE-2025-0282 exploitation to UNC5337, which they later merged into UNC5221 after confirming both tracking names referred to the same group. Volexity independently tracked the same actor as UTA0178, calling them "a Chinese nation-state-level threat actor."
UNC5221 has shown a sustained, repeated focus on Ivanti products. In December 2023 through January 2024, they chained two vulnerabilities: CVE-2023-46805 (an auth bypass, CVSS 8.2) with CVE-2024-21887 (a command injection, CVSS 9.1). Together, those two bugs gave unauthenticated remote code execution against Ivanti Connect Secure and Policy Secure. Volexity confirmed at least 1,700 devices were hit globally, affecting organisations from small businesses to Fortune 500 companies across government, military, telecoms, defence, technology, banking, consulting, and aerospace.
Then in December 2024, the same group came back with CVE-2025-0282. In March through April 2025, UNC5221 was linked to the exploitation of CVE-2025-22457, yet another buffer overflow in Ivanti Connect Secure. That's three separate campaigns against the same product line in two years, each using a different zero-day, each deploying more sophisticated malware than the last.
The exploitation sequence
Mandiant documented the exploitation chain for CVE-2025-0282. This is what happened on compromised appliances, and likely what happened at Nominet:
First, the attackers probed target appliances for version info using HTTP requests, often from VPS providers or the Tor network. Once they'd found a vulnerable version, they triggered the buffer overflow to get code execution.
With code execution established, they disabled SELinux on the appliance to remove security controls. They blocked syslog forwarding so logs wouldn't reach central monitoring. They remounted the drive as read-write, dropped deployment scripts for their malware payloads, and set up web shells for persistent access.
After setting up persistence, they scrubbed specific log entries, re-enabled SELinux so the appliance looked normal to admins, and remounted the drive to its original state. The whole sequence was designed to leave the appliance looking clean while keeping full backdoor access.
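One observable that survives this sequence is the silence itself: an appliance that normally forwards syslog to a central collector stops doing so while the attacker works, and either resumes later or never comes back. The check below is an added example written for this article, not a Mandiant or Ivanti tool; it reads a collector's view of received messages and reports every source whose stream went quiet for longer than a threshold, including sources that are still silent at observation time. The hostnames, timestamps and the 15-minute threshold are constructed for illustration.

```python
"""Detect a VPN appliance that has stopped forwarding syslog to the collector."""
from datetime import datetime, timedelta

# Constructed collector log: "<receive-time> <source-host> <message>".
# vpn-gw-01 goes quiet between 01:10 and 02:40; fw-edge-01 never resumes.
SAMPLE_LOG = """\
2024-12-15T01:00:00 vpn-gw-01 system: health check ok
2024-12-15T01:05:00 vpn-gw-01 system: health check ok
2024-12-15T01:10:00 vpn-gw-01 system: health check ok
2024-12-15T02:40:00 vpn-gw-01 system: health check ok
2024-12-15T02:45:00 vpn-gw-01 system: health check ok
2024-12-15T01:00:00 fw-edge-01 system: health check ok
2024-12-15T01:05:00 fw-edge-01 system: health check ok
2024-12-15T01:10:00 fw-edge-01 system: health check ok
"""


def parse_events(text):
    """Group receive timestamps by source host."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _msg = line.split(" ", 2)
        events.setdefault(host, []).append(datetime.fromisoformat(ts))
    return events


def find_silence(events, threshold, now):
    """Return (host, last_seen, resumed_at) for every gap longer than threshold.

    resumed_at is None when the source is still silent at `now`.
    """
    gaps = []
    for host, stamps in events.items():
        stamps = sorted(stamps)
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > threshold:
                gaps.append((host, prev, cur))
        # Edge case: the stream was cut and has not come back yet.
        if now - stamps[-1] > threshold:
            gaps.append((host, stamps[-1], None))
    return gaps


def silent_sources(text=SAMPLE_LOG, threshold_minutes=15,
                   observed_at="2024-12-15T02:50:00"):
    """Run the check and return findings as ISO strings, sorted by host."""
    gaps = find_silence(parse_events(text), timedelta(minutes=threshold_minutes),
                        datetime.fromisoformat(observed_at))
    return [(host, start.isoformat(), end.isoformat() if end else None)
            for host, start, end in sorted(gaps, key=lambda g: (g[0], g[1]))]


if __name__ == "__main__":
    for host, start, end in silent_sources():
        print(f"{host}: silent from {start} until {end or 'now'}")
```

The threshold should be set from each appliance's normal message cadence; a device that only logs on user activity needs a longer window or a synthetic heartbeat to make the absence of logs meaningful.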
The malware: SPAWN, PHASEJAM, and DRYHOOK
The malware from the CVE-2025-0282 campaign is some of the most sophisticated appliance-level tooling that threat intelligence firms have documented.
The SPAWN family is a coordinated set of four components. SPAWNANT handles installation and deploys the other three. It can migrate itself to new upgrade partitions and recalculate SHA256 hashes of modified files, letting it dodge Ivanti's Integrity Checker Tool (ICT). SPAWNMOLE watches network traffic, filters malicious comms, and tunnels them to an attacker-controlled host. SPAWNSNAIL provides a passive SSH backdoor for persistent access. SPAWNSLOTH tampers with device logs to wipe evidence of compromise.
What makes SPAWN genuinely dangerous is that it persists across system upgrades. When admins update the appliance, SPAWNANT migrates to the new partition and recalculates file hashes so the integrity checker reports everything as clean. The upgrade finishes, the appliance looks patched and verified, and the backdoor stays active.
Alongside SPAWN, Mandiant found PHASEJAM, a dropper and web shell that blocks legitimate updates by showing a fake HTML upgrade progress bar. An admin trying to patch the appliance would see what looked like a normal upgrade running, while the update was actually being blocked. DRYHOOK went after the authentication module, modifying DSAuth.pm to intercept logins and harvest credentials in real time.
In March 2025, CISA published an analysis of RESURGE, another piece of malware found on a critical infrastructure organisation's Ivanti device. RESURGE creates SSH tunnels for command and control, manipulates integrity checks, and can copy web shells to the running boot disk. It can sit dormant and undetected on devices until the attacker reconnects, and it was accompanied by a variant of SPAWNSLOTH.
Post-exploitation: what happens after the VPN falls
Mandiant's "Cutting Edge" research series documented what UNC5221 did after getting into Ivanti appliances during the 2024 campaign. The pattern matters because the same actor was behind the 2025 exploitation that hit Nominet.
From compromised appliances, UNC5221 ran LDAP queries against the victim's Active Directory to map the network. They moved laterally to VMware vCenter servers, first through the web console and then via SSH. They created new virtual machines inside vCenter using naming that matched the victim's own conventions, making them harder to spot. They dropped ROOTROT, another backdoor, on the Connect Secure appliance as an initial foothold, and went after AD servers for full domain compromise.
The progression from VPN appliance to AD domain compromise represents a complete intrusion path from the network perimeter to the core identity infrastructure. A compromised VPN appliance isn't the end goal for an espionage actor; it's where they start building toward the real objective.
Myth vs fact
Myth 1: "The Nominet breach was a minor incident with no real impact."
Nominet confirmed that no data was breached and domain systems kept running normally. That's good news, and it reflects well on their segmentation and monitoring. But the breach matters beyond Nominet's direct exposure. They manage over 11 million UK domain names. If the registry's core systems had been compromised, an attacker could theoretically redirect domain traffic, intercept communications, or disrupt domain resolution across the entire UK namespace. The fact that it didn't happen this time doesn't reduce the severity of the threat model. An espionage actor inside Nominet's network had the chance to attempt lateral movement toward those systems.
Fact: The breach showed that even well-resourced critical infrastructure organisations are vulnerable to zero-day exploitation of VPN appliances. Nominet's segmentation prevented the worst outcome, but the initial access itself didn't need authentication or user interaction.
(Sources: The Register, Ivanti Security Advisory, Mandiant)
Myth 2: "If you patched quickly, you were safe."
On 13 January 2025, five days after the patch was released, Censys found that only about 120 of 33,542 exposed Ivanti Connect Secure instances had been updated. By late January 2025, Censys still counted 13,954 unpatched devices, and the Shadowserver Foundation confirmed 379 that were already compromised.
But the patching timeline misses a deeper problem. CISA documented during the 2024 Ivanti campaign that attackers could maintain "root level persistence despite issuing factory resets." The SPAWN malware family survives upgrades by migrating to new partitions and recalculating file hashes. PHASEJAM actively blocks legitimate updates, and RESURGE can lie dormant until the attacker decides to reconnect. Simply applying a patch to a device that's already been compromised doesn't remove these backdoors. The device needs a factory reset from an external known clean image, and even that might not be enough in all cases.
Fact: Patching closes the initial vulnerability but doesn't address existing compromise. CISA recommends a factory reset from a known clean image before patching, followed by full credential revocation. Organisations that patched without checking for compromise first may have locked the door while the attacker was already inside.
(Sources: Censys, CISA Mitigation Instructions, CISA Advisory AA24-060B)
Myth 3: "This was a one-off vulnerability. Ivanti has fixed the problem."
UNC5221 has exploited Ivanti Connect Secure zero-days at least three times in two years. The first campaign used CVE-2023-46805 and CVE-2024-21887 in December 2023 to January 2024. The second used CVE-2025-0282 in December 2024 to January 2025. The third used CVE-2025-22457 in March to April 2025. Each campaign involved different vulnerabilities, suggesting the threat actor maintains an active programme of reverse-engineering this specific product line.
During the 2024 investigation, more vulnerabilities turned up: CVE-2024-21893 (server-side request forgery in the SAML component), CVE-2024-21888 (privilege escalation), and CVE-2024-22024 (XML External Entity injection). Finding multiple critical vulnerabilities during incident response points to a broader codebase concern, similar to what happened with MOVEit Transfer when three critical SQL injection flaws were found within 16 days of each other.
Fact: The same actor hitting the same product line with multiple zero-days suggests ongoing reverse-engineering activity. Organisations running Ivanti Connect Secure should assume more vulnerabilities will be found and plan their architecture accordingly.
(Sources: Mandiant, CISA Emergency Directive ED 24-01)
Myth 4: "VPN appliances are secure because they sit at the network boundary."
VPN appliances are targeted precisely because of their boundary position, not despite it. They have to be internet-facing to accept incoming connections. They process authentication credentials, often caching domain passwords, certificates, and API keys. They run proprietary operating systems with limited logging compared to standard servers. Traditional EDR tools can't run on most VPN appliances. Organisations frequently delay patching VPN infrastructure because of uptime requirements and change management processes. And custom firmware gives sophisticated attackers persistence opportunities that survive reboots, updates, and factory resets.
CISA's edge device guidance puts it plainly: "Nation-state threat actors exploit end-of-support edge devices, including but not limited to load balancers, firewalls, routers, and virtual private network (VPN) gateways, to gain network access, maintain presence, and compromise sensitive data."
Fact: VPN appliances combine internet exposure, rich credential stores, limited visibility, slow patching cycles, and persistence opportunities in a single device. That combination makes them one of the highest-value targets for state-sponsored actors. As the NCSC's own guidance puts it, "VPN services will be part of the internet-exposed attack surface of your organisation."
(Sources: CISA Edge Device Security Guidance, CISA BOD 26-02, NCSC VPN Guidance)
What would have reduced the impact
Treating VPN appliances as highest-priority patching targets changes the exposure window
The NCSC's VPN guidance is blunt: VPN services "will need to be swiftly updated as soon as security patches are released." Five days after the CVE-2025-0282 patch was available, only about 120 of 33,542 exposed instances had been updated. That gap between patch availability and patch application is where the damage builds up. Organisations that can apply emergency patches to VPN infrastructure within hours rather than weeks cut their exposure window dramatically.
Emergency patching for edge devices takes planning before the vulnerability arrives. You need a tested process for out-of-band updates, pre-approved change management for critical security patches, and a fallback connectivity plan that allows VPN downtime during the update window.
Network segmentation limits what a compromised VPN appliance can reach
The fact that Nominet's domain registration and management systems weren't affected suggests effective segmentation between the VPN infrastructure and the critical registry systems. That architecture prevented the worst-case outcome for Nominet. Without segmentation, a compromised VPN appliance provides direct access to every system the VPN was designed to reach, which in most organisations is the entire internal network.
Segmentation means that compromising the VPN gives access only to a restricted zone, not to domain controllers, database servers, or critical application infrastructure. When you combine that with monitoring for lateral movement (LDAP reconnaissance, vCenter access, unexpected VM creation), it turns a perimeter breach into a contained incident rather than a full domain compromise.
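The lateral movement pattern described above (LDAP reconnaissance from the appliance, vCenter access over the web console and SSH, VM creation by the same session) can be expressed as correlation rules. The following is an added example for this article, not Mandiant's or any vendor's detection content. It runs three rules over constructed, normalised events: the appliance's management address opening sessions to vCenter; LDAP searches from the appliance that enumerate computer objects instead of looking up one user; and VM creation by an account whose most recent vCenter session came from the appliance. The addresses, account names and VM names are assumptions.

```python
"""Flag post-exploitation lateral movement that originates from a VPN appliance."""

APPLIANCE_IPS = {"10.0.0.5"}   # assumed management address of the VPN appliance
VCENTER_IPS = {"10.0.20.8"}    # assumed vCenter server

# Constructed events merged from LDAP, vCenter and SSH logs. The first event is
# the appliance's normal behaviour (looking up a single user during login).
SAMPLE_EVENTS = [
    {"ts": "2025-01-02T09:00:00", "src": "10.0.0.5", "dst": "10.0.10.5",
     "type": "ldap_search", "actor": "svc-vpn-bind", "detail": "(sAMAccountName=alice)"},
    {"ts": "2025-01-02T09:01:10", "src": "10.0.0.5", "dst": "10.0.10.5",
     "type": "ldap_search", "actor": "svc-vpn-bind",
     "detail": "(&(objectCategory=computer)(operatingSystem=*Server*))"},
    {"ts": "2025-01-02T09:03:00", "src": "10.0.0.5", "dst": "10.0.20.8",
     "type": "vcenter_login", "actor": "administrator@vsphere.local", "detail": "web console"},
    {"ts": "2025-01-02T09:04:30", "src": "10.0.0.5", "dst": "10.0.20.8",
     "type": "ssh_login", "actor": "root", "detail": "password"},
    {"ts": "2025-01-02T09:06:00", "src": "10.0.20.8", "dst": "",
     "type": "vm_created", "actor": "administrator@vsphere.local", "detail": "PRD-APP-07"},
    {"ts": "2025-01-02T10:00:00", "src": "10.0.30.15", "dst": "10.0.20.8",
     "type": "vcenter_login", "actor": "bob-admin", "detail": "web console"},
    {"ts": "2025-01-02T10:02:00", "src": "10.0.20.8", "dst": "",
     "type": "vm_created", "actor": "bob-admin", "detail": "PRD-APP-08"},
]


def enumerates_computers(ldap_filter):
    """True when an LDAP filter targets computer objects rather than a user lookup."""
    f = ldap_filter.lower()
    return "objectcategory=computer" in f or "objectclass=computer" in f


def detect_lateral_movement(events, appliance_ips=APPLIANCE_IPS, vcenter_ips=VCENTER_IPS):
    """Return (rule, timestamp, event_type, subject) tuples in time order."""
    findings = []
    last_login_src = {}  # actor -> source address of their most recent vCenter session
    for e in sorted(events, key=lambda x: x["ts"]):
        src, typ = e["src"], e["type"]
        if typ in ("vcenter_login", "ssh_login") and e["dst"] in vcenter_ips:
            last_login_src[e["actor"]] = src
            if src in appliance_ips:
                # Rule 1: the appliance has no business opening sessions to vCenter.
                findings.append(("appliance_to_vcenter", e["ts"], typ, e["actor"]))
        elif typ == "ldap_search" and src in appliance_ips and enumerates_computers(e["detail"]):
            # Rule 2: the appliance should look up users, not enumerate servers.
            findings.append(("appliance_ldap_recon", e["ts"], typ, e["actor"]))
        elif typ == "vm_created" and last_login_src.get(e["actor"]) in appliance_ips:
            # Rule 3: a VM created by a session that began on the appliance,
            # even when its name follows the victim's naming convention.
            findings.append(("vm_created_from_appliance_session", e["ts"], typ, e["detail"]))
    return findings


if __name__ == "__main__":
    for finding in detect_lateral_movement(SAMPLE_EVENTS):
        print(*finding)
```

Rule 3 is the one that matters most here: the page notes the attackers named their VMs to match the victim's conventions, so matching on the name is useless, and the signal has to come from where the creating session originated.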
Running integrity checks before and after patching catches existing compromise
CISA's mitigation instructions for CVE-2025-0282 stress running the external Integrity Checker Tool before applying patches. This matters because patching a device that's already compromised locks in the backdoor. SPAWN specifically targets the integrity checking process by recalculating file hashes, so external verification using Mandiant's published indicators of compromise provides a second line of detection.
Organisations shouldn't rely solely on vendor integrity tools. CISA documented during the 2024 campaign that the ICT "failed to detect compromise" in some cases because attackers deployed web shells that persisted without triggering file mismatch alerts. External baselines, regular integrity verification, and monitoring for unexpected file changes on appliance filesystems all provide extra detection layers.
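The difference between a vendor integrity check and an external baseline comes down to where the reference hashes live. The example below is added for this article and is not Ivanti's Integrity Checker Tool or any part of the SPAWN analysis; it models the evasion the page describes. A checker that trusts a manifest stored on the device reports clean after the malware rewrites that manifest, while the same comparison against a baseline captured from a clean image and kept off the device flags both the altered authentication module and the added file. File contents and paths are constructed; only the file name DSAuth.pm comes from the article.

```python
"""Compare an appliance filesystem against an external known-clean baseline."""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Hash every file in a {path: bytes} snapshot."""
    return {path: sha256_hex(content) for path, content in files.items()}


# Constructed stand-in for the clean image as shipped.
CLEAN_IMAGE = {
    "perl/DSAuth.pm": b"package DSAuth; sub authenticate { return check_password(@_); }\n",
    "perl/DSConfig.pm": b"package DSConfig; our %settings = ();\n",
    "web/index.cgi": b"#!/usr/bin/perl\nprint 'ok';\n",
}

# Baseline captured at deployment and stored OFF the device.
EXTERNAL_BASELINE = build_manifest(CLEAN_IMAGE)

# The same device after a compromise modelled on the article: the auth module
# is altered to capture credentials, an extra file is dropped, and the
# on-device manifest is recalculated so every hash on the device matches.
COMPROMISED_IMAGE = dict(CLEAN_IMAGE)
COMPROMISED_IMAGE["perl/DSAuth.pm"] = (
    b"package DSAuth; sub authenticate { log_plaintext(@_); return check_password(@_); }\n")
COMPROMISED_IMAGE["web/cache.cgi"] = b"#!/usr/bin/perl\n# constructed placeholder for a dropped file\n"
ONDEVICE_MANIFEST = build_manifest(COMPROMISED_IMAGE)  # attacker-recalculated hashes


def verify_against(files, manifest):
    """Return (modified, added, missing) paths relative to a manifest."""
    current = build_manifest(files)
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    added = sorted(p for p in current if p not in manifest)
    missing = sorted(p for p in manifest if p not in current)
    return modified, added, missing


def is_clean(result):
    return all(len(part) == 0 for part in result)


if __name__ == "__main__":
    # Trusting the device's own manifest: everything matches, nothing is found.
    print("on-device manifest:", verify_against(COMPROMISED_IMAGE, ONDEVICE_MANIFEST))
    # The off-device baseline still knows what the files looked like when clean.
    print("external baseline: ", verify_against(COMPROMISED_IMAGE, EXTERNAL_BASELINE))
```

The baseline has to be produced from a clean image rather than from the running appliance, and stored somewhere the appliance cannot write to; a baseline regenerated on the device after every upgrade inherits whatever was already there.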
Zero trust architecture eliminates the single point of failure
Zero trust architecture offers an alternative to traditional VPN-based remote access. Instead of trusting anything inside a perimeter, a zero trust approach assumes the network is hostile and verifies each request against access policy. The NCSC's VPN guidance puts it directly: "There would be little benefit in using a VPN if you've fully adopted a zero-trust approach to networking."
Zero trust doesn't eliminate all risk, and the transition from VPN-based access isn't quick or simple. But it removes the VPN concentrator as a single device whose compromise opens the entire network. Each application and service enforces its own access controls, so there's no single appliance that an attacker can exploit for broad internal access.
Credential revocation after suspected compromise prevents lateral movement
CISA's post-compromise guidance for Ivanti appliances is extensive because VPN devices handle authentication traffic. If the appliance is compromised, the attacker potentially has access to every credential that passed through it. The recommended revocation list includes admin enable passwords, API keys, local user passwords, service accounts, domain account passwords (reset twice for on-premises accounts), Kerberos tickets, and cloud tokens. Cloud-joined devices should be disabled to revoke their tokens.
That revocation scope reflects what a VPN appliance actually handles. It processes authentication for every remote user, every service account connecting through the VPN, and potentially every domain credential cached during the process. The attacker doesn't need to crack passwords when DRYHOOK intercepts them in plaintext during legitimate authentication.
What changed after
Ivanti released a patch for CVE-2025-0282 on 8 January 2025, the same day it disclosed the vulnerability. The speed of disclosure and patching reflects how serious it was: Ivanti's own Integrity Checker Tool had detected exploitation on the day it occurred, and the company coordinated disclosure with Mandiant and the NCSC.
CISA added CVE-2025-0282 to the Known Exploited Vulnerabilities (KEV) Catalog on 8 January 2025 with a remediation deadline of 15 January 2025 for federal agencies. That seven-day deadline for a VPN appliance vulnerability is aggressive, reflecting how critical the affected infrastructure is. In the UK, the NCSC was "investigating cases of active exploitation affecting UK networks."
The 2024 Ivanti campaign had already prompted significant government action. CISA issued Emergency Directive ED 24-01 in January 2024, telling federal agencies to mitigate the earlier vulnerability chain. A supplemental direction on 31 January 2024 went further, ordering agencies to disconnect all Ivanti Connect Secure and Policy Secure instances from their networks entirely. A joint advisory (AA24-060B) from CISA, the FBI, and the NCSC followed on 29 February 2024.
In March 2025, CISA published the RESURGE malware analysis, showing that the threat from compromised Ivanti devices was still active months after the initial patches were released. In April 2025, Mandiant attributed the exploitation of yet another Ivanti Connect Secure vulnerability (CVE-2025-22457) to UNC5221, confirming the pattern of repeat targeting.
CISA also issued Binding Operational Directive 26-02, covering risks from end-of-support edge devices across the board. That directive reflects the broader lesson from the Ivanti campaigns: VPN appliances and other edge devices aren't isolated incidents. They're a systemic category of risk that needs addressing at the architectural level.
The Ivanti Connect Secure product line (formerly Pulse Secure) has now been targeted by Chinese state actors across four separate campaigns going back to 2021, when APT5/UNC2630 exploited Pulse Secure zero-days. The pattern suggests the same actor, or actors within the same intelligence apparatus, maintain ongoing reverse-engineering capability against this specific product. Organisations running Ivanti Connect Secure should factor that persistent threat into their risk assessments rather than treating each vulnerability as a standalone event.