In March 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a Malware Analysis Report (MAR) detailing a new malware variant named RESURGE. The malware was recovered from Ivanti Connect Secure appliances that had been compromised through CVE-2025-0282, a critical vulnerability in those appliances, and it gives the attacker durable control of an edge device that sits on the network perimeter.

Background on RESURGE Malware and CVE-2025-0282

RESURGE shares capabilities with the SPAWNCHIMERA malware, including surviving reboots. RESURGE, however, contains distinctive commands that change its behaviour:

  • Web Shell Creation: Drops a web shell that gives the operator remote command execution on the appliance.
  • Integrity Manipulation: Tampers with the appliance's integrity checks so that the modified files are not reported.
  • File Modification: Modifies files on the appliance to maintain control over the compromised device.

CVE-2025-0282 is a stack-based buffer overflow affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways. It is reachable without authentication and allows a remote attacker to execute arbitrary code on the appliance, which is how RESURGE is introduced. CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog on January 8, 2025, reflecting confirmed exploitation in the wild. (cisa.gov)

Implications and Impact

The exploitation of CVE-2025-0282 through RESURGE has several critical implications:

  • Credential Harvesting: Through the web shell, attackers can harvest credentials from the appliance, giving them a foothold on the systems those credentials reach.
  • Privilege Escalation: The web shell can be used to create accounts and reset passwords, letting attackers escalate privileges on the appliance and move into the network behind it.
  • Persistence Mechanisms: By copying the web shell to the Ivanti running boot disk and manipulating the running coreboot image, RESURGE survives reboots and ordinary restarts.

These capabilities underscore the severity of the threat posed by RESURGE and the necessity for prompt mitigation actions.

Technical Details

Attackers exploit CVE-2025-0282 to gain initial code execution on an Ivanti Connect Secure appliance and then deploy RESURGE. Once resident, the malware performs the following actions:

  1. Web Shell Deployment: Sets up a web shell that the operator uses for remote command execution, credential harvesting, account creation and password resets.
  2. Integrity Check Manipulation: Alters the appliance's integrity checks so that its own files and the files it has modified pass as unchanged, evading the check an administrator would normally rely on.
  3. File Modification: Modifies files on the appliance to maintain control over the device.
  4. Persistence Establishment: Copies the web shell to the Ivanti running boot disk and manipulates the running coreboot image so that the implant is restored after a reboot.
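The second step above is the one that undermines an operator's usual response, and it is worth seeing concretely. The following is an added example, not code from CISA's report or from Ivanti: it models an integrity checker that stores its hash manifest on the same disk it is checking, shows that an attacker who can modify files can also rewrite that manifest so the check reports "clean", and shows that anchoring the manifest to a value kept off the appliance (here an HMAC under a key the appliance never holds) catches the rewrite. The file paths, file contents and key are constructed for the demonstration and do not correspond to real Ivanti files.

```python
"""Added example: on-box integrity checks versus an externally anchored baseline.

Models the 'integrity manipulation' problem described above. Paths, contents
and the key are constructed for the demo, not real appliance artefacts.
"""
import hashlib
import hmac
import json

# Constructed "appliance filesystem": path -> bytes (hypothetical paths).
CLEAN_FS = {
    "/home/bin/web": b"legit web daemon v1",
    "/home/lib/libsys.so": b"legit shared object",
    "/home/etc/manifest.json": b"",   # filled in by demo() below
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(fs: dict, manifest_path: str) -> dict:
    """Hash every file except the manifest itself; this is the on-box baseline."""
    return {p: sha256(c) for p, c in fs.items() if p != manifest_path}


def onbox_check(fs: dict, manifest_path: str) -> list:
    """Naive integrity check that trusts the manifest stored on the same disk.
    Returns the paths whose current hash differs from the manifest entry."""
    manifest = json.loads(fs[manifest_path])
    return sorted(p for p, h in manifest.items() if sha256(fs.get(p, b"")) != h)


def anchor_manifest(manifest: dict, key: bytes) -> str:
    """Off-box anchor: an HMAC over the canonical manifest, computed with a key
    that is held with the golden image, never on the appliance."""
    canon = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def offbox_check(fs: dict, manifest_path: str, anchor: str, key: bytes) -> str:
    """Verify the on-box manifest against the external anchor before using it.
    A rewritten manifest fails here even though onbox_check() would pass."""
    manifest = json.loads(fs[manifest_path])
    if not hmac.compare_digest(anchor_manifest(manifest, key), anchor):
        return "manifest tampered"
    diff = onbox_check(fs, manifest_path)
    return "clean" if not diff else "modified: " + ", ".join(diff)


def demo():
    """Returns ((onbox, offbox) after file modification,
                (onbox, offbox) after the manifest is also rewritten)."""
    mp = "/home/etc/manifest.json"
    fs = dict(CLEAN_FS)
    baseline = build_manifest(fs, mp)
    fs[mp] = json.dumps(baseline, sort_keys=True).encode()
    key = b"offbox-demo-key"          # constructed; kept outside the appliance
    anchor = anchor_manifest(baseline, key)

    # Step 1: the attacker modifies a file ("file modification").
    fs["/home/lib/libsys.so"] = b"legit shared object + implant"
    after_modify = (onbox_check(fs, mp), offbox_check(fs, mp, anchor, key))

    # Step 2: the attacker also rewrites the on-box manifest
    # ("integrity manipulation"), so the naive check now reports clean.
    fs[mp] = json.dumps(build_manifest(fs, mp), sort_keys=True).encode()
    after_tamper = (onbox_check(fs, mp), offbox_check(fs, mp, anchor, key))
    return after_modify, after_tamper


if __name__ == "__main__":
    for label, result in zip(("file modified", "manifest rewritten"), demo()):
        print(f"{label}: on-box={result[0]} off-box={result[1]}")
```

The design point is that an integrity check is only as trustworthy as the place its baseline lives; once the attacker can write to the same disk, the on-box result means nothing, which is why the guidance below favours comparing against an external known-clean image rather than trusting the appliance's own verdict.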

CISA's report includes YARA and SIGMA detection rules for identifying RESURGE. Organizations running affected appliances should deploy these rules and review the results alongside the other indicators in the report. (cisa.gov)

Defense Strategies

To mitigate the risks associated with RESURGE and CVE-2025-0282, organizations should adopt the following strategies:

  1. Immediate Patching: Apply the security updates released by Ivanti to address CVE-2025-0282 (Connect Secure 22.7R2.5, Policy Secure 22.7R1.2 and ZTA Gateways 22.7R2.3 or later). Patching closes the entry point but does not remove an implant that is already present. (cisa.gov)
  2. Comprehensive System Reset: For devices that were exposed before patching, conduct a factory reset using a known clean image rather than trusting the appliance's own integrity check, then apply the patched version to the clean image. (cisa.gov)
  3. Credential Management: Reset credentials for all accounts, privileged and non-privileged, that existed on or were used through the appliance, since the web shell is used to harvest them.
  4. Access Control Review: Temporarily revoke or reduce the privileges held by affected devices and the accounts associated with them to contain any access already gained.
  5. Continuous Monitoring: Monitor the appliances and the systems behind them for unauthorized access and anomalous activity so that any remaining foothold is detected and dealt with promptly.
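Step 1 sounds mechanical, but Ivanti's version strings (for example 22.7R2.5) are not semantic versions, and a plain string comparison gets them wrong ("22.7R2.10" sorts before "22.7R2.5"). The following is an added example, not Ivanti's or CISA's tooling, that parses that format into a comparable tuple and returns the hosts from an inventory that are still below the fixed release. The fixed versions are those from Ivanti's January 2025 advisory; the inventory lines are constructed, and anything that fails to parse is deliberately treated as unpatched.

```python
"""Added example: decide which Ivanti appliances are still below the release
that fixes CVE-2025-0282. Inventory data below is constructed for the demo.
"""
import re

# Fixed releases from Ivanti's January 2025 advisory.
FIXED = {
    "Connect Secure": "22.7R2.5",
    "Policy Secure": "22.7R1.2",
    "ZTA Gateways": "22.7R2.3",
}

_VER = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(v: str) -> tuple:
    """'22.7R2.5' -> (22, 7, 2, 5); '22.7R2' -> (22, 7, 2, 0).
    Raises ValueError on anything that is not in Ivanti's major.minorRrel.patch form."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version: {v!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_patched(product: str, version: str) -> bool:
    """True if version is at or above the fixed release for that product."""
    return parse_version(version) >= parse_version(FIXED[product])


def triage(inventory: list) -> list:
    """inventory: (hostname, product, version) tuples. Returns hostnames that
    still need patching, in inventory order. Unknown products or unparseable
    versions are treated as unpatched so they are not silently skipped."""
    needs_patch = []
    for host, product, version in inventory:
        try:
            patched = is_patched(product, version)
        except (KeyError, ValueError):
            patched = False
        if not patched:
            needs_patch.append(host)
    return needs_patch


# Constructed inventory for the demonstration.
SAMPLE = [
    ("vpn-1", "Connect Secure", "22.7R2.5"),   # fixed
    ("vpn-2", "Connect Secure", "22.7R2.4"),   # one patch behind
    ("vpn-3", "Connect Secure", "22.7R2"),     # no patch suffix at all
    ("nac-1", "Policy Secure", "22.7R1.2"),    # fixed
    ("zta-1", "ZTA Gateways", "22.7R2.3"),     # fixed
    ("zta-2", "ZTA Gateways", "22.7R1.9"),     # older release line
    ("vpn-4", "Connect Secure", "9.1R18.9"),   # end-of-life branch, no fix
]

if __name__ == "__main__":
    for host in triage(SAMPLE):
        print("needs patching:", host)
```

A host that this reports as patched is not thereby clean: the version only tells you whether the entry point is closed, so a device that was exposed while vulnerable still goes through the reset and credential steps above.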

By implementing these measures, organizations can strengthen their defenses against RESURGE and similar cyber threats.

Conclusion

The discovery of RESURGE on appliances compromised through CVE-2025-0282 shows how an edge-device vulnerability turns into durable access: the implant survives reboots and defeats the integrity check an operator would use to find it. Organizations must patch promptly, rebuild exposed devices from a known clean image rather than trusting the appliance's own verdict, and reset the credentials that passed through it.