CISA Warns of RESURGE Malware Targeting Ivanti Devices


CISA issued a warning about RESURGE malware exploiting zero-day flaws in Ivanti Connect Secure gateways. This threat uses CVE-2025-0282, a stack buffer overflow, to gain initial access. It persists through reboots and steals credentials from enterprise networks.

Ivanti products serve as VPN gateways for remote access in businesses and government. Attackers overflow memory buffers with excess data. This lets them run arbitrary code on the device. CISA added this CVE to its Known Exploited Vulnerabilities list on January 8, 2025, after exploits appeared in late 2024.

Analysts found RESURGE on a critical infrastructure Ivanti device. It pairs with SPAWNSLOTH for log deletion and dsmain for boot image tampering. Together, they form a full attack chain: entry, cleanup, persistence.

RESURGE evolves from SPAWNCHIMERA malware. The file libdsupgrade.so acts as a rootkit, dropper, backdoor, bootkit, proxy, and tunneler. It handles nearly every post-breach need in one package.

Malware Components

| Component  | Function                        | File Name            |
|------------|---------------------------------|----------------------|
| RESURGE    | Persistence, credential theft, C2 | libdsupgrade.so    |
| SPAWNSLOTH | Log tampering                   | Variant binary       |
| dsmain     | Boot image decryption/repack    | Custom BusyBox tool  |

The malware loads via ld.so.preload, so the dynamic loader maps it into every dynamically linked process as it starts. A web shell lands on the boot disk for remote control. Coreboot images get modified to survive resets.
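One way to check for this persistence mechanism on an extracted appliance filesystem, as an added example that is not from CISA's advisory or Ivanti: the audit below parses an ld.so.preload file and flags any entry outside a known-good baseline. The baseline list, the sample file content and the filesystem root are constructed placeholders for this example.

```python
"""Audit an ld.so.preload file for unexpected preloaded libraries.

Added example, not code from the CISA advisory or Ivanti. RESURGE
persists via ld.so.preload, so an entry outside the baseline of a
known-clean image is a persistence indicator worth investigating.
"""
import os
import re

# Placeholder baseline of libraries a clean image is expected to preload.
# Constructed for this example; build the real list from a clean image
# of the same appliance version.
KNOWN_GOOD = frozenset({"/lib/libclean_placeholder.so"})

# Constructed sample file content (not a real capture).
SAMPLE_PRELOAD = (
    "/lib/libclean_placeholder.so\n"
    "/lib/libdsupgrade.so  # constructed: RESURGE file name from the advisory\n"
    "libfoo.so\n"
)


def parse_preload(text):
    """Return the library entries listed in an ld.so.preload file.

    glibc strips '#' comments and treats the rest as a whitespace-separated
    list; splitting on ':' as well is deliberately conservative so that an
    oddly formatted attacker-written file still surfaces every entry.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries


def audit_preload(text, root="/", known_good=KNOWN_GOOD):
    """Classify each entry; returns a list of (path, verdict, exists_on_disk).

    The baseline comparison is the real check: a renamed library still shows
    up as 'unexpected'. The name match is only a convenience label.
    """
    findings = []
    for lib in parse_preload(text):
        if lib in known_good:
            verdict = "baseline"
        elif os.path.basename(lib) == "libdsupgrade.so":
            verdict = "suspicious: matches RESURGE file name"
        elif not lib.startswith("/"):
            verdict = "suspicious: relative name, resolved via loader search path"
        else:
            verdict = "unexpected: not in baseline"
        # Resolve against the mounted image root, not the analysis host.
        on_disk = os.path.isfile(os.path.join(root, lib.lstrip("/")))
        findings.append((lib, verdict, on_disk))
    return findings
```

Run it against the mounted image with `audit_preload(open(path).read(), root="/mnt/image")`; entries reported as missing on disk still matter, since a deleted library can indicate cleanup after the fact.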

RESURGE hides behind forged TLS certificates and CRC32 hashing. Normal traffic passes through to the real server; attacker commands trigger only when a request matches one of its CRC32 checks. Ordinary scanning therefore sees nothing unusual.

Attack Impact

Compromised gateways expose full networks. Attackers harvest credentials, add accounts, reset passwords, and escalate rights. No alerts trigger during quiet operations.

CISA recovered samples from real breaches. Ivanti devices sit at network edges. One breach opens everything inside.

Mitigation Steps

  • Factory reset hardware devices.
  • Use clean external images for cloud/virtual setups.
  • Reset all credentials, including the krbtgt account password twice.
  • Revoke affected device access temporarily.
  • Monitor admin accounts for odd activity.

Report issues to CISA at [email protected] or (888) 282-0870.

FAQ

What is RESURGE malware?

Multi-function tool exploiting Ivanti zero-days for persistence and theft.

Which CVE does it use?

CVE-2025-0282, stack buffer overflow in Connect Secure gateways.

How does it persist?

Loads via ld.so.preload, modifies coreboot, adds web shell.

What else was found?

SPAWNSLOTH for logs, dsmain for boot tampering.

How to remove it?

Factory reset, credential overhaul, clean image deploy.
