Ivanti Connect Secure zero-day exploitation (CVE-2025-0282)
Vulnerability
Summary
CVE-2025-0282 in Ivanti Connect Secure was exploited as a zero-day starting in mid-December 2024, creating a breach path for affected appliances. The exploitation was linked to UNC5221, a threat actor associated with China. The abuse shows the flaw was operationally useful before many defenders had visibility into it. CISA's later analysis indicates compromised systems may still harbor a dormant implant.
Related Happenings
Langflow CVE-2026-33017 exploitation wave
Exploitation Wave
First: 20.03.2026 12:20
Last: 20.03.2026 12:20
Sources 1
About this happening:
**CVE-2026-33017** in **Langflow** is being exploited in a fast-moving **early wave** that surfaced within **20 hours** of the advisory, putting exposed instances at immediate ris...
Rising zero-day exploitation across end-user and enterprise products in 2025
Target Trend
First: 05.03.2026 17:03
Last: 05.03.2026 17:03
Sources 1
About this happening:
**Zero-day exploitation** stayed elevated in **2025**, with **90 actively exploited flaws** spread across **end-user platforms** and **enterprise products**. That matters because...
RESURGE malware analysis update adds stealth, TLS, and C2 findings on Ivanti Connect Secure
Technical Analysis
First: 26.02.2026 14:00
Last: 26.02.2026 14:00
Sources 1
How related:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details about RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices.
About this happening:
New technical findings on **RESURGE** sharpen detection of a stealthy implant that can hide on **Ivanti Connect Secure** devices and enable covert **SSH-based command-and-control*...
React2Shell (CVE-2025-55182) mass scanning and exploitation wave
Exploitation Wave
First: 20.02.2026 23:07
Last: 20.02.2026 23:07
Sources 1
About this happening:
**CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...
CISA KEV mitigation for BeyondTrust CVE-2026-1731
Advisory/Mitigation
First: 20.02.2026 19:02
Last: 20.02.2026 19:02
Sources 1
About this happening:
CISA ordered urgent **KEV** mitigation for **CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access**, forcing affected federal deployments to **apply th...
Timeline
- 27.02.2026 17:57 · 2 articles · 2mo ago
CISA updates RESURGE analysis for Ivanti devices
Technical Analysis Update
CISA released updated technical details on RESURGE, a malicious 32-bit Linux Shared Object file named libdsupgrade.so used in zero-day attacks exploiting CVE-2025-0282 against Ivanti Connect Secure devices. The bulletin describes network-level evasion, fake Ivanti certificate authentication, Mutual TLS access, dormant behavior until a remote connection attempt, and guidance to use updated indicators of compromise to find and remove compromised devices.
Sources:
- CISA warns that RESURGE malware can be dormant on Ivanti devices — www.bleepingcomputer.com — 27.02.2026 17:57
- CISA warns that RESURGE malware can be dormant on Ivanti devices — www.bleepingcomputer.com — 27.02.2026 17:57